WebApp Sec mailing list archives
RE: Security Testing
From: "Pitts, Christopher C." <Christopher.Pitts () HaverstickConsulting com>
Date: Mon, 3 Mar 2003 14:48:56 -0500
I'll second this. In addition to the reasons that Kevin mentions below, separating the two provides more oversight to ensure that external or internal pressures don't create a situation where the developers "certify" product that should not be. There's a lot to be said for separation of duties.

Christopher

-----Original Message-----
From: Kevin Spett [mailto:kspett () spidynamics com]
Sent: Mon 3/3/2003 2:04 PM
To: Ramirez, Manuel N (CORP, DDEMESIS); webappsec () securityfocus com
Cc:
Subject: Re: Security Testing

While all developers should be aware of security issues and do their best to harden what they build, I recommend that the security testing team be separate from the development team if possible. Security testing is a specialized skill that requires full-time dedication and experience to acquire proficiency with. Also, people are less likely to find bugs in their own work, which is one of the reasons that normal QA should be separate from development.

Kevin.

----- Original Message -----
From: "Ramirez, Manuel N (CORP, DDEMESIS)" <Manuel.Ramirez () ddemesis ge com>
To: <webappsec () securityfocus com>
Sent: Monday, March 03, 2003 1:09 PM
Subject: Security Testing

Hi everybody,

I was wondering if some of you have some papers regarding web application security testing. I'm working on a CMM initiative and we are planning to include a security testing phase so every newly developed application is security-error free. Would you recommend that every development team perform security testing, or is it better to have a group of experienced people doing these activities for all of the developed applications?

Best regards,
Manuel
Current thread:
- Security Testing Ramirez, Manuel N (CORP, DDEMESIS) (Mar 03)
- Re: Security Testing Kevin Spett (Mar 03)
- Re: Security Testing Jeff Williams @ Aspect (Mar 03)
- RE: Security Testing drG4njubas (Mar 03)
- Re: Security Testing planz (Mar 04)
- <Possible follow-ups>
- Re: Security Testing Bill Pennington (Mar 03)
- RE: Security Testing Pitts, Christopher C. (Mar 03)
- RE: Security Testing Brass, Phil (ISS Atlanta) (Mar 03)
- RE: Security Testing scott wood (Mar 03)
- Re: Security Testing Kevin Spett (Mar 03)