WebApp Sec mailing list archives
Re: Security Testing
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 3 Mar 2003 15:32:27 -0500
I agree with Kevin about independence and objectivity of the security reviewers and testers. You should include application policy development and developer training in your process, so that developers understand what's expected of their code. If you're already a CMM type organization, you might be interested in the System Security Engineering CMM (www.sse-cmm.org). It may help you figure out how to include basic security risk management practices in your development process.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: Kevin Spett
To: Ramirez, Manuel N (CORP, DDEMESIS) ; webappsec () securityfocus com
Sent: Monday, March 03, 2003 2:04 PM
Subject: Re: Security Testing

While all developers should be aware of security issues and do their best to harden what they build, I recommend that the security testing team be separate from the development team if possible. Security testing is a specialized skill that requires full-time dedication and experience to acquire proficiency with. Also, people are less likely to find bugs in their own work, which is one of the reasons that normal QA should be separate from development.

Kevin.

----- Original Message -----
From: "Ramirez, Manuel N (CORP, DDEMESIS)" <Manuel.Ramirez () ddemesis ge com>
To: <webappsec () securityfocus com>
Sent: Monday, March 03, 2003 1:09 PM
Subject: Security Testing

Hi everybody,

I was wondering if some of you have some papers regarding web application security testing. I'm working on a CMM initiative and we are planning to include a security testing phase so that every newly developed application is security-error free. Would you recommend that every development team perform security testing, or is it better to have a group of experienced people doing these activities for all of the developed applications?

Best regards,
Manuel