WebApp Sec mailing list archives

Re: Security Testing


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 3 Mar 2003 15:32:27 -0500

I agree with Kevin about independence and objectivity of the security
reviewers and testers.  You should include application policy development
and developer training into your process, so that developers understand
what's expected of their code.

If you're already a CMM type organization, you might be interested in the
System Security Engineering CMM (www.sse-cmm.org). It may help you figure
out how to include basic security risk management practices into your
development process.

--Jeff

Jeff Williams
Aspect Security, Inc.
http://www.aspectsecurity.com



----- Original Message -----
From: Kevin Spett
To: Ramirez, Manuel N (CORP, DDEMESIS) ; webappsec () securityfocus com
Sent: Monday, March 03, 2003 2:04 PM
Subject: Re: Security Testing


While all developers should be aware of security issues and do their best to
harden what they build, I recommend that the security testing team be
separate from the development team if possible.  Security testing is a
specialized skill that requires full-time dedication and experience to
acquire proficiency with.  Also, people are less likely to find bugs in
their own work, which is one of the reasons that normal QA should be
separate from development.


Kevin.


----- Original Message -----
From: "Ramirez, Manuel N (CORP, DDEMESIS)"
<Manuel.Ramirez () ddemesis ge com>
To: <webappsec () securityfocus com>
Sent: Monday, March 03, 2003 1:09 PM
Subject: Security Testing



Hi everybody,
I was wondering if some of you have some papers regarding web application
security testing. I'm working on a CMM initiative and we are planning to
include a security testing phase so that every newly developed application is
security-error free.

Would you recommend that every development team perform security testing, or
is it better to have a group of experienced people doing these activities for
all of the developed applications?

Best regards,
Manuel

