WebApp Sec mailing list archives

RE: Security Testing


From: "Pitts, Christopher C." <Christopher.Pitts () HaverstickConsulting com>
Date: Mon, 3 Mar 2003 14:48:56 -0500

I'll second this.  In addition to the reasons that Kevin mentions below, separating the two
provides more oversight to ensure that external or internal pressures don't create a
situation where the developers "certify" a product that should not be.  There's a lot to be said for
separation of duties.

Christopher


        -----Original Message----- 
        From: Kevin Spett [mailto:kspett () spidynamics com] 
        Sent: Mon 3/3/2003 2:04 PM 
        To: Ramirez, Manuel N (CORP, DDEMESIS); webappsec () securityfocus com 
        Cc: 
        Subject: Re: Security Testing
        While all developers should be aware of security issues and do their best to
        harden what they build, I recommend that the security testing team be
        separate from the development team if possible.  Security testing is a
        specialized skill that requires full-time dedication and experience to
        acquire proficiency with.  Also, people are less likely to find bugs in
        their own work, which is one of the reasons that normal QA should be
        separate from development.

        Kevin.

        ----- Original Message -----
        From: "Ramirez, Manuel N (CORP, DDEMESIS)" <Manuel.Ramirez () ddemesis ge com>
        To: <webappsec () securityfocus com>
        Sent: Monday, March 03, 2003 1:09 PM
        Subject: Security Testing
        Hi everybody,
        I was wondering if some of you have some papers regarding web application
        security testing. I'm working on a CMM initiative and we are planning to
        include a security testing phase so that every newly developed application is
        security-error-free.
        
        Would you recommend that every development team perform security testing, or
        is it better to have a group of experienced people doing these activities for
        all of the developed applications?
        
        Best regards,
        Manuel