There are expert penetration testers who know how to find security vulnerabilities. But their specific methodology, not to mention their relatively late involvement in the application security assurance process, is often not enough to find all the holes. Additional resources, with different skills and a more intense involvement in the development lifecycle, are required.
One way is to deliberately use personnel without a security background, such as QA engineers, for generic security testing activities. In the presentation below, given at the SIGiST 2010 conference in Tel Aviv, I suggested how this can be done using the simple QA methodology of "verification and validation", something that requires only classic QA skills.
In conclusion, incorporating QA resources into the security assurance process will advance the ultimate goal of improving application security.
verification validation and ... security