Security testing has traditionally been a core testing type, exercised as a product is tested and readied for release. Test teams have typically worked with development, business and product groups on a threat model analysis: what the product's vulnerabilities are, where the likely entry points are, what data an attacker might use to compromise the system, and therefore what ethical hacking (aka security testing) is needed to harden the product against real-world attacks.
At a basic level, security testing is handled by the core functional test team itself. Checklists and guidelines from organizations that promote web security, such as the Open Web Application Security Project (OWASP), have proven invaluable in planning and implementing a security test effort. Beyond that basic level, however, deeper work such as penetration testing or white-hat testing calls for security test specialists. Based on their tests they submit a report on the product's security status, which in effect serves as the organization's certification that the product is secure for release to web (RTW). These specialist teams may be a third-party independent testing team or the organization's own resident specialists. Either way, they are often an on-call team: they evaluate the product for a fixed period, submit their report and move on. Granted, they are very expensive resources, but the question to consider is whether it helps to have such a floating team take on the very important task of verifying the security of the system.

There has been no dearth of web security breaches in recent times. The most recent news is that of Target Corporation's CEO resigning from his role, taking responsibility for the compromise of 70 million customer data records late last year. A useful blog post published recently argued that security testing should become part of the core testing effort contained within each software release; in my opinion, security testing spans across product releases. The team plans and executes a security testing effort within a given release, but the landscape is so vast and dynamic that it requires an on-going resident expert team that watches for newer patterns, hacks and trends in software security, relates them to the product at hand, and works with the developers to harden the system against them.
Security testing thus becomes out of band in nature, with a need for on-going monitoring, analysis and fixing, and in this regard it differentiates itself from other types of software testing.