This practice involves engaging the Development team (developers and QA specialists)
to perform basic vulnerability assessments during the implementation and pre-production
stages of the software development life cycle (SDLC). These assessments
are directed by the Security team and target key issues that the Development
team is able to understand and act on. More complex tests are still handled
by the Security team. This significantly alleviates the burden on the Security
team and reduces the cost of fixing security bugs, because the earlier an issue
is discovered, the less it costs to fix.

Using automated tools for Web application security testing is key to this
practice. These tools enable someone with little knowledge of Web application
security testing to perform a vulnerability assessment.

As mentioned earlier, to ensure that the vulnerability assessments performed
by the Development team are effective, they should be guided by the Security
team. It is the responsibility of the Security team to develop a security test
policy that describes how applications are to be tested and to develop tool
configuration templates.

When adopting this model, it is best to engage the Development team gradually.
You could start by adding security testing to the functional, performance, and
usability testing that is already performed by the QA team. Then, at a later stage,
developers could be equipped with tools and processes for performing security
assessments of the application components that they are working on.

A successful adoption of this practice cannot occur without a Web application
security awareness program. Educating the Development team on common security
vulnerabilities and on principles of secure coding is essential for addressing
the Web application security challenge.