Roadmap: How to Adopt the Application Vulnerability Assessment Practice
This roadmap describes how to adopt the Application Vulnerability Assessment practice.
Main Description

This practice involves engaging the Development team (developers and QA specialists) to perform basic vulnerability assessments during the implementation and pre-production stages of the software development life cycle (SDLC). These assessments are directed by the Security team and target key issues that the Development team is able to understand and act on. More complex tests are still handled by the Security team. This significantly alleviates the burden on the Security team and reduces the cost of fixing security bugs, because the earlier an issue is discovered, the less it costs to fix.

Using automated tools for Web application security testing is key to this practice. These tools enable someone with little knowledge of Web application security testing to perform a vulnerability assessment.

As mentioned earlier, to ensure that the vulnerability assessments performed by the Development team are effective, they should be guided by the Security team. It is the responsibility of the Security team to develop a security test policy that describes how applications are to be tested and to develop tool configuration templates.

When adopting this model, it is best to engage the Development team gradually. You could start by adding security testing to the functional, performance, and usability testing that is already performed by the QA team. Then, at a later stage, developers could be equipped with tools and processes for performing security assessments of the application components that they are working on.

A successful adoption of this practice cannot occur without a Web application security awareness program. Educating the Development team on common security vulnerabilities and on principles for secure coding is essential for addressing the Web application security challenge.