Way back in the 1990s I worked for the MoD in a testing department where we wrote programs to test complex circuit boards.
At that time one of the questions some of my colleagues and friends discussed was the security of applications. We were all aware of vulnerabilities in commercial software that we all used on our PCs.
As testers we wondered about how to approach software development from a security standpoint.
Years later, I worked for a software company that developed “in vehicle” systems. Security was mainly focused on protecting the server platforms, with little consideration of code security and potential vulnerabilities. In testing we were “told” to focus on black box testing.
These days, there are a multitude of web based applications released every week and you have to wonder about security. Having secure communications with visitors is great but rather pointless if there is a gaping vulnerability in the system on which the site is hosted or in the code that makes up a page.
The Open Web Application Security Project (or OWASP for short) takes this sort of issue seriously (as do we). Implementing a Software Development Life Cycle (SDLC) that has security testing at the core of each test phase (and there are many test phases) is the right way to go.
You can download the full 224-page Testing Guide HERE, and it is a good, in-depth and practical read. What’s more, you are able to adopt it, modify it and reproduce it for your company.
Need some advice?