Why app sec and QA testing teams need to partner
Dan Cornell, CTO at application security services consultancy Denim Group, said combining the strengths of the QA team with the app sec team creates critical mass.
“QA teams are large and well-established when compared to app sec teams. Incrementally expanding their mandate to include aspects of the app sec program is a great way for app sec teams to gain leverage.”
In the early stages of the development process, Cornell said, QA can help craft testing scenarios that include “abuse cases”—in other words, how a particular software release is likely to be abused. Such testing scenarios can inform developers and help them find ways to avoid introducing code that could result in abuse.
QA’s role in static testing
Given proper training and support, QA can certainly take over aspects of static application security testing (SAST) and running SAST tools. But hardcore security code reviews, such as those performed during penetration tests, are best left to security teams that have the training and specialization for the task, Cornell said. “QA teams are best-suited to incorporating application security testing tools—both static and dynamic—into their use of other automated testing tools.”
About Denim Group
Denim Group is the leading secure software development firm, serving as a trusted advisor to customers on matters of software risk and security. The company builds software for the most security-conscious while helping organizations assess and mitigate risk within their existing software. Denim Group's flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's rich understanding of what it takes to fix application vulnerabilities faster. Denim Group has emerged as a strong contributor to the larger application security community and has actively participated in the Open Web Application Security Project (OWASP) since shortly after its inception.
Among many other awards, Denim Group has landed on the "Inc. 5000" list, which recognizes the country's 5000 fastest-growing private companies, for five years in a row. In addition, the San Antonio Business Journal named Denim Group as one of the "Best Places to Work" in the city.