Denim Group has been acquired by Coalfire. Learn More>>

Search Software Quality: Who Is Responsible for Software Security Testing?


Search Software Quality published another of my answers to reader questions:

When devising an application security plan, how do you get developers and testers to assume responsibility for security when many don’t see it as part of their jobs?

You can see my full answer online where I talk about different strategies for assigning responsibility for testing (sorry – registration required). For those looking for a quick preview, I talk about:

  • Is this actually something you want developers and QA to be responsible for?
  • Crafting rewards (and penalties) to be applied to development and testing teams
  • Common drivers that help justify the need for application security testing

Developers and QA teams definitely have a role to play in building and deploying secure applications, but you need to understand what role you want them to play in your organization and craft incentives accordingly. Often, getting the required clout to make this happen often requires some external factors to help justify the invesment.

Contact us for help building an effective software security program for your organization.


dan _at_


About Dan Cornell

Dan Cornell Web Resolution

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

One Response to “Search Software Quality: Who Is Responsible for Software Security Testing?”

  1. ISTQB

    For many developers, security is the last thing on their mind when developing an application. Most of them concentrate on the functionality and bug fixes first. Organizations need to emphasize the importance and rigor in developing secure applications by implementing vulnerability scanning as part of the development life cycle.

Leave a Reply

Your email address will not be published. Required fields are marked *