When devising an application security plan, how do you get developers and testers to assume responsibility for security when many don’t see it as part of their jobs?
You can see my full answer online where I talk about different strategies for assigning responsibility for testing (sorry – registration required). For those looking for a quick preview, I talk about:
- Is this actually something you want developers and QA to be responsible for?
- Crafting rewards (and penalties) to be applied to development and testing teams
- Common drivers that help justify the need for application security testing
Developers and QA teams definitely have a role to play in building and deploying secure applications, but you need to understand what role you want them to play in your organization and craft incentives accordingly. Getting the required clout to make this happen often requires some external factors to help justify the investment.
dan _at_ denimgroup.com