
Search Software Quality published another of my answers to reader questions:
When devising an application security plan, how do you get developers and testers to assume responsibility for security when many don’t see it as part of their jobs?
You can see my full answer online where I talk about different strategies for assigning responsibility for testing (sorry – registration required). For those looking for a quick preview, I talk about:
- Is this actually something you want developers and QA to be responsible for?
- Crafting rewards (and penalties) to be applied to development and testing teams
- Common drivers that help justify the need for application security testing
Developers and QA teams definitely have a role to play in building and deploying secure applications, but you need to understand what role you want them to play in your organization and craft incentives accordingly. Getting the required clout to make this happen often requires some external factors to help justify the investment.
Contact us for help building an effective software security program for your organization.
–Dan
dan _at_ denimgroup.com
For many developers, security is the last thing on their mind when developing an application. Most of them concentrate on the functionality and bug fixes first. Organizations need to emphasize the importance and rigor in developing secure applications by implementing vulnerability scanning as part of the development life cycle.