What does testing actually look like for most applications today? The fact is that it is almost entirely functional in nature, done with automated tools run from preconfigured scripts that have little to do with security. Furthermore, most of the testing is done by testers, not developers. OK, the unit testing was done by developers, but what developer under time constraints writes JUnit tests that have anything to do with security? Managers and executives are only concerned with functionality anyway, so why waste your time, right? Well, that depends on one question: do you, the developer, manager or senior executive, consider security a feature of your application, or is it considered something that just adds time and resources, and therefore expense, to the project's total cost?
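To make the point concrete, here is what a security-relevant JUnit test looks like next to the usual functional one. This is an added example, not code from the original post: the `SafePathResolver` class is a hypothetical piece of production code that maps a user-supplied file name onto a fixed upload directory, and the test class around it assumes JUnit 5 (junit-jupiter-api and junit-jupiter-params) on the classpath. The functional test checks the happy path; the security tests feed the resolver the path traversal and null-byte inputs an attacker would send and assert that each one is rejected rather than silently resolved.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.nio.file.Path;
import java.nio.file.Paths;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;

class SafePathResolverTest {

    // Hypothetical code under test (assumed for this example): resolves a
    // user-supplied name under a fixed base directory and refuses anything
    // that would end up outside it.
    static final class SafePathResolver {
        private final Path base;

        SafePathResolver(Path base) {
            this.base = base.toAbsolutePath().normalize();
        }

        Path resolve(String userSupplied) {
            // Reject empty names and embedded NUL bytes before touching the filesystem API;
            // a NUL can truncate the name in native code even if Java keeps it intact.
            if (userSupplied == null || userSupplied.isEmpty() || userSupplied.indexOf('\0') >= 0) {
                throw new IllegalArgumentException("invalid file name");
            }
            // normalize() collapses "." and ".." segments so the containment check below
            // sees the real target, not the string the attacker typed.
            Path candidate = base.resolve(userSupplied).normalize();
            // Path.startsWith compares whole name components, so "/srv/app/uploads2"
            // does not pass as being inside "/srv/app/uploads".
            if (!candidate.startsWith(base) || candidate.equals(base)) {
                throw new IllegalArgumentException("path escapes base directory");
            }
            return candidate;
        }
    }

    // Constructed base directory; it does not need to exist for these tests.
    private final SafePathResolver resolver = new SafePathResolver(Paths.get("/srv/app/uploads"));

    // The kind of test that usually does get written: does a normal name work?
    @Test
    void functionalCase_plainNameResolvesUnderBase() {
        assertEquals(Paths.get("/srv/app/uploads/report.pdf"), resolver.resolve("report.pdf"));
    }

    // The kind that usually does not: does every traversal attempt get refused?
    @ParameterizedTest
    @ValueSource(strings = {
        "../etc/passwd",          // classic parent-directory escape
        "..",                     // resolves to the parent of the base itself
        "a/../../etc/passwd",     // traversal hidden behind a legitimate-looking segment
        "/etc/passwd",            // absolute path; resolve() would otherwise replace the base
        "sub/../../x"             // lands one level above the base
    })
    void securityCase_traversalIsRejected(String hostile) {
        assertThrows(IllegalArgumentException.class, () -> resolver.resolve(hostile));
    }

    @Test
    void securityCase_nullByteIsRejected() {
        assertThrows(IllegalArgumentException.class, () -> resolver.resolve("report.pdf\0.jpg"));
    }

    @Test
    void securityCase_baseDirectoryItselfIsNotAValidTarget() {
        assertThrows(IllegalArgumentException.class, () -> resolver.resolve("."));
    }
}
```

The security tests cost about as many lines as the functional one, and they are exactly the cases a tester working only from a functional script will never exercise. If a later refactor replaces `normalize()` with naive string concatenation, the traversal test fails on the build server instead of in production.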
Since you are reading this post I will assume that you are one of the enlightened ones who consider security a feature. For that, I applaud you and hope that you evangelize as much to the rest of your organization and to everyone you meet. So the question now becomes: how do you do proper security testing of an application? You actually have many options available, though they fall into three somewhat broad categories: manual testing only, automated testing only, and automated testing combined with manual testing and review. Obviously, the last option is the best. The automated tools give a quick overview of the application and in most cases find almost all of the low-hanging fruit, while the human security testers provide in-depth analysis by probing the application in ways a scanning tool cannot. The other two options, though still somewhat viable for those without a large enough budget or time frame for option three, will always lead to problems and undiscovered vulnerabilities. Option three has its own issues too, as discussed below, and most of them lead to undiscovered vulnerabilities in any application no matter what technology is used.
The problem with current testing practices is that testing is mostly performed by testers. If you are wondering what I mean, look at it this way: many testers have no development background. They simply know the tools they are accustomed to and have no knowledge of the underlying infrastructure required to produce the applications they are testing. Some are not even familiar with basic HTML and JavaScript. A related issue is that many testers are not even aware of the security issues plaguing applications today. So how do you handle this situation?
In my opinion, Microsoft has a good strategy. They have a position known as a Software Development Engineer in Test. These people actually write code, but the code they write exists to scrutinize the production code and applications they are testing. They know how the applications work and are in a great position to find both functional and security-related issues. Another option is to hire testers with proven, security-relevant experience. Such testers should be quizzed thoroughly before being hired, and prior experience should be mandatory and verified. A third option, best used in conjunction with one of the previous two, is to establish an application security team that consults with developers as they write applications and raises awareness among developers of the risks present in today's world.
In any case, the only way to get "good" security testing results and maximize ROI is to have testers who understand the technologies in today's applications and have solid security testing knowledge. Whether these testers happen to be developers, or former developers who are now testers, doesn't really matter. The point is to have testers who understand the technologies, not testers who are experts at pushing the "test now" button on the latest and greatest functional testing software package.