Tuesday, 22 March 2011

Tuesday Top Tip - Penetration Testing

Most companies use application penetration testing towards the end of the development life cycle in order to identify security vulnerabilities. This can be a problem - especially if you have not thought about security earlier in the development process.

What do you do if the pen test throws up major security issues?

If it's late in the development cycle, these issues will be expensive to address, so you are more inclined to ignore them. That could leave you vulnerable.

Have you been in a position where a serious SQL injection vulnerability has been discovered two days before product launch? What do you do? You know it would have been fairly simple to address if it had been discovered much earlier - but now it's not so simple.

So here are some Tuesday Top Tips:
  1. You should think of application pen testing as a way to confirm that all your planned security measures have been implemented properly during the earlier development phases.
  2. Try to do some pen testing as early as possible in the development. If you discover issues, they should be less expensive to address - and you can integrate the lessons learned into the rest of the development.

All this assumes that you have integrated security into the development lifecycle.


1 comment:

  1. Multichannel access through multiple devices that include web browsers, rich clients, portals, mobile gadgets, sensors and other pervasive devices, as well as programmatic, service-oriented and event-driven interfaces, opens up a multitude of wicket gates for penetration. Having penetration testing (or for that matter testing) done at the fag-end of development is like papering over the gaps. Enterprises that don’t incorporate testing as a part of the SDLC are the ones that don’t take security aspects seriously; needless to mention, they risk performance limitations, security failures, overspending and, above all, run the risk of becoming headlines in leading newspapers for the wrong reasons!
