Most companies use application penetration testing towards the end of the development life cycle to identify security vulnerabilities. This can be a problem - especially if you have not thought about security earlier in the development process.
What do you do if the pen test throws up major security issues?
If it's late in the development cycle, these issues will be expensive to address, so you are more inclined to ignore them. That could leave you vulnerable.
Have you been in a position where a serious SQL injection vulnerability has been discovered two days before product launch? What to do? You know it would have been fairly simple to address if it had been discovered a lot earlier - but now it's not so simple.
So here are some Tuesday Top Tips:
- You should think of application pen testing as a way to confirm that all your planned security measures have been implemented properly during the earlier development phases.
- Try to do some pen testing as early as possible in development. If you discover issues then, they should be less expensive to address - and you can feed the lessons learned into the rest of the development.
All this assumes that you have integrated security into the development lifecycle.