

The Web Security Testing Framework

Overview

This section describes a typical testing framework that can be developed within an organization. It can be seen as a reference framework comprised of techniques and tasks that are appropriate at various phases of the software development life cycle (SDLC). Companies and project teams can use this model to develop their own testing framework, and to scope testing services from vendors. This framework should not be seen as prescriptive, but as a flexible approach that can be extended and molded to fit an organization's development process and culture.

This section aims to help organizations build a complete strategic testing process, and is not aimed at consultants or contractors who tend to be engaged in more tactical, specific areas of testing.

It is critical to understand why building an end-to-end testing framework is crucial to assessing and improving software security. In Writing Secure Code, Howard and LeBlanc note that issuing a security bulletin costs Microsoft at least $100,000, and it costs their customers collectively far more than that to implement the security patches. They also note that the US government's CyberCrime web site details recent criminal cases and the loss to organizations.

With economics like this, it is little wonder that software vendors move from solely performing black-box security testing, which can only be performed on applications that have already been developed, to concentrating on testing in the early cycles of application development, such as during definition, design, and development.

Many security practitioners still see security testing in the realm of penetration testing. As discussed in the previous chapter, while penetration testing has a role to play, it is generally inefficient at finding bugs and relies excessively on the skill of the tester. It should only be considered as an implementation technique, or to raise awareness of production issues.
