1

Imagine we have a dev team

  1. developers
  2. team lead
  3. scrum master
  4. ...

When a new feature is planned to be implemented, should it be sent to the security team by the dev team lead (to evaluate whether it needs to be tested), or should someone from the security team seek them out himself by attending meetings? We have like 10 different products.

schroeder
user228062
  • 4
    What to do at your job (testing a new feature or not) seems like a question for your boss rather than strangers on the internet? – Luc Jul 02 '20 at 09:41
  • 1
    It depends entirely on the purpose and goal of the testing. You are asking about the difference between "black box" and "white box" testing... Otherwise, you are asking a pure development process question. – schroeder Jul 02 '20 at 09:42
  • Why is the number of products relevant from a security perspective? – schroeder Jul 02 '20 at 09:43
  • Potential duplicate: https://security.stackexchange.com/questions/214/white-box-vs-black-box – schroeder Jul 02 '20 at 09:45
  • 2
    I'm not convinced this is a security question. This is a workplace question that boils down to, "How do I figure out what my job priorities are?" – Conor Mancone Jul 02 '20 at 10:09

3 Answers

2

There's no scripted answer to this.

This aspect is to be discussed and agreed to by the devs, the security team, their managers, the board, etc. Development and security are tools, the means to an end. If they don't happen consistently and collaboratively you're not being efficient.

a) new features should be planned with security in mind, with the input from the security folks;

b) features are implemented with the intention of being pentested regardless of by whom;

c) issues/faults are supposed to be found, info loops back to the devs and the cycle continues;

Pedro
1

According to Microsoft Security Development Lifecycle (SDL):

Practice #11 - Perform Penetration Testing

Penetration testing is a security analysis of a software system performed by skilled security professionals simulating the actions of a hacker. The objective of a penetration test is to uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses, and as such the test typically finds the broadest variety of vulnerabilities. Penetration tests are often performed in conjunction with automated and manual code reviews to provide a greater level of analysis than would ordinarily be possible.

Microsoft SDL (currently 5.2) details how security is baked into the development process. Thus Penetration Testing will be a topic of discussion from the very start as shown from the following:

Phase One: Requirements

  • What portions of the project will require penetration testing (pen testing) by a mutually agreed-upon group that is external to the project team. Any portion of the project that requires pen testing must resolve issues identified during pen testing before it is approved for release.

The topic continues to be discussed throughout the SDL phases. While I could reference each of those instances, better advice would be to recommend that you read the document (Microsoft SDL 5.2) and become familiar with the process to the point where you become the subject matter expert for your organization. Then incorporate the SDL principles into the development of your 10 products.

phbits
0

The biggest thing I try to do with clients, across all Non-Functional Testing, is to educate them. If they know when to reach out to you then it will make your life a lot easier. If you can design a basic questionnaire, and get it approved by all relevant developers, solution architects, and main stakeholders that would sign off on projects, that will give the basic questions that you would ask in a kick-off meeting, and if you can get it to a robust enough state then the PM will be able to sign off that security testing is not required just with this document. Get the tech lead to fill it out. Questions such as: is there a change to a database, is there a new API, is there new data being presented to a web front end. It would depend on the usually and products that you support.

Brian Folan