April 26, 2007

Testing for security

I was moderating a panel tonight at OSEF about security testing. We had people from Kynaxis, Cognos, and Entrust. It's great to hear from top-notch companies how they do things. Their insight into best practices and the mistakes they have made is a great way to fast-track smaller firms into doing things right from the get-go. The key takeaways:
  • Build security in, not bolted on. It's a myth that security slows things down if you build it in from the start.
  • Training: document best practices and train your QA to ask the right questions about what they will be testing. Make sure they understand the risk level of each module, so that they spend their limited time on the riskier parts.
  • Awareness: security is not only for developers and QA; it's for everyone in the organization. It's like an onion: there are many layers to it.

