I have a web application and we are working in an agile environment, and the QC team is working and needs to run security testing. When can I run the security test?

I searched for this topic and can't reach an acceptable result for the team.

schroeder
  • You were already provided with material in the comments to your last question. It ***directly*** answers your question. With a handy chart. https://owasp.org/www-project-web-security-testing-guide/latest/2-Introduction/ – schroeder Nov 30 '20 at 20:15
  • I already checked it but I need to know more opinions and share knowledge it would help later – Mohamed Elgamal Nov 30 '20 at 23:20
  • Mohammed - this site is not for opinions. – Rory Alsop Dec 16 '20 at 09:28

2 Answers

1

The short version is: as soon as there is something to test.

There are two common challenges that normally impact this on teams newer to agile development:

  1. Teams still batch work. They do all of the design up front, then all of the development, then hand it over for testing. This often runs late and leaves little or no time for testing. This can be addressed in a few different ways, but they all boil down to building in very small pieces that take at most a few days to complete, and those can go through testing steps (including security testing) early and on a continuous basis.

  2. Testing is done in a manual or ad hoc way that assumes you will only test once. Again, regardless of whether you are doing security testing or other testing, you're in an environment where you expect things to change frequently. This means that what was secure yesterday may not be secure tomorrow. Your security testing toolset needs to support this. A vast majority of things will need to be automated. Also, if all of your security testing is black-box, this will get away from you quickly. You want to target root causes of problems more than symptoms. Scan config files, use static code analysis, etc.

Daniel
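As an added illustration of the "automate it and target root causes" point above (this is example code, not part of Daniel's answer), the script below is the kind of configuration check a team can run on every commit in CI so that a setting that was safe yesterday does not silently regress tomorrow. The config keys (`DEBUG`, `TLS_VERIFY`, `CORS_ORIGINS`, `SESSION_COOKIE_SECURE`, `DB_PASSWORD`, `API_TOKEN`) and the sample config are assumed names for a hypothetical web application, constructed here for the example; adapt the rule table to your own app's configuration.

```python
"""Automated config-file check meant to run in CI on every change.

Added example, not code from the original answer. The keys checked below
are assumed names for a hypothetical web app; the sample config at the
bottom is constructed for this example.
"""
import json
import re

# Each rule is (config key, predicate that is True when the value is unsafe,
# message). Rules describe root-cause misconfigurations, which is what an
# automated check can catch earlier than a black-box scan of the symptom.
RULES = [
    ("DEBUG",
     lambda v: v is True,
     "debug mode enabled: stack traces and internals leak to clients"),
    ("TLS_VERIFY",
     lambda v: v is False,
     "TLS certificate verification disabled for outbound connections"),
    ("CORS_ORIGINS",
     lambda v: isinstance(v, (list, str)) and "*" in v,
     "wildcard CORS origin lets any site read API responses"),
    ("SESSION_COOKIE_SECURE",
     lambda v: v is False,
     "session cookie may be sent over plain HTTP"),
]

# Keys that look like credentials must not hold literal values; a reference
# such as "${vault:...}" (assumed convention for this example) is acceptable.
SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)$", re.IGNORECASE)


def scan_config(config: dict) -> list:
    """Return a sorted list of findings ("KEY: message") for one config dict."""
    findings = []
    for key, is_unsafe, message in RULES:
        if key in config and is_unsafe(config[key]):
            findings.append(f"{key}: {message}")
    for key, value in config.items():
        if (SECRET_KEY_RE.search(key)
                and isinstance(value, str)
                and value
                and not value.startswith("${")):
            findings.append(f"{key}: hard-coded credential in config "
                            "(use a secret reference instead)")
    return sorted(findings)


# Constructed sample config with several deliberate weaknesses.
CONSTRUCTED_CONFIG = json.loads("""
{
  "DEBUG": true,
  "TLS_VERIFY": false,
  "CORS_ORIGINS": ["https://app.example", "*"],
  "SESSION_COOKIE_SECURE": true,
  "DB_PASSWORD": "hunter2",
  "API_TOKEN": "${vault:api-token}"
}
""")


def main() -> int:
    """Print findings and return a non-zero exit code so CI fails the build."""
    findings = scan_config(CONSTRUCTED_CONFIG)
    for finding in findings:
        print("FAIL", finding)
    if not findings:
        print("OK: no insecure settings found")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Because `scan_config` returns the findings rather than only printing them, the same function can be wired into a pre-commit hook, a CI job, or a unit test; a non-zero exit code is what makes the pipeline stop on a regression instead of relying on someone re-running a manual test.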
1

It really depends on the available resources. If you can only afford to make a penetration test ONCE for the application, then do it when it's 100% finished. If you can afford to make a penetration test every day, then start it as soon as possible. In my experience, in a typical pentest by a third party, it makes little sense to test something that's still in the works, because the developers tend to make the same mistakes over and over again, and in the end you end up with an application that's got most of, if not all of, the same security issues again once they have finished. But it also depends on the skills of the pentesters, to a degree. I would say, let a team of less experienced pentesters start early, so they can explore the app and learn.

Martin Fürholz