[WEB SECURITY] The security industry needs to re-align its training expectations for QA
Andy Steingruebl
steingra at gmail.com
Tue Feb 3 22:15:04 EST 2009
On Tue, Feb 3, 2009 at 1:18 PM, Rafal @ IsHackingYou.com
<rafal at ishackingyou.com> wrote:
> Hi folks,
> After reading Robert's post, and having a very brief conversation I've
> decided to post the follow-on that I wrote this afternoon, to further
> discussion on the matter. I strongly believe that QA teams are the next
> logical stop, and part of the critical-path to overall good security... I
> welcome comments and feedback of course! The link is back over to the blog
> I write for HP/Application Security Center... enjoy!
>
> http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2009/02/03/qa-lesson-defect-vs-vulnerability.aspx
I tried to post a comment to your blog but it didn't work, so I'll put
it here instead.
I think what you've hit on with vulnerability vs. defect is due to a
problem with under specified security requirements. When security
requirements actually make their way into the functional
specifications for things, it's a lot easier to treat an instance of an
authorization problem, information leakage, etc. as defects than just
interesting flaws. They violate the requirements for the specific
application and so are easier for QA to understand.
That said, it also helps to have some standard sort of bug priority
matrix that maps specific statements about security and some examples
to the regular priority levels that your QA team already uses for
assigning defects. That way you're again speaking exactly the same
language.
--
Andy Steingruebl
steingra at gmail.com