How often should you perform security testing?

I’m interested to know how often you perform security testing?

If anyone is doing it as part of regression, what tools do you use, and are they automated?

I’m not a security tester (would love to give it a go however!), but with everything the answer is probably “it depends” in terms of how often.

For tools, are you aware of OWASP?

https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents has lots of useful information, including tools.

None at all.
I do from time to time try to ‘play around’.
Some developers also ask some security questions for backend, server side things they touch or implement, and they might come up with the solution themselves.
The company asks for regular security audits of the applications(from a security consultancy company) - which seem to most of the time be useless as they are just extracts from a tool scan.

In the context of web applications I think security can’t be considered a second class citizen. Tests should be running at least before each major release.
Regarding tools we are using OWASP Zap and Checkmarx. Also from time to time, the company hires an external security company to perform further tests.

@nufenix Yeah I use to the OWASP cheat sheets a lot :grinning:

I’m not much of a security tester though either but will look into more automated tools for each release.

@jayharris_sec might be able to help here. He just gave an amazing live hacking session at Testing Atelier in Leeds.

At my work we run weekly Veracode sandbox scans and have verification / security testing as part of our regression. It’s also something we discuss when starting on new stuff just like automation and load. The earlier we think about all those the better the product becomes.

Bug Magnet is a cool extension that has some SQL Injection built in but as Jay showed up, you can just put ’ to find security issues in forms, logins etc.

1 Like

Thanks for this :slightly_smiling_face:

1 Like

We perform security testing anytime we perform a major release of a externally facing application - including a change to API’s.

We use Webinspect, which seems to do the trick (think we have 1 license and we have it running on an independant server). If there is a real risk (so doing something with very senstive user data) we would get a 3rd party to test - mainly as it gives us some back up!

Oh and the OWASP stuff is great, we’ve just launched an app and based the whole security and dev principles around OWASP which has worked really well.

The upcoming Power Hour might interest you too :slight_smile:

3 Likes

We’re making security testing part of our workflow. For PHP development, we’re integrating RIPSTECH Security Scanner in our IDE and CI/CD to perform on-the-fly code analysis for security vulnerabilities.

Last week I gave a presentation on “Testing to reduce support calls” where I had a slide focussing on security testing where I listed a couple of tools we use to have security testing closer into the development phase.

Of course, manual penetration testing is the ultimate test for security vulnerabilities and should occur more regularly than the required x times a year to meet a compliance. Using automated tools to eliminate the “low-hanging-fruit” of vulnerabilities you gain lots more value from these pentests as they can now find and discover the more complex type of vulnerabilities instead of spending time “collecting common flaws”.

From my experience: having tools that will do deep-code analysis and vulnerability checks, manual security testing every 3 months should be enough. More is better, but that often relates directly to the budget available.

Learning the basics of security testing and understanding how the OWASP Top 10 still remains the most common way to break into web applications, is still golden for any IT profession.

1 Like

We use Acunetix for Application Security and Nessus for Network Security. We run these scans on every release candidate after regression testing. Anything we find is likely to be a quick fix, so last-minute is ok.