[OWASP-Bangalore] Application Pent Test Process query (N. V. R. K. RAJU)

Kiran Sharma KiranSharma at fico.com
Wed May 14 12:09:26 UTC 2014


Hi Raju,

Here is what we do in our organization: we run a full scan of the application on pre-production environments (which are similar to the live or production environments).
Once the full scan/full testing is done, we are aware of the application behavior; from there on it's only the patches or small defect changes in the code or the functionality.
You could probably test the delta (change in functionality/code), which would take much less than a week and would in turn help the application team to concentrate on the release every fortnight.

Please let me know if it helps. 

Thanks & Regards

Kiran Sharma
CEH ECSA ITIL
Fair Isaac India Pvt Ltd
T(O): +91-80-413-71952 F(O): +91-80-413-71701 M(P): +91-963-266-6900

-----Original Message-----
From: owasp-bangalore-bounces at lists.owasp.org [mailto:owasp-bangalore-bounces at lists.owasp.org] On Behalf Of owasp-bangalore-request at lists.owasp.org
Sent: Wednesday, May 14, 2014 5:30 PM
To: owasp-bangalore at lists.owasp.org
Subject: OWASP-Bangalore Digest, Vol 76, Issue 1


Message: 1
Date: Tue, 13 May 2014 16:18:04 -0700
From: "N. V. R. K. RAJU" <nvrkraju4 at gmail.com>
To: "null-co-in at googlegroups.com" <null-co-in at googlegroups.com>, OWASP Bangalore Mailing List <owasp-bangalore at lists.owasp.org>, OWASP Hyderabad <owasp.hyderabad at gmail.com>, OWASP Hyderabad <owasphyderabad at gmail.com>, securityxploded at googlegroups.com
Subject: [OWASP-Bangalore] Application Pent Test Process query
Message-ID:
	<CAO_7Mb3H49qUbdWEw11Wn0OxuipMZHovyRpFTGi9imCiqTLAqw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi All,

I have been struggling to give a business justification to my application owners about application pen test timelines.

We usually quote 2 weeks of application pen test time for any major releases and new applications.
Our application owners have a constraint with 2 weeks of pen testing time for getting their applications live.

They understand the security risk and get the application tested by squeezing the timelines to a week or so. They are also aware of the risks imposed by squeezing the pen test timeline. However, they have a valid justification for their own application releases, which are frequent, every month or so.

What is the best security solution that we can provide to them? They also cite examples of eBay or other big sites: how do they manage security testing of applications for which they push updates overnight?

Any possible process/procedure/solutions/suggestions are welcome.

--
Regards,
Raju

This email and any files transmitted with it are confidential, proprietary and intended solely for the individual or entity to whom they are addressed. If you have received this email in error please delete it immediately.