[OWASP-Bangalore] [null] Application Pent Test Process query

N. V. R. K. RAJU nvrkraju4 at gmail.com
Wed May 14 16:52:21 UTC 2014


Thank you all for your valuable responses.

To conclude from the various responses, I have a few data points collected and
listed below:

*1. Follow a risk-based approach - For the security issues that the app team
cannot fix in the stipulated time-frame, let the app team release the app
accepting the risks; however, take confirmation from the team to have the
fix released in future releases. We do have an exemption process for High and
Medium.*

*2. Delta testing - For new releases, test only for the changes between
releases. If it is a huge application, test the delta only on sensitive
interfaces, and again follow the risk-based approach on the gaps which were
not covered.*

*3. Having more resources*

*4. Automating application testing*

*5. Reduce documentation*




On Tue, May 13, 2014 at 9:43 PM, <khushal201301 at gmail.com> wrote:

> Hi,
>
> You can suggest the Agile model to them. Agile is the only method where you
> can meet the timeline constraint.
>
> Regards
> Khushal
> Sent from BlackBerry® on Airtel
> ------------------------------
> *From: * "N. V. R. K. RAJU" <nvrkraju4 at gmail.com>
> *Sender: * null-co-in at googlegroups.com
> *Date: *Tue, 13 May 2014 16:18:04 -0700
> *To: *null-co-in at googlegroups.com<null-co-in at googlegroups.com>; OWASP
> Bangalore Mailing List<owasp-bangalore at lists.owasp.org>; OWASP Hyderabad<
> owasp.hyderabad at gmail.com>; OWASP Hyderabad<owasphyderabad at gmail.com>; <
> securityxploded at googlegroups.com>
> *ReplyTo: * null-co-in at googlegroups.com
> *Subject: *[null] Application Pent Test Process query
>
> Hi All,
>
> I had been struggling to give a business justification to my application
> owners about application pen test timelines.
>
> We usually quote 2 weeks of application pen test time for any major
> releases and new applications.
> Our application owners have a constraint of 2 weeks of pen testing time
> for getting their applications live.
>
> They understand the security risk and get the application tested by
> squeezing the timelines to a week or so. They are also aware of the risks
> imposed by squeezing the pen test timeline. However, they have a valid
> justification for their own application releases, which are frequent, every
> month or so.
>
> What is the best security solution that we can provide to them? They also
> take examples of eBay or other big sites: how do they manage security
> testing of applications for which they push updates overnight?
>
> Any possible process/procedure/solutions/suggestions are welcome.
>
> --
> Regards,
> Raju
>
> --
>
> _______________________________________________________________________________
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/
> ---
> You received this message because you are subscribed to the Google Groups
> "null" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to null-co-in+unsubscribe at googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
>



-- 
Regards,
Raju