Web Application Security Testing in an Agile Software Development Life Cycle – A Technical Case Study

We’ve teamed up with Acme Corporation (name changed for privacy and security reasons) to bring you a very detailed look at how a medium-sized business managed to successfully include web security testing in their SDLC processes.

Before introducing Acunetix, Acme had major problems with web application security. Part of the cause was the company's reliance on external penetration testing (manual testing performed by a third party). Acme therefore decided to focus entirely on internal, automated testing, and the key requirement for any candidate security solution was its ability to integrate into the software development process.

In this document, you will get to know their whole story. You will learn what challenges they faced and how they handled them. You will learn why they chose Acunetix and how they made the best use of it.

Here are some highlights from this technical case study.

Challenges of Introducing Security Testing in the SDLC

Both Acme and other customers report that most problems with introducing security testing in the SDLC are not technical. Configuring CI/CD software to run web application security tests as part of a pipeline is straightforward, and this holds for black-box testing tools (DAST) as much as for white-box static source code analysis tools (SAST).

One of the major problems Acme ran into was deciding how to ensure that failing security tests do not cause major delays in the development process while still guaranteeing that security issues are not ignored. Another concern was that, once a security-focused software testing life cycle was introduced, Acme expected a large number of security vulnerabilities to surface at once.
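As an added illustration (not code from the original post, from Acme or from Acunetix), here is one way a pipeline step can strike the balance described above: fail the build on critical and high findings, report medium findings without blocking, and skip findings that were already triaged by keeping a baseline of their fingerprints, so a known issue does not fail every build until it is fixed. The JSON report shape, the hostnames and the finding names are constructed for this example and do not represent any real scanner's export format; unknown severity labels are treated as blocking so the gate fails closed.

```python
"""Severity-gated CI step for a DAST scan report (added example).

The report format, hostnames and findings below are constructed for
illustration; they are not Acunetix's export format or a real scan.
"""
import json
import sys
from dataclasses import dataclass

# Policy: critical/high findings fail the build, medium ones are reported
# but do not block, low/informational are logged only.
BLOCKING = {"critical", "high"}
WARN_ONLY = {"medium"}
LOG_ONLY = {"low", "informational"}


@dataclass(frozen=True)
class Finding:
    severity: str
    name: str
    url: str

    def fingerprint(self) -> str:
        # Stable key used to recognise the same finding across builds.
        return f"{self.severity}:{self.name}:{self.url}"


def parse_report(text: str) -> list:
    """Parse the constructed JSON shape {"findings": [{severity, name, url}, ...]}."""
    data = json.loads(text)
    return [
        Finding(f["severity"].strip().lower(), f["name"], f["url"])
        for f in data["findings"]
    ]


def evaluate(findings, baseline=frozenset()):
    """Return (exit_code, blocking, warnings).

    baseline holds fingerprints of findings that were already triaged
    (ticketed or accepted) so a known issue does not fail every build.
    Severity labels outside the known sets fail closed: they block.
    """
    blocking, warnings = [], []
    for f in findings:
        if f.fingerprint() in baseline:
            continue
        if f.severity in BLOCKING or f.severity not in (WARN_ONLY | LOG_ONLY):
            blocking.append(f)
        elif f.severity in WARN_ONLY:
            warnings.append(f)
    return (1 if blocking else 0), blocking, warnings


# Constructed sample report standing in for a scanner export.
SAMPLE_REPORT = json.dumps({"findings": [
    {"severity": "High", "name": "SQL injection",
     "url": "https://app.example.test/search?q="},
    {"severity": "Medium", "name": "Missing X-Frame-Options header",
     "url": "https://app.example.test/"},
    {"severity": "Low", "name": "Cookie without Secure flag",
     "url": "https://app.example.test/login"},
]})


def main(argv):
    # Usage: gate.py [report.json] [baseline.txt]; without arguments the
    # constructed sample report is evaluated with an empty baseline.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    baseline = (frozenset(open(argv[2]).read().splitlines())
                if len(argv) > 2 else frozenset())
    code, blocking, warnings = evaluate(parse_report(text), baseline)
    for f in blocking:
        print(f"BLOCK {f.severity:<8} {f.name} at {f.url}")
    for f in warnings:
        print(f"WARN  {f.severity:<8} {f.name} at {f.url}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is what the CI job keys on: a non-zero status from the blocking list stops the pipeline, while warnings only appear in the job log and are meant to be turned into tickets. The baseline file is one fingerprint per line and should itself be under review, since adding a line to it is an explicit risk acceptance.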

Luckily, Acme is a truly agile company and they did not have to fight the biggest enemy – inertia. Everyone at Acme was interested in making the project a success and resistance was minimal. What also helped greatly with introducing a secure software development life cycle was the fact that the manager behind the project of introducing web application security testing was very experienced and that the company hired people with the right mindset.

THE AUTHOR
Tomasz Andrzej Nidecki
Technical Content Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.


*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/wntdSkAnMp8/