Secure Coding mailing list archives

QASEC Announcement: Writing Software Security Test Cases


From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Mon, 8 Jan 2007 12:06:14 -0500 (EST)

This is great, and something I have incorporated into our own cycle
previously, as carving out a spot on our team as the "security engineer"
didn't seem to work. But by creating a process for including security
testing, abuse cases, etc., I was able to incorporate security without a big
hit to the team. This sold management on the fact that it can be a simple
and seamless process, and it soon became adopted. The other half of it is that
you have to be the person on the team who is always thinking in terms of the
corner cases, the worst-case scenarios, the one who aggravates the
development team the most.


The fact of proving to management that this isn't an expensive decision is
something that I think will start to catch on. By making this part of the process,
if an issue is discovered you have already scoped out the additional time needed to
research and address the issue. QA has always aggravated development; this isn't new :)

Regards,
- Robert
http://www.cgisecurity.com/
http://www.qasec.com/
