It is my belief that testing should be done throughout the development lifecycle, and not only during the testing phase. We want feedback as soon as possible, to ensure we make a high-quality product that customers actually want. Below I will lay out some strategies for security testing.
Provide developers with security scanning software (such as OWASP ZAP), teach them to use it, and ask them to fix everything it finds before sending the application to QA.
Add automated security testing into your pipeline, specifically:
- VA scanning of infrastructure for missing patches and bad configuration (this applies to both containers and VMs, but you use different tools to scan each)
- Scanning of third-party components and libraries for known vulnerabilities
- Dynamic Application Security Testing (DAST) - only do a passive scan so that you don't make the pipeline too slow
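The three automated checks above only pay off if the pipeline acts on their output, so here is an added example (not code from the original post) of the gating step that sits after the scanners: it reads the JSON report from a ZAP passive baseline scan and the JSON report from a Trivy image or filesystem scan, maps both onto one severity ladder, and fails the stage when a finding crosses a per-source threshold. The report shapes are assumed from the tools' documented output (ZAP's traditional JSON report as written by `zap-baseline.py -J`, Trivy's schema-v2 JSON from `trivy image --format json`), the embedded sample reports are constructed, the CVE ids in them are placeholders, and the thresholds in `PIPELINE_POLICY` are illustrative.

```python
"""Pipeline gate for automated security scan results.

Added example (not code from the original post). Assumes the JSON shapes
of ZAP's traditional JSON report (written by `zap-baseline.py -J`) and of
Trivy's schema-v2 JSON output (`trivy image --format json`); the embedded
sample reports are constructed and the severity thresholds are illustrative.
"""
import json
from dataclasses import dataclass

# One severity ladder for the gate. ZAP reports a numeric riskcode (0-3);
# Trivy reports textual severities, so both are mapped onto this list.
SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
ZAP_RISKCODE_TO_SEVERITY = {0: "INFO", 1: "LOW", 2: "MEDIUM", 3: "HIGH"}


@dataclass(frozen=True)
class Finding:
    source: str    # "dast" (ZAP passive scan) or "deps" (Trivy image/filesystem scan)
    title: str
    severity: str  # one of SEVERITY_ORDER

    def at_least(self, threshold: str) -> bool:
        return SEVERITY_ORDER.index(self.severity) >= SEVERITY_ORDER.index(threshold)


def parse_zap_report(report: dict) -> list:
    """report["site"][i]["alerts"][j] carries "alert" (title) and "riskcode" ("0".."3")."""
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            severity = ZAP_RISKCODE_TO_SEVERITY.get(int(alert.get("riskcode", 0)), "INFO")
            findings.append(Finding("dast", alert.get("alert", "unnamed alert"), severity))
    return findings


def parse_trivy_report(report: dict) -> list:
    """report["Results"][i]["Vulnerabilities"] is absent or null for clean targets."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if severity not in SEVERITY_ORDER:
                severity = "INFO"  # keep UNKNOWN findings visible rather than dropping them
            title = f"{vuln.get('VulnerabilityID')} in {vuln.get('PkgName')} {vuln.get('InstalledVersion')}"
            findings.append(Finding("deps", title, severity))
    return findings


def gate(findings: list, thresholds: dict) -> tuple:
    """Return (passed, blocking): findings at or above their source's threshold block
    the build; sources with no threshold are reported but never block."""
    blocking = [f for f in findings
                if f.source in thresholds and f.at_least(thresholds[f.source])]
    return (not blocking, blocking)


# Constructed sample reports (placeholder CVE ids, fictitious package name).
SAMPLE_ZAP_JSON = json.dumps({"site": [{"@name": "https://app.example.test", "alerts": [
    {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
    {"alert": "Cookie without SameSite Attribute", "riskcode": "1"}]}]})
SAMPLE_TRIVY_JSON = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "app:latest (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
         "InstalledVersion": "1.0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libexample",
         "InstalledVersion": "1.0", "Severity": "MEDIUM"}]},
    {"Target": "app:latest (app/requirements.txt)", "Vulnerabilities": None}]})

# Illustrative policy: block on high-or-worse findings from either source.
# Passive DAST alerts (missing headers, cookie flags) are mostly Low/Medium,
# so this keeps the passive scan fast *and* non-blocking for routine noise.
PIPELINE_POLICY = {"deps": "HIGH", "dast": "HIGH"}


def run_gate(zap_json: str, trivy_json: str, policy: dict) -> tuple:
    findings = parse_zap_report(json.loads(zap_json)) + parse_trivy_report(json.loads(trivy_json))
    return gate(findings, policy)


if __name__ == "__main__":
    passed, blocking = run_gate(SAMPLE_ZAP_JSON, SAMPLE_TRIVY_JSON, PIPELINE_POLICY)
    for f in blocking:
        print(f"BLOCKING [{f.source}] {f.severity}: {f.title}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

In a real pipeline the two sample strings are replaced by the report files the scanners wrote, and the policy is the place to tune noise: leaving a source out of `PIPELINE_POLICY` makes it report-only, which is a sensible first step when you introduce a new scanner and do not yet want it breaking builds.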
During the testing phase I suggest doing a proper Vulnerability/Security Assessment (VA) or PenTest (if you need management's attention), but early enough that if you find something you can fix it before it's published.