Integrating Security into SDLC – Part5

4. Vulnerability Assessment and Penetration Testing (VAPT): Testing phase activities help identify and address bugs related to functionality, user specifications and, to some extent, the security requirements that were initially agreed between the Service Provider and their respective Clients/Customers.

Testing Phase: VAPT

Like all the previous phases, security again plays an important role in this phase. A dedicated Security Testing team is put in place whose core responsibility is to identify security vulnerabilities using automated penetration testing tools, complemented by manual security analysis to filter out false positives where necessary.

VAPT is also called ‘Blackbox Testing’, as the security professionals have no or very minimal access to the source code and depend entirely on their past experience, industry standards, the organization’s security standards and automated tools to identify security vulnerabilities.

The methodology followed in this phase is similar to the one from the Develop phase. An example of a VAPT Methodology can be something as follows:

VAPT Methodology

To sum it up:

  • Prepare and follow a VAPT Methodology
  • Identify security vulnerabilities (always consider a hybrid approach, that is a combination of automated tools and manual security analysis)
  • Risk rank each identified vulnerability
  • Provide relevant fix recommendations
  • Carry forward all artifacts and observations to the next phase of SDLC
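The triage steps above (hybrid identification, false-positive filtering, risk ranking, fix recommendations and the carry-forward artifact) as an added example, not code from the original post; the findings, verdicts and the 1..3 likelihood/impact scale are constructed assumptions:

```python
# Added example: merge automated-scanner findings with the analyst's manual verdicts,
# drop false positives, risk-rank the rest and emit the artifact for the next phase.
from dataclasses import dataclass, asdict

@dataclass
class Finding:
    id: str
    title: str
    tool_severity: str      # what the automated tool reported
    manual_verdict: str     # "confirmed", "false_positive" or "unverified"
    likelihood: int = 0     # 1..3, set by the analyst during manual analysis
    impact: int = 0         # 1..3, set by the analyst during manual analysis
    fix: str = ""           # recommended remediation

def risk_rank(likelihood: int, impact: int) -> str:
    """Map the analyst's likelihood x impact score (1..9) onto a rank."""
    score = likelihood * impact
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def triage(findings):
    """Hybrid approach: automated findings are kept only after manual review."""
    report = []
    for f in findings:
        if f.manual_verdict == "false_positive":
            continue                      # filtered out by manual analysis
        if f.manual_verdict == "unverified":
            rank = "Needs manual verification"   # tool result alone is not enough
        else:
            rank = risk_rank(f.likelihood, f.impact)
        entry = asdict(f)
        entry["risk_rank"] = rank
        report.append(entry)
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    report.sort(key=lambda e: order.get(e["risk_rank"], 4))
    return report

# Constructed sample scanner output together with the analyst's verdicts
SAMPLE = [
    Finding("F1", "Reflected XSS in search", "High", "confirmed", 3, 3, "Output-encode input"),
    Finding("F2", "Open redirect on login", "Medium", "confirmed", 2, 2, "Allow-list targets"),
    Finding("F3", "SQL injection in report filter", "Critical", "false_positive"),
    Finding("F4", "Server version in response header", "Low", "unverified"),
]
```

Calling `triage(SAMPLE)` returns the ranked list with F3 removed and F4 flagged for manual follow-up, which is the artifact handed to the next phase.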


Benefits of integrating Security in Phase 4:

  • Real-time security vulnerabilities are addressed
  • Some critical vulnerabilities that SAST tools cannot identify, such as Cross-site Scripting (XSS), URL redirects and tampering, Request/Response splitting and more, can be easily identified and fixed


Author: admin

Raghavendra Rao PV has more than 11 years of experience in Information Technology. He started his career as a software developer at Accenture in the year 2006 and then moved to Information Security. Prior to starting SecureFirst Solutions Private Limited, he worked with organizations including Accenture Services Private Limited, TATA Consulting Services and Dell International Services. He is a Certified Ethical Hacker (CEH) and IBM Rational AppScan Certified.
