I had the privilege of sitting down with Rafal Los & Glenn Leifheit at OWASP AppSecUSA 2011 in Minneapolis to talk about how we can embed security in QA. Raf was nice enough to record our conversation on his popular podcast series, Down the Rabbithole.
We are big fans of finding practical, repeatable ways to build a subset of security testing into QA. We like to separate the easily repeatable checks (“does your cookie have the secure flag set?”) from the kinds of domain-specific or obscure attacks that require years of penetration testing experience. The former can belong to QA, while the latter belongs to pen testers. We believe in this so strongly that we’ve incorporated test instructions and videos on how QA can manually look for basic security issues as part of SD Elements.
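As an added illustration of the kind of repeatable check QA can own (example code written for this post, not part of SD Elements or the podcast), here is a small regression test that parses a response's Set-Cookie headers and reports cookies missing the Secure flag; it goes one step beyond the post's example by also requiring HttpOnly on cookies whose names look like session or auth tokens. The name pattern and the sample headers are constructed assumptions.

```python
"""QA-style check: every cookie must be Secure; session-like cookies must also be HttpOnly."""
import re
from typing import Dict, List, NamedTuple

# Assumption for this example: cookie names matching this pattern carry a
# session or auth token and therefore also need HttpOnly.
SENSITIVE_NAME = re.compile(r"(sess|auth|token|sid)", re.IGNORECASE)


class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]  # attribute names lower-cased; flag attrs map to ""


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and its attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def check_cookie_flags(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per missing flag, in header order; an empty list is a pass."""
    findings: List[str] = []
    for raw in set_cookie_headers:
        cookie = parse_set_cookie(raw)
        if "secure" not in cookie.attrs:
            findings.append(f"{cookie.name}: missing Secure")
        if SENSITIVE_NAME.search(cookie.name) and "httponly" not in cookie.attrs:
            findings.append(f"{cookie.name}: missing HttpOnly")
    return findings


# Constructed sample headers, as a QA tester would capture them from a proxy.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure",
    "auth_token=xyz; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in check_cookie_flags(SAMPLE_HEADERS):
        print("FAIL", finding)
```

Run it against the Set-Cookie headers captured from a login response; an empty result means the test passes.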