12 Testing security
This chapter covers
- Building a security-testing strategy for the organization
- Applying four techniques to manually audit application security
- Working with external security firms efficiently
- Establishing and maintaining a bug bounty program
The concept of test-driven security (TDS) that we followed throughout part 1 of the book integrated security testing directly inside the CI/CD pipeline. By doing so, we tested new versions of services and applications before they reached production. It’s an ideal state that yields the fastest turnaround between discovering security issues and fixing them.
Yet, the reality for most organizations is that only parts of applications and services can be properly tested from within the pipeline. TDS will catch obvious mistakes and ensure that what reaches production complies with the security baseline of the organization, but it won’t catch the subtle vulnerabilities hidden deep in the code or the infrastructure. To find those, we need more-sophisticated testing methods.