Besides CGISecurity.com I'm involved with my other project, QASec.com, a new website aimed
at teaching security throughout the development cycle with a heavy focus on security testing.
I've just written an article explaining how Quality Assurance Engineers can include security testing
in their test plans.
"Part of software testing involves replicating customer use cases against a given application.
These use cases are documented in a test plan during the quality assurance phase in the development
cycle to act as a checklist ensuring common use cases aren't missed during the testing phase. People
within the quality assurance community are starting to understand that checking an application for
security issues (defects) isn't just the responsibility of the security department (if one exists)
or the software architects. While typical QA Engineers don't understand the scope or inner workings
of specific software vulnerabilities, they do go about testing an application in a similar fashion
to how the penetration testing community does. Unlike typical penetration testing, QA has access
to internal documents and insider information, giving them advantages to aid in the testing of an
application. In addition to documenting customer use cases, it's important to begin the process of
documenting what an attacker may attempt against your application as well, and to incorporate these
attacker 'use cases' into a security section of your standard test plan."
Article Link: http://www.qasec.com/cycle/securitytestcases.shtml
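The attacker 'use cases' the excerpt describes can sit in the same checklist as the customer ones and be run the same way. The block below is an added example, not code from the QASec article or from CGISecurity: it assumes a constructed user-lookup function (`find_user`, using a parameterised query) beside a string-concatenation variant (`find_user_unsafe`), and a small `TEST_PLAN` that lists customer use cases (`UC-*`) and attacker use cases (`SEC-*`) with their expected outcomes. The sample users and all function names are assumptions for illustration.

```python
import sqlite3

MAX_USERNAME_LEN = 32


def build_db():
    """Constructed in-memory sample data (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn


def find_user(conn, username):
    """Hardened implementation: validates input, then binds it as a query parameter."""
    if not isinstance(username, str) or not username:
        raise ValueError("username required")
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username too long")
    row = conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (username,)
    ).fetchone()
    return {"name": row[0], "role": row[1]} if row else None


def find_user_unsafe(conn, username):
    """Weak implementation kept only so the test plan can show it failing the SEC cases:
    no validation, and the username is concatenated into the SQL text."""
    row = conn.execute(
        f"SELECT name, role FROM users WHERE name = '{username}'"
    ).fetchone()
    return {"name": row[0], "role": row[1]} if row else None


# The test plan: one entry per use case. "expect" is either the value the lookup
# should return or the exception type the application should raise.
TEST_PLAN = [
    {"id": "UC-1", "category": "customer", "desc": "Existing user is found",
     "input": "alice", "expect": {"name": "alice", "role": "user"}},
    {"id": "UC-2", "category": "customer", "desc": "Unknown user yields no record",
     "input": "carol", "expect": None},
    {"id": "SEC-1", "category": "attacker", "desc": "SQL metacharacters are not interpreted",
     "input": "' OR '1'='1", "expect": None},
    {"id": "SEC-2", "category": "attacker", "desc": "Comment-terminated probe for admin is not honoured",
     "input": "admin'--", "expect": None},
    {"id": "SEC-3", "category": "attacker", "desc": "Oversized input is rejected",
     "input": "a" * 1000, "expect": ValueError},
    {"id": "SEC-4", "category": "attacker", "desc": "Empty input is rejected",
     "input": "", "expect": ValueError},
]


def run_case(conn, impl, case):
    """Return True when the implementation produced the expected outcome for one case."""
    expect = case["expect"]
    try:
        result = impl(conn, case["input"])
    except Exception as exc:
        return isinstance(expect, type) and isinstance(exc, expect)
    if isinstance(expect, type):
        return False  # an exception was expected but none was raised
    return result == expect


def run_test_plan(impl, plan=TEST_PLAN):
    """Run every use case against the given implementation; map case id -> pass/fail."""
    conn = build_db()
    try:
        return {case["id"]: run_case(conn, impl, case) for case in plan}
    finally:
        conn.close()


def summarize(results, plan=TEST_PLAN):
    """Count passes and failures per use-case category (customer vs attacker)."""
    by_cat = {}
    for case in plan:
        bucket = by_cat.setdefault(case["category"], {"passed": 0, "failed": 0})
        bucket["passed" if results[case["id"]] else "failed"] += 1
    return by_cat


if __name__ == "__main__":
    for label, impl in (("hardened", find_user), ("unsafe", find_user_unsafe)):
        res = run_test_plan(impl)
        print(f"== {label} implementation ==")
        for case in TEST_PLAN:
            status = "PASS" if res[case["id"]] else "FAIL"
            print(f"{case['id']:6} [{case['category']:8}] {status}  {case['desc']}")
        print(summarize(res))
```

Running the same plan against both implementations is the point: the customer cases pass either way, so functional QA alone would sign off on the unsafe build, while the attacker section of the plan is what separates the two.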