- Key Mistake 1: Separate Camps
- Key Mistake 2: Uncommon Standards
- Key Mistake 3: Treating Business Processes and Usability as an Afterthought
- Key Mistake 4: Inadequate Security Testing
- Moving Toward Confluence in Enterprise Security
Key Mistake 4: Inadequate Security Testing
Functional specifications outline what a system is intended to do. But security vulnerabilities are often tied to the nonfunctional aspects of the application—exploits of what the system is not intended to do. Unfortunately, many organizations narrow security testing to tests of functionality, without testing whether the system can be made to do things that should be prohibited. Even with the addition of cursory penetration tests performed prior to shipping, security testing is often inadequate to identify the breadth of potential flaws that could be exploited by the highly capable adversaries who characterize today's threat environment.
Starting point for addressing this issue
Expand the idea of functional specifications to include both what you want the application to do and what you don't want it to do. The corresponding expanded view of security testing then gives attention to both intended functional specifications and unintended functional possibilities. Testing with this broader view also means recognizing that adversaries are increasingly well resourced and able to adapt their techniques to outmaneuver protections. With that possibility in mind, diversifying your testers and your testing techniques is a good approach. Because adversaries are diverse (with varying motives, backgrounds, and approaches), the teams protecting your organization against them should be diverse too.
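The following is an added example, not code from the original article, showing what an "expanded specification" looks like in practice: a hypothetical document store whose test suite encodes the intended behaviour (owners can read their own documents) alongside the abuse cases the system must refuse (another user's document, an unknown user, ids of the wrong type, and an error response that does not reveal whether a document exists). All names, the `DocumentStore` API and the sample documents are constructed for the example.

```python
"""Added example (not from the original article): a toy document-access API
whose test suite encodes both the functional specification (what the system
should do) and the abuse cases (what it must refuse to do)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    content: str


class AccessDenied(PermissionError):
    """Raised for every refused read; a single error type for all refusals."""


class DocumentStore:
    """Hypothetical store: each document is readable only by its owner."""

    def __init__(self) -> None:
        self._docs: dict[int, Document] = {}

    def add(self, doc: Document) -> None:
        self._docs[doc.doc_id] = doc

    def read(self, user: str, doc_id: object) -> str:
        # Reject non-int ids before lookup so "1" or 1.0 cannot alias an int key
        # (1.0 == 1 and hashes identically, so a plain dict lookup would succeed).
        if type(doc_id) is not int or doc_id < 0:
            raise AccessDenied("access denied")
        doc = self._docs.get(doc_id)
        # A missing document and another user's document produce the identical
        # error, so a caller cannot use the response to enumerate which ids exist.
        if doc is None or doc.owner != user:
            raise AccessDenied("access denied")
        return doc.content


def make_store() -> DocumentStore:
    """Constructed sample data for the tests."""
    store = DocumentStore()
    store.add(Document(1, "alice", "alice's notes"))
    store.add(Document(2, "bob", "bob's notes"))
    return store


def _denied(store: DocumentStore, user: str, doc_id: object) -> bool:
    """True only if the read is refused with the uniform error message."""
    try:
        store.read(user, doc_id)
    except AccessDenied as exc:
        return str(exc) == "access denied"
    return False


def functional_cases() -> dict[str, bool]:
    """The intended behaviour: owners can read their own documents."""
    store = make_store()
    return {
        "owner_reads_own_doc": store.read("alice", 1) == "alice's notes",
        "second_owner_reads_own_doc": store.read("bob", 2) == "bob's notes",
    }


def abuse_cases() -> dict[str, bool]:
    """The unintended behaviour the spec rules out; every case must be refused."""
    store = make_store()
    return {
        "other_users_doc_refused": _denied(store, "alice", 2),
        "unknown_user_refused": _denied(store, "mallory", 1),
        "string_id_refused": _denied(store, "alice", "1"),
        "float_id_refused": _denied(store, "alice", 1.0),
        "negative_id_refused": _denied(store, "alice", -1),
        # Missing and foreign ids must be indistinguishable to the caller.
        "no_enumeration_oracle": _denied(store, "alice", 999)
        and _denied(store, "alice", 2),
    }


def run_all() -> dict[str, bool]:
    """Both halves of the expanded specification, keyed by case name."""
    return {**functional_cases(), **abuse_cases()}


if __name__ == "__main__":
    for name, ok in run_all().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The point of the structure is that the abuse cases are first-class tests that run on every build, not a one-off check before shipping; when a new negative requirement is discovered (by a tester with a different background, or a different technique), it is added to `abuse_cases` and stays in the suite.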