Your security testers are sad.
You brought them in under NDA, gave them a copy of the code and access to a test environment, and let them loose to do a penetration test. A week later they came back to you with a report of vulnerabilities they found. They listed each bug and how to recreate it, what the impact could be, and how likely it is to be exploited.
If you have been following along with my posts you will realise that my company SafeStack has been working with a range of fast moving and fast growing organisations in Australia and New Zealand. We help rethink the way these teams and companies approach security to try and bake this in from the start.
At the core of introducing security to an environment is change. Change is an interesting and sometimes scary thing, especially if you are meddling is someone else’s workflow or domain.
The one question that security consultants and penetration testers are asked regardless of how big or mature their clients are.
Whether it came to you as a sudden epiphany or a growing acceptance, deciding to integrate security into your application and development culture is no minor decision.
