APPL-07

Do you have software testing processes (dynamic or static) that are established and followed?

Explanation

This question is asking whether your organization has established, and actually follows, formal processes for testing software, using static methods, dynamic methods, or both.

Static testing examines code without executing it, looking for vulnerabilities, bugs and security flaws through code reviews, static analysis (SAST) tools and architectural reviews. Examples include tools such as SonarQube and Checkmarx, as well as manual code reviews.

Dynamic testing executes the code and exercises it at runtime to identify issues that are not apparent from static analysis alone, such as misconfigurations and behaviour that only shows up with real inputs and real dependencies. This includes penetration testing, vulnerability scanning (DAST) and functional testing.

This question is asked in security assessments because proper software testing is fundamental to developing secure applications. Without rigorous testing processes, vulnerabilities may go undetected until they are exploited in production environments. Established testing processes demonstrate a commitment to security throughout the development lifecycle.

To best answer this question, you should:

1. Clearly state whether you have established testing processes.
2. Describe both the static and the dynamic testing methodologies you employ.
3. Mention the specific tools used in your testing processes.
4. Explain how testing is integrated into your development lifecycle (for example, scans on every pull request and gates before deployment).
5. Note how frequently testing occurs and how findings are tracked and remediated.
6. Reference any standards or frameworks that guide your testing approach (e.g. OWASP ASVS or the OWASP Web Security Testing Guide).

Example Responses

Example Response 1

Yes, our organization has established comprehensive software testing processes that include both static and dynamic testing methodologies. For static testing, we use SonarQube and Checkmarx to analyze our codebase during development, with automated scans triggered on every pull request. Our development teams also conduct regular peer code reviews before code is merged. For dynamic testing, we employ Burp Suite for web application security testing, OWASP ZAP for automated scanning, and conduct quarterly penetration tests using both internal resources and third-party security firms. All identified issues are tracked in our vulnerability management system with remediation timelines based on severity. Testing is fully integrated into our CI/CD pipeline, with security gates that prevent deployment if critical vulnerabilities are detected. We follow OWASP ASVS as our testing standard and maintain documentation of all testing procedures that development teams must follow.
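The "security gate" in the response above is the part an assessor is most likely to probe: what concretely stops a change with a critical finding from shipping? The script below is an added example, not code from the original page and not ResponseHub's tooling. It implements such a gate against a SARIF 2.1.0 report, the OASIS interchange format most SAST tools can emit, and fails the build when any unsuppressed finding reaches a chosen severity. The severity thresholds, the function names and the embedded sample report are all assumptions made for this example.

```python
"""Added example: CI security gate over a SARIF report from a static analysis tool.

Only standard SARIF 2.1.0 fields are used:
  runs[].tool.driver.rules[].properties["security-severity"]  (0-10 score, as a string)
  runs[].results[].level                                      (fallback when no score)
  runs[].results[].suppressions                               (triaged / accepted findings)
"""
import json
import sys

# Thresholds are assumptions for this example; align them with your own policy.
CRITICAL = 9.0   # block deployment (the bar Example Response 1 describes)
HIGH = 7.0       # a stricter bar some teams apply at pull-request time

# Fallback when a tool emits only a SARIF 'level' and no numeric score.
LEVEL_SCORE = {"error": HIGH, "warning": 4.0, "note": 1.0, "none": 0.0}


def rule_severities(run):
    """Map ruleId -> numeric security severity declared in the run's rule metadata."""
    severities = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        score = rule.get("properties", {}).get("security-severity")
        if score is not None:
            severities[rule["id"]] = float(score)
    return severities


def finding_score(result, severities):
    """Prefer the rule's numeric severity; otherwise derive one from the result level."""
    score = severities.get(result.get("ruleId"))
    if score is None:
        score = LEVEL_SCORE.get(result.get("level", "warning"), 4.0)
    return score


def location(result):
    """file:line of the first location, or a placeholder if the tool gave none."""
    try:
        loc = result["locations"][0]["physicalLocation"]
        return f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
    except (KeyError, IndexError):
        return "<no location>"


def evaluate(sarif, threshold=CRITICAL):
    """Return (blocking, all_findings) for a parsed SARIF document.

    Each finding is (score, ruleId, location, message). Suppressed results
    (false positives triaged and recorded in the report) are skipped so the
    gate does not re-flag them on every run.
    """
    blocking, all_findings = [], []
    for run in sarif.get("runs", []):
        severities = rule_severities(run)
        for result in run.get("results", []):
            if result.get("suppressions"):
                continue
            entry = (finding_score(result, severities), result.get("ruleId", "?"),
                     location(result), result.get("message", {}).get("text", ""))
            all_findings.append(entry)
            if entry[0] >= threshold:
                blocking.append(entry)
    blocking.sort(reverse=True)
    return blocking, all_findings


def gate(sarif, threshold=CRITICAL):
    """Print a summary and return the process exit code: 1 blocks the pipeline."""
    blocking, findings = evaluate(sarif, threshold)
    print(f"{len(findings)} findings, {len(blocking)} at or above severity {threshold}")
    for score, rule, where, msg in blocking:
        print(f"  BLOCK {score:>4}  {rule:<18} {where}  {msg}")
    return 1 if blocking else 0


# Constructed sample report standing in for a real tool's output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "sql-injection", "properties": {"security-severity": "9.8"}},
            {"id": "hardcoded-secret", "properties": {"security-severity": "8.0"}},
            {"id": "reflected-xss", "properties": {"security-severity": "6.1"}},
        ]}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "Credential in source"},
             "suppressions": [{"kind": "external"}]},      # triaged: test fixture
            {"ruleId": "reflected-xss", "level": "warning",
             "message": {"text": "Unescaped output"}},
            {"ruleId": "unused-import", "level": "warning",
             "message": {"text": "Unused import"}},        # no security score at all
        ],
    }],
}

if __name__ == "__main__":
    # CI usage (hypothetical file name): python sast_gate.py results.sarif [threshold]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            report = json.load(f)
        limit = float(sys.argv[2]) if len(sys.argv) > 2 else CRITICAL
    else:
        report, limit = SAMPLE_SARIF, CRITICAL
    sys.exit(gate(report, limit))
```

Run on the sample, the gate blocks on the SQL injection (9.8), ignores the suppressed hard-coded credential, and lets the 6.1 XSS and the unscored warning through at the critical threshold; lowering the threshold to 6.0 also blocks the XSS. Two design points worth mirroring in a real pipeline: suppressions must come from a reviewed source (a checked-in triage file or the tool's own dismissal records), otherwise the gate can be silenced by editing the report, and results that carry no numeric score should map to a conservative default rather than being dropped.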

Example Response 2

Yes, we have established software testing processes that are integrated into our development lifecycle. Our static testing includes automated code analysis using ESLint and StyleCop with custom security rules, as well as manual code reviews that follow a security-focused checklist. These are performed on all code changes before they can be merged into our main branch. For dynamic testing, we run automated functional tests with security assertions and conduct monthly security scans using Nessus and Acunetix. Our QA team is trained in security testing techniques and incorporates security test cases into their regular testing activities. We also conduct annual penetration testing with a third-party security vendor. All testing processes are documented in our security policies, and compliance is monitored through regular audits. Testing results and remediation efforts are reviewed in our monthly security steering committee meetings.

Example Response 3

No, we currently do not have formally established software testing processes. While our developers do perform ad-hoc testing of their code and occasionally conduct peer reviews, we don't have standardized procedures or tools for either static or dynamic testing. We recognize this as a gap in our security posture and are in the process of evaluating testing tools and developing formal testing procedures. We plan to implement static code analysis tools in the next quarter and establish a relationship with a third-party penetration testing firm by the end of the year. In the interim, we are mitigating risk by leveraging secure coding training for our development team and implementing additional monitoring in our production environment to detect potential security issues.

Context

Tab: Infrastructure
Category: Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub