Creating a Web security testing policy

If you’re reading this blog, Web security testing is undoubtedly on your radar. You may have an ongoing process for testing Web vulnerabilities, but do you actually have a policy for it? I’m all about keeping things simple with security and, when you think about it, adding more documentation, more rules, and more process often creates more complexity – especially if it’s all managed incorrectly. The reality is that with today’s compliance regulations, customer and business partner demands, and information systems complexities, you really do need some formal documentation – specifically, a security policy – governing your Web security testing program.
Security policies state nothing more than “This is how we do things around here”. They help set everyone’s expectations, ensure things get done, and – most importantly – hold people accountable. Whether you have an existing Web security testing policy or you need to create a new one, it’s good to have a formal structure to the document that clearly conveys the right information. The following security policy template can do just that:

Introduction: An overview of what the policy covers such as vulnerability testing for all Web-based production systems.
Purpose: The high-level goals of the policy such as ensuring application vulnerabilities are analyzed on a periodic and consistent basis in order to minimize (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.