How often should you test your web applications?

Periodic and consistent security checks – that’s the recipe for effective Web security, right? We hear this “best practice” recommendation all the time. It’s true, but what exactly does it mean? How often do you really need to test your websites and web applications? Do you go by what the PCI Security Standards Council recommends? Probably not. Perhaps your internal auditor or compliance manager knows best? Possibly. Maybe you should buy into the sky-is-falling scare tactics that some people in our field like to spread around and do nothing but Web security testing 24/7. Not a chance.

The reality is that every environment is different and every business has a unique set of needs. No one knows what these are better than you. You presumably know the level of risk your business is willing to tolerate. You know what management is expecting (or at least should be expecting). You understand the complexity of your environment. You understand which systems are critical and which ones may not matter quite as much. You’re familiar with where PII is located. You know exactly what’s accessible from the LAN and the Internet. You understand what level of resources you have at your disposal and, therefore, how much time and focus you can give to Web security testing.
Taking all of this into (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.