There’s another, widely used, approach to using external people to improve your software security. It’s called ‘Penetration Testing’.
An external ‘white hat’ security team simulates what an attacker would do to attempt to gain access or disable the service. The white hats then feed back any ‘successful’ exploits they have found to the development and operations teams.
[Ensuring software security] tends to get handed off, in most companies I've worked with, to a white-hat hacking team. [They] don't do it a code level. (Developer, Security-oriented phone manufacturer)
Would Penetration Testing make sense for you? On the one hand, it requires specialist skills, which are in short supply: if is internal to the organisation, it requires expensive staff; if external, the cost is significant.
[The problem about recruiting a pen tester is that that knowledge is really quite rare, and the attitude … is also quite rare] And finding them together is difficult. The people who do have both of those things are always in high demand. Most of them are contractors, because they can make a lot more money that way, and why wouldn’t you be. (CEO, outsourced secure web developer)
On the other hand, Penetration Testing can find a range of possible security problems, including various types of misconfiguration, and vulnerability to injection attacks.
Penetration Testing cannot prove that a system is secure; merely that it lacks some common security faults. Some experts, therefore, prefer not to use it at all:
I don’t believe in [penetration] test teams, because I believe that takes away responsibility from people to do the right thing. (Security expert, Security and military supplier)
The decision whether to use Penetration Testing, as with other security decisions, is a business decision. It requires the approach discussed in our section on Security Negotiation.
A variation, requiring even more skill from the practitioners, is ‘Red Teaming’. A Red Team may use more sophisticated tactics, such as social engineering (persuading an employee to do something that assists them) or physical access to the systems involved, to achieve their goal of ‘breaking’ the system. Currently, unfortunately, setting up or employing a red team is impractical for most development groups.