Security is becoming an all-important feature of every enterprise solution, and IT companies are looking for ways to scale up without losing focus. The question is, are you better off outsourcing security testing or doing it on your own? It turns out the decision is not that easy, and requires an understanding of the contemporary testing techniques such as code scanning.
Types of security testing
Security testing, with respect to how code is scanned, can be broadly classified into static testing and dynamic testing. Static testing is what companies do in-house, especially if they developed the product themselves; part of the reason is that businesses are not usually comfortable with releasing their source code to third parties. By contrast, dynamic testing is done by a vendor and works by scanning only the executables.
Choosing an approach
Note that static testing is far more thorough, since it involves a detailed analysis of the development language and scans for many possible security loopholes and pitfalls. It also takes more time and is expensive, and that higher cost will creep into the final price of the product. On the other hand, dynamic testing is good enough for most applications because it targets the most common causes of security breaches. Also, a vendor is likely to have broader experience, and that insight can be crucial in fixing some of the more elusive security issues.
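To make the static-versus-dynamic distinction concrete, here is an added example (not code from the original post) of what a minimal static scan looks like: it parses the source of the development language into an AST and flags patterns such as a hard-coded secret that a black-box dynamic scan of the executable would never observe. The rule names, the sample source and the variable names are constructed for illustration.

```python
"""Minimal static scanner: walks the Python AST of a source file and flags
patterns that are visible in source but not necessarily at run time."""
import ast

DANGEROUS_CALLS = {"eval", "exec"}          # dynamic code execution
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


def scan_source(source: str, filename: str = "<constructed>"):
    """Return a sorted list of (line, rule, detail) findings for one file."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        # Rule 1: direct eval()/exec() call, whatever its argument.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DANGEROUS_CALLS):
            findings.append((node.lineno, "dynamic-code-exec", node.func.id))
        # Rule 2: any call passing shell=True (command injection risk).
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "shell-true",
                                     ast.unparse(node.func)))
        # Rule 3: non-empty string literal assigned to a secret-looking name.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and node.value.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES):
                    findings.append((node.lineno, "hardcoded-secret", target.id))
    return sorted(findings)


# Constructed sample input: a few lines of deliberately weak Python.
SAMPLE = '''\
import subprocess
DB_PASSWORD = "hunter2"
def run(cmd):
    subprocess.call(cmd, shell=True)
def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for line, rule, detail in scan_source(SAMPLE):
        print(f"line {line}: {rule} ({detail})")
```

A real static analyser adds data-flow tracking and hundreds of rules, but the shape is the same: it needs the source and language knowledge, which is exactly what an organisation hands over when it outsources static testing.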
The on-demand advantages of outsourced security testing can’t be ignored. It’s now possible to use testing tools only as you need them, without having to put together a large testing team.