The vast majority of the firms observed in the BSIMM study use external penetration testers to find problems in their software. Penetration testers could be brought in to break a high-profile application in order to demonstrate that the organization's code needs help, the study participants said. External tests validate software quality before it is put into production.
An internal memo obtained by the Washington Post found that some security tests were not conducted because development was still ongoing. A thorough pen test would check whether a Web application can identify an automated attack against its contact forms. A test can also verify that information stored in cookies is not kept in a readable form, and it can help identify and prioritize vulnerabilities based on the risk they pose to the underlying data and the potential for exploitation by an attacker.
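As an added illustration of the cookie check described above (example code written for this page, not from the BSIMM study or any application it covers), the following script inspects the cookies an application sets and flags those whose value is readable either as plaintext or as base64-wrapped plaintext; the cookie names and values are constructed samples, and the assumption is that an opaque, random token is acceptable while structured or identifying data is not.

```python
import base64
import json
import re

# Heuristics for "readable" cookie values: base64 text that decodes to
# printable UTF-8, an e-mail address, or URL-style key=value pairs.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
KEYVALUE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=[^&]+(&[A-Za-z_][A-Za-z0-9_]*=[^&]+)*$")


def _decode_base64(value):
    """Return the value decoded as base64 text, or None if it is not base64/UTF-8."""
    if not BASE64_RE.match(value):
        return None
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def is_readable(value):
    """True when a cookie value exposes its contents to anyone who holds the cookie."""
    candidates = [value]
    decoded = _decode_base64(value)
    if decoded is not None and decoded.isprintable():
        candidates.append(decoded)
    for text in candidates:
        try:
            if isinstance(json.loads(text), (dict, list)):
                return True  # a structured JSON document is readable as-is
        except ValueError:
            pass
        if EMAIL_RE.search(text) or KEYVALUE_RE.match(text):
            return True  # plaintext identifier or key=value pairs
    return False


def find_readable_cookies(cookies):
    """Given {name: value} as the application sets them, return the readable cookie names."""
    return sorted(name for name, value in cookies.items() if is_readable(value))


# Constructed sample cookies (hypothetical; not taken from any real application).
SAMPLE_COOKIES = {
    "session": "3f9a1c7e-5b2d-4e8f-9a0c-1d2e3f4a5b6c",  # opaque token: acceptable
    "remember": "alice@example.com",  # plaintext e-mail address
    "profile": base64.b64encode(json.dumps({"user": "alice", "admin": True}).encode()).decode(),
    "prefs": "theme=dark&lang=en",  # readable key=value pairs
}

if __name__ == "__main__":
    for name in find_readable_cookies(SAMPLE_COOKIES):
        print(f"cookie {name!r} stores data in a readable form")
```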