How to convince manager of need for additional security testing before release

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
0
down vote

favorite












I work in the InfoSec profession as an IT auditor. One of my duties at work is testing and verifying that necessary security controls are in place before builds and application updates are promoted to production environment. Our team in conjunction with QA function signs off on documentation indicating successful completion of testing. I am the team lead of my team.



One of our PCI scoped applications will be upgraded in production soon, and updates to be deployed are being tested. This application directly interfaces with credit card information of customers in addition to other sensitive customer data. Automated security testing have been completed already and results are OK. I wrote additional test cases today, intending to perform manual security testing later this week to supplement the results of automated scanning tools, given the data sensitivity. However my manager told me that he does not feel additional testing is necessary due to coverage and the business need to deploy to PROD timely. I anticipate execution of manual test cases to take at most 2 - 3 days.



Automated testing (e.g: Metasploit, Nessus etc.) excels in detecting commonly known vulnerabilities such as SQL injection, but are often insufficient to detect more complex issues or flaws in business logic of application. Without additional manual testing, at least of what I feel would be high-impact vulnerabilities, I am not comfortable in signing off on security controls testing results.




How do I make a business case to convince my manager of additional testing?










share



























    up vote
    0
    down vote

    favorite












    I work in the InfoSec profession as an IT auditor. One of my duties at work is testing and verifying that necessary security controls are in place before builds and application updates are promoted to production environment. Our team in conjunction with QA function signs off on documentation indicating successful completion of testing. I am the team lead of my team.



    One of our PCI scoped applications will be upgraded in production soon, and updates to be deployed are being tested. This application directly interfaces with credit card information of customers in addition to other sensitive customer data. Automated security testing have been completed already and results are OK. I wrote additional test cases today, intending to perform manual security testing later this week to supplement the results of automated scanning tools, given the data sensitivity. However my manager told me that he does not feel additional testing is necessary due to coverage and the business need to deploy to PROD timely. I anticipate execution of manual test cases to take at most 2 - 3 days.



    Automated testing (e.g: Metasploit, Nessus etc.) excels in detecting commonly known vulnerabilities such as SQL injection, but are often insufficient to detect more complex issues or flaws in business logic of application. Without additional manual testing, at least of what I feel would be high-impact vulnerabilities, I am not comfortable in signing off on security controls testing results.




    How do I make a business case to convince my manager of additional testing?










    share























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I work in the InfoSec profession as an IT auditor. One of my duties at work is testing and verifying that necessary security controls are in place before builds and application updates are promoted to production environment. Our team in conjunction with QA function signs off on documentation indicating successful completion of testing. I am the team lead of my team.



      One of our PCI scoped applications will be upgraded in production soon, and updates to be deployed are being tested. This application directly interfaces with credit card information of customers in addition to other sensitive customer data. Automated security testing have been completed already and results are OK. I wrote additional test cases today, intending to perform manual security testing later this week to supplement the results of automated scanning tools, given the data sensitivity. However my manager told me that he does not feel additional testing is necessary due to coverage and the business need to deploy to PROD timely. I anticipate execution of manual test cases to take at most 2 - 3 days.



      Automated testing (e.g: Metasploit, Nessus etc.) excels in detecting commonly known vulnerabilities such as SQL injection, but are often insufficient to detect more complex issues or flaws in business logic of application. Without additional manual testing, at least of what I feel would be high-impact vulnerabilities, I am not comfortable in signing off on security controls testing results.




      How do I make a business case to convince my manager of additional testing?










      share













      I work in the InfoSec profession as an IT auditor. One of my duties at work is testing and verifying that necessary security controls are in place before builds and application updates are promoted to production environment. Our team in conjunction with QA function signs off on documentation indicating successful completion of testing. I am the team lead of my team.



      One of our PCI scoped applications will be upgraded in production soon, and updates to be deployed are being tested. This application directly interfaces with credit card information of customers in addition to other sensitive customer data. Automated security testing have been completed already and results are OK. I wrote additional test cases today, intending to perform manual security testing later this week to supplement the results of automated scanning tools, given the data sensitivity. However my manager told me that he does not feel additional testing is necessary due to coverage and the business need to deploy to PROD timely. I anticipate execution of manual test cases to take at most 2 - 3 days.



      Automated testing (e.g: Metasploit, Nessus etc.) excels in detecting commonly known vulnerabilities such as SQL injection, but are often insufficient to detect more complex issues or flaws in business logic of application. Without additional manual testing, at least of what I feel would be high-impact vulnerabilities, I am not comfortable in signing off on security controls testing results.




      How do I make a business case to convince my manager of additional testing?








      manager security





      share












      share










      share



      share










      asked 9 mins ago









      Anthony

      5,4201456




      5,4201456

























          active

          oldest

          votes











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "423"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f120490%2fhow-to-convince-manager-of-need-for-additional-security-testing-before-release%23new-answer', 'question_page');

          );

          Post as a guest



































          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f120490%2fhow-to-convince-manager-of-need-for-additional-security-testing-before-release%23new-answer', 'question_page');

          );

          Post as a guest













































































          Comments

          Popular posts from this blog

          What does second last employer means? [closed]

          Installing NextGIS Connect into QGIS 3?

          One-line joke