How to convince manager of need for additional security testing before release
I work in the InfoSec profession as an IT auditor. One of my duties at work is testing and verifying that the necessary security controls are in place before builds and application updates are promoted to the production environment. Our team, in conjunction with the QA function, signs off on documentation indicating successful completion of testing. I am the team lead of my team.
One of our PCI-scoped applications will be upgraded in production soon, and the updates to be deployed are being tested. This application directly interfaces with customers' credit card information in addition to other sensitive customer data. Automated security testing has already been completed and the results are OK. I wrote additional test cases today, intending to perform manual security testing later this week to supplement the results of the automated scanning tools, given the data sensitivity. However, my manager told me that he does not feel additional testing is necessary due to coverage and the business need to deploy to PROD in a timely manner. I anticipate execution of the manual test cases to take at most 2 - 3 days.
Automated testing (e.g. Metasploit, Nessus, etc.) excels at detecting commonly known vulnerabilities such as SQL injection, but is often insufficient to detect more complex issues or flaws in the application's business logic. Without additional manual testing, at least of what I feel would be high-impact vulnerabilities, I am not comfortable signing off on the security controls testing results.
How do I make a business case to convince my manager of the need for additional testing?
manager security
asked 9 mins ago
Anthony
5,4201456