Do we need a security officer to safeguard security of an application?
Currently I am thinking about how we can improve the focus of security testing and integrate it into our development cycle.
Now I am wondering, do we need a CSO or Security Officer role? Or is it acceptable to place this responsibility with the QA role, where he/she safeguards that security measures are executed regularly?
- Are there documented standards on applying security testing that define a security role?
- When is a security officer mandatory?
- Should there be a difference between during and after development security responsibilities?
Not really, at least not in this case, but it is also not a good thing to place this responsibility on the QA team or on another member of the team, especially if that someone does not have security training or does not have the right technical skills and level.
What you need is a skilled penetration tester.
If you wish to improve the security of your application, some of the options are:
1. pay some 3rd party company that does penetration testing
2. train someone from the company who is interested and already has an understanding of security implications and also technical skills
If you choose the first option, then you should investigate what to keep in mind when you choose the right people, because there is also a chance that you might get some poor reports.
If you are choosing the second option, which is a long-term investment, you might have to take a risk at the beginning, since the experience is missing. For the second option you can search for posts here and also on security.stackexchange.
My opinion is that you can think about hiring a CSO when you plan to open a security department to handle all the company's security, and choose the second option if you plan to have your own security team.
Related to the penetration testing approach, you should research penetration testing methodologies and approaches to find out more about the steps to follow in the first phases of the design, during the development of the application, and after the application is in its final stage, before it is released live.