In a NetworkWorld article, Steven Hutchison, test and evaluation executive for the Defense Information Systems Agency (DISA), which runs one of the world’s largest testing operations, says that his biggest piece of advice for corporate CIOs is to get security testing experts involved at the earliest possible stage of software development.
“We try to get the security tests involved right from the beginning,” Hutchison said. “We’re running the tests and finding and fixing problems very early on so we have a high degree of confidence when we can get the systems fielded.”
DISA uses internal hackers, which it calls “red teams,” to continue security testing once systems are operational. Red teams try to penetrate systems and take action, such as stealing data. Hutchison says using internal hackers is something he would “absolutely” recommend to CIOs so they can find and fix their own vulnerabilities.