Introducing The Yellow Team, known as the builders of systems and solutions, is the collection of individuals who are responsible for the design and build of information systems and solutions, created to meet an organisation’s requirements.
Typically, The Yellow Team are made up of;
- application developers
- software engineers
- testing teams
If we look at the function of The Yellow Team, the architects and software engineers design a solution to meet the business requirement. The application development team write the code according to the requirements and the testing team check it does the job according to the specifications Due to the rapid speed of business change, resources, and budget constraints, application releases are normally under tight time restrictions which can lead to corners being cut. Security testing is often seen as a blocker or a timely event. Thus, security is often overlooked, or only visited annually with an annual penetration test.
The above are not the sole reasons for weakness in an application’s security. Internal issues such as ineffective secure coding frameworks and policies, lack of investment in developmental training and poorly managed or unrealistic production testing environments are just a few internal factors. Often it is the builders who are blamed for a poor or vulnerable application.
If we are to improve application security, we must act. We cannot affect business change requirements or increase resources, but we can look for new and innovative ways of working.
- Education: Regularly run secure coding workshops or coding challenges.
- Convert to infrastructure as code: Automating refreshing of the testing environment to mirror production systems for each release.
- Automate security testing: This can be done with various SAST, IAST and DAST integrated into CI/CD pipelines.
- Bug Bounty: Sign up with a bug bounty program, to help identify vulnerabilities before they are exploited.
To read our other InfoSec articles please follow the link below:
Contact us to find out how we can assist you in the development and build of your teams’ skills, and in the testing of your cybersecurity capability.