Indeed, what about HP QAInspect? I am amazed this product has not taken the Quality Center installation market by storm, or at least as much of that market as QTP has. QAInspect finds most of the same things WebInspect does, has the same report options and most of the same tools, can schedule or run tests from remote QAInspect-enabled hosts, offers a better and richer real-time scan UI than previous QAInspect releases, and can control or throttle the findings prior to delivery into QC. What's not to love?
Let's look at the QAInspect line. This product was created in 2003/2004 by SPI Dynamics. Their customers came to them because security teams had acquired the shiny new WebInspect scanner, and suddenly all their projects were being held up prior to release due to unforeseen security defects found during pre-production security scans. So the customers wanted something to find these defects themselves, earlier, where they could be fixed more cheaply and without the security team acting so superior. But they had two caveats. One, they did not want to become security experts or ethical hackers themselves. Two, they did not want to be forced to learn and integrate yet another tool. With Mercury's Test Director owning the testing market, SPI Dynamics naturally built "QAInspect for Test Director". They even built a "QAInspect for IBM ClearQuest", but that market was substantially smaller and that product eventually reached end of life (EOL). In 2007 HP Software acquired Mercury, and then SPI Dynamics, and this same tool became known as "HP QAInspect for HP Quality Center", although it works for either Quality Center (QC) or the new HP Application Lifecycle Management (ALM) product.
Yet when was the last time anyone saw a demonstration of Quality Center or ALM in which the presentation even discussed or included security testing? They currently show many other plug-ins that fit the QA auditing mindset (and HP has a lot of great ones in the stable), but security testing still seems to be held at arm's length. It seems that the QA audience is still reluctant to look into security testing, even to this date, and the vendors are not leading them there much either.
The fact is, security testing needs to be done by many more teams than the security office. Who better to know the application under test than the QA group? Who has more manpower and equipment at their disposal? Who already performs, or attempts to perform, 100% functional code coverage with automated testing? So if that same (overworked) team can be augmented with a solution that works inside their current environment and processes, and that allows them to fulfill their mandate to produce good software, why has it not been snapped up? By finding defects earlier with an automated scanner, they should see savings in rework time, as well as an improvement to departmental reputations. By testing all of the application for the simpler things, the security team will be able to focus on the tougher application logic issues and serve in an advisory role to the QA group performing security testing.
I will follow this posting up with some entries specifically on working with QAInspect and HP ALM, the latest "version" of Quality Center.
~~ Habeas Data