Code testing is something that should have been taken care of by a lot of companies a long time ago, before their first software releases. Unfortunately that is not the case.

One thing that I have learned over the years is that if you do the software development in-house, you should hire a small group of excellent programmers instead of a large group of not-so-experienced people. This will save you time and money even if it costs a little bit more in the beginning. Good programmers are able to do the code testing for their own software modules at the same time as they program them. They also exchange modules to do cross testing, which again decreases the possible flaws in the code. I have seen it happen in the companies where I have worked previously.

If you outsource your code development, then you had better be sure about the quality of the software testing done on the programming side. I would use a third-party company to do the testing instead of the company that has written the code, just to make sure that there are no holes or flaws in the code.

I am not even going to touch the case of API testing, as it is a whole new world when implementing new code into an existing system which is not even yours...

And now the article:

By Vivian Yeo, ZDNet Asia
12/05/2008
URL: http://www.zdnetasia.com/news/security/0,39044215,62041217,00.htm

Businesses in Asia are increasingly taking steps to ensure that software code developed by third parties is as secure as can be.

Foo Meng Yiah, chief of business management office at NCS Group, told ZDNet Asia that the company has seen a rise in the number of requests from customers in Asia to perform mandatory code testing as well as build security features into the code.

Mandatory code testing, said NCS, is one way to verify if security policy requirements have been implemented in the code.

In addition, customers are also asking for their in-house IT security or audit teams to be involved in application development projects, Foo said in an e-mail. This helps to ensure compliance of the customer's security needs.

"Over the last few years, security concerns have been one of the areas raised in software development in Asia," noted Foo. "Customers, aware of the importance of application security, are seeking more information on security issues and how to build security in the source code during the development stage."

Foo said that for software development projects, NCS has a team of specialists who test code using tools such as a static source code analyzer.

"This team will scan the codes and a report will be sent to the project team to fix any security violations flagged," she said. "Any security violations will be resolved and the source codes passed to the test team to be analyzed again."

Over at Parkway Group Healthcare, Kenneth Thean, group vice president for IT and CIO, said the organization has a set of standard guidelines for application security and design that vendors need to adhere to.

Parkway is in the midst of rolling out its Enterprise Wide Hospital Information System integrated with Oracle E-Business Suite applications, which is undertaken by Tata Consultancy Services.

"We did not focus on malicious ware or backdoors being embedded within the application code itself, [mainly because] our applications are within the organization's internal network and there are stringent policies and audit measures in place to prevent any abuse by staff," said Thean, who is also the chief medical information officer of Parkway. "We also carry out regular internal and external audits to identify any flaws in the organization's system--including application environment and policies--and network security and quickly rectify them as and when they are found.

"Moving forward, Parkway does recognize that, as we expand our systems across the regions, a re-look at our existing policy [is necessary]," he added.

Upon completion of the project next year, Parkway will have full access to the source code, paving the way for in-house review and testing. But Thean pointed out that given the complexity and labor required for the task, the group will explore using tools to automate the processes.

Another issue to consider is the objectivity of security testing, said Thean. Testing done in-house or by the vendor engaged to deliver the applications may not be the best option; instead an independent third party audit should be commissioned.

Elsewhere, however, not all companies pay as much attention to application security testing. Referring to the findings of a study of 250 C-level executives in the United States, United Kingdom and Germany, application security testing company Veracode said last month that 60 percent of companies that outsource the development of critical applications do not demand that security be built into their applications.

The report, released by U.K.-based business and IT analyst Quocirca, also noted that 90 percent of organizations outsource over 40 percent of their code.