This topic has come up a few times this year in question period: arguments that quality bugs and security bugs « have equal value, » that security testing and QA are « the same thing, » that security testing should « just be performed by QA » and that « there’s no specific skillset » required to do security testing versus QA. This article will explain why I fundamentally disagree with all of those statements.
First, some definitions.