I can understand why to a point. But in a North American (NA) context where quality is a low priority (based on my experience) this approach is a failure.
Here is why I believe this:
- In a NA context, there is little expectation of a quality group, and they are often ignored. They have no seat at the table.
- Most security issues can be resolved and avoided during architecture. Unfortunately, NA development does not engage (and in one of my experiences even purposely avoids) a quality-based security group at this time, so architectural mistakes are made and technical debt is incurred.
- Threat models are inconsistent. Because of the low respect given to quality groups in a North American context, development groups do not respect any group in a quality organization. Therefore, they will not engage with, and will ignore, competent penetration testers in a group within a quality organization.
Fundamentally, there is a lack of respect from development management and development members towards quality group members. I know; I have been in both. The difference in a NA context is that management has low expectations for quality groups and often puts underperforming members there. Development as a whole then has lower expectations of, and less respect for, these organizations.
If you then have a group of well-trained hackers in a quality group whose expertise crosses these two divides, there is a problem. Your development organization will not respect or even listen to them, and your product security as a whole suffers.
The band-aid solution is to move the red team group into the development management sphere, but this avoids the elephant in the room, namely the problem of how quality groups are managed and the expectations afforded them.
Throughout my career I have extended respect to all colleagues regardless of their position in the organizational structure: Development, Quality, and Support.
However, based on the unprofessional behavior of developers towards colleagues in Quality, I now have less respect for development teams.
It is development who have the problem. And they are the ones that must fix it.