You see, when we talk about the security assurance in software, I view the whole process in my head end to end. And the process runs roughly like this:
- The designer has an idea in his head
- The software design is a translation of that into a document
- Development translates the design into the code
- The code is delivered
- Software is installed, configured and run
Security, in my view, is the process of making sure that whatever the designer was thinking about in his head ends up actually running at the customer site. The software must run exactly the way the designer imagined, that is the task.
Now, the software has to run correctly both under the normal circumstances and under really weird conditions, i.e. under attack. So the Quality Assurance takes the part of verifying that it runs correctly under normal circumstances while Security Assurance takes care of the whole picture.
Thus Quality Assurance becomes an integral part of Security Assurance.