« Adobe Client Site Plugin Allows Universal XSS | Main | Web Application Security Professionals Survey (January) »

Writing Software Security Test Cases: Putting security test cases into your test plan

Besides CGISecurity.com I'm involved with my other project QASec.com a new website aimed at teaching security throughout the development cycle with a heavy focus on security testing

I've just written an article explaining how Quality Assurance Engineers can include security testing into their test plans.

"Part of software testing involves replicating customer use cases against a given application. These use cases are documented in a test plan during the quality assurance phase in the development cycle to act as a checklist ensuring common use cases aren't missed during the testing phase. People within the quality assurance community are starting to understand that checking an application for security issues (defects) isn't just the responsibility of the security department (if one exists), or the software architects. While typical QA Engineers don't understand the scope or inner working of specific software vulnerabilities, they do go about testing an application in a similar fashion to how the penetration testing community does. Unlike typical penetration testing the QA has access to internal documents and insider information giving them advantages to aide in the testing of an application. In addition to documenting customer use cases it's important to begin the process of documenting what an attacker may attempt against your application as well and incorporating these attacker 'use cases' into a security section of your standard test plan."

Article Link: http://www.qasec.com/cycle/securitytestcases.shtml


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!