A Security Practices Evaluation Framework

Perform Penetration Testing

Arrange for security-focused testing of the project’s software in its production environment, in which testers attempt to find and exploit weaknesses as an attacker would. Engage testers from outside the software’s project team.

Description

Most testing is done on software before it is released. Penetration testing instead targets software as deployed in its production environment, where testers attempt to find and exploit weaknesses in the running system and its configuration. Arrange for security-focused testing of the project’s software in its production environment. To the degree possible, engage testers from outside the software’s project team, and from outside the software project’s organization, since they bring an attacker’s perspective and do not share the team’s assumptions about the system. Because the target is production, agree on scope and rules of engagement in advance so that testing does not disrupt service or expose real user data.

Practice Implementation Questions

  1. Does the project do its own penetration testing, using the same tools that penetration testers and attackers use?
  2. Does the project work with penetration testers external to the project?
  3. Does the project provide the external penetration testers with all relevant project data (for example source code, design documents, and configuration), rather than limiting them to black-box access?
  4. Is penetration testing performed before each release of the software?
  5. Are vulnerabilities found during penetration tests logged as defects, so they are tracked and fixed like any other bug?
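As an added illustration of questions 1 and 5 (this is example code written for this page, not part of the framework or of the OWASP guide), the block below runs a few read-only checks of the kind a project can run itself against its own deployment and records every hit as a defect-style record. The checks are deliberately non-destructive because the target is production. The names Finding, run_checks, to_defect and demo, the header list, and the ticket layout are assumptions; the vulnerable target server is constructed inline so the example runs offline.

```python
"""Added example: read-only penetration-test style checks whose results are
recorded as defect records. Not the framework's or OWASP's code; the
target server, check list and ticket format are constructed for this page."""
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer

# Response headers a tester looks for first; each missing one is a finding.
# Severities are assumptions for this example, not a standard rating.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "high",
    "Content-Security-Policy": "medium",
    "X-Content-Type-Options": "low",
    "X-Frame-Options": "low",
}


@dataclass
class Finding:
    title: str
    severity: str
    evidence: str
    url: str


class ConstructedTarget(BaseHTTPRequestHandler):
    """Constructed sample application: leaks a version banner, sets no
    security headers, and returns a stack trace from /debug."""
    server_version = "ExampleApp/1.2.3"  # ends up in the Server header

    def do_GET(self):
        if self.path == "/debug":
            body = b"Traceback (most recent call last):\n  File app.py, line 7\n"
            self.send_response(500)
        else:
            body = b"<html>hello</html>"
            self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(url):
    """GET url; return (status, headers, body) even for error responses."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode(errors="replace")


def run_checks(base_url):
    """Non-destructive checks (no writes, no payloads) against a deployment.
    Every hit becomes a Finding so it can be filed rather than lost."""
    findings = []
    root = base_url + "/"
    status, headers, _ = fetch(root)
    for name, severity in EXPECTED_HEADERS.items():
        if headers.get(name) is None:  # HTTPMessage lookup is case-insensitive
            findings.append(Finding(f"Missing {name} header", severity,
                                    f"HTTP {status}, header absent", root))
    server = headers.get("Server", "")
    if any(ch.isdigit() for ch in server):  # a digit usually means a version
        findings.append(Finding("Server header discloses version", "low",
                                server, root))
    debug = base_url + "/debug"
    status, headers, body = fetch(debug)
    if status >= 500 and "Traceback" in body:
        findings.append(Finding("Stack trace returned to client", "medium",
                                body.splitlines()[0], debug))
    return findings


def to_defect(finding):
    """Ticket-shaped record for a defect tracker (field names are assumed)."""
    return {
        "summary": f"[pentest] {finding.title}",
        "priority": finding.severity,
        "description": f"{finding.url}\n{finding.evidence}",
        "labels": ["security", "penetration-test"],
    }


def demo():
    """Start the constructed target on a free local port, run the checks,
    stop the server, and return the findings."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_checks(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for f in demo():
        print(to_defect(f))
```

Against the constructed target the run produces six findings: four missing headers, the version banner, and the stack trace. Running the same checks against a real deployment needs the authorization and scope agreed for the engagement; the point of the record format is that each finding lands in the defect tracker with the evidence attached.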

Keywords

penetration

References

OWASP Web Application Penetration Testing