A Security Practices Evaluation Framework
Perform Security Testing
Consider security requirements, threat models, and all other available security-related information and tooling when designing and executing the software’s test plan.
Description
Security testing exercises the system from an attacker's point of view, not only against its functional specification. Consider security requirements, threat model(s), and all other available security-related information and tooling when developing tests, so that each identified threat and each security requirement has at least one test that would detect its violation. Where possible, automate test suites so they run on every change, and include security-focused tools (for example fuzzers and static or dynamic analyzers) alongside functional tests.
Practice Implementation Questions
- Is the project threat model used when creating the test plan?
- Are the project’s security requirements used when creating the test plan?
- Are features of the technical stack used by the software considered when creating the test plan?
- Are appropriate fuzzing tools applied to components accepting untrusted data as part of the test plan?
- Are regression tests created for vulnerabilities identified in the software, so that a fix cannot be silently undone?
- Are the project’s technical stack rules checked by the test plan?
- Is the test plan automated where possible?
- Are violations of the project’s technical stack rules treated as test failures during testing, rather than as warnings that can be ignored?
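As an added illustration of the questions above (example code, not part of the original framework text), the following Python shows what a small security-focused test plan fragment looks like in practice. The component under test, `safe_join()`, the base directory `/srv/app/uploads`, and the earlier prefix-match defect it regression-tests are all constructed for this example. It shows three of the practice's elements side by side: test cases derived from a threat model item (path traversal), a regression case for a previously fixed defect, and a seeded fuzz harness that checks the invariant the threat model demands rather than a fixed list of inputs.

```python
"""Security tests derived from a threat model: an added, self-contained example.

safe_join() is a constructed stand-in for a component that accepts untrusted
input: it resolves a user-supplied relative path inside a fixed base directory.
The threat-model item under test is path traversal: no input may yield a path
outside BASE. Nothing here touches the filesystem.
"""
import posixpath
import random
from typing import Optional

BASE = "/srv/app/uploads"  # constructed base directory for the example


def safe_join(base: str, user_path: str) -> Optional[str]:
    """Return base/user_path normalised, or None if it would escape base."""
    if "\x00" in user_path:            # NUL would truncate the path in C APIs
        return None
    if user_path.startswith("/"):      # an absolute path would replace base
        return None
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # Prefix check includes the separator: a bare startswith(base) would
    # accept "/srv/app/uploads_secret/x" (the constructed earlier defect).
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


# Cases derived from the threat model: boundary values and edge cases first,
# then the attacks the model enumerates. Each entry is (input, expected).
THREAT_MODEL_CASES = [
    ("report.pdf", BASE + "/report.pdf"),    # normal case
    ("", BASE),                              # empty input: boundary value
    (".", BASE),                             # current directory
    ("a/b/../c.txt", BASE + "/a/c.txt"),     # traversal that stays inside
    ("...", BASE + "/..."),                  # literal "..." is a valid name
    ("..", None),                            # bare parent reference
    ("../etc/passwd", None),                 # classic traversal
    ("a/../../../etc/passwd", None),         # traversal after a descent
    ("/etc/passwd", None),                   # absolute path replaces base
    ("ok.txt\x00.jpg", None),                # NUL-byte truncation
    # Regression test for the constructed earlier prefix-match defect:
    ("../uploads_secret/x", None),
]


def run_threat_model_cases():
    """Return the list of (input, expected, actual) triples that failed."""
    failures = []
    for user_path, expected in THREAT_MODEL_CASES:
        actual = safe_join(BASE, user_path)
        if actual != expected:
            failures.append((user_path, expected, actual))
    return failures


def fuzz_invariant(iterations: int = 2000, seed: int = 1) -> int:
    """Seeded random fuzzing of safe_join(): every accepted result must lie
    inside BASE and contain no unresolved '..' or NUL. Returns the number of
    invariant violations (0 means the fuzz run passed). A fixed seed keeps
    the run reproducible when it is part of an automated test suite."""
    rng = random.Random(seed)
    pieces = ["a", "b", "..", ".", "", "etc", "passwd", "\x00", "uploads_x", "/"]
    violations = 0
    for _ in range(iterations):
        user_path = "/".join(rng.choice(pieces) for _ in range(rng.randint(0, 6)))
        result = safe_join(BASE, user_path)
        if result is None:
            continue  # rejected input: the invariant holds trivially
        inside = result == BASE or result.startswith(BASE + "/")
        if not inside or ".." in result.split("/") or "\x00" in result:
            violations += 1
    return violations


if __name__ == "__main__":
    print("threat-model case failures:", run_threat_model_cases())
    print("fuzz invariant violations:", fuzz_invariant())
```

Both functions return their findings rather than printing them, so the same code runs unchanged under a CI test runner; the fuzz harness is deliberately tiny, and in a real test plan it would be replaced by a coverage-guided fuzzer (as BSIMM ST3.2 recommends) running the same invariant check against the real component.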
Keywords
boundary value, boundary condition, edge case, entry point, input validation, interface, output validation, replay testing, security tests, test, tests, test plan, test suite, validate input, validation testing, regression test
Links
OWASP: Identify, implement, and perform security tests; BSIMM ST3.2: Perform fuzz testing customized to application APIs