Task: Refine Security Policy

This task describes the main steps that you need to perform when you develop a test policy with a focus on security.
|
Purpose
To specify the types of security tests to perform.
Main Description
In this context, a Test Policy describes the types of tests to perform to test a Web application for security vulnerabilities. The types of tests included in a test policy depend on the vulnerability assessment objectives and on the role of the person performing the assessment.

For example, a Security Lead may decide to focus on addressing some key, high-severity issues first. She will then include in the test policy only tests for those types of issues. The user performing a vulnerability assessment has to be able to act on the results (that is, he has to have the necessary skill set to address the discovered security issues). A test policy for a security auditor should be comprehensive and include both infrastructure and application tests. A test policy for developers should include only some key application tests that are easy for developers to understand and address (for instance, SQL Injection and Cross-Site Scripting).
Steps

Determine the Main Types of Security Issues
Based on the application characteristics, industry standards and data, and your previous experience, define the main types of security issues that need to be tested.

Identify the Users of the Test Policy
Categorize the potential users of the test policy, based on their security skills, application knowledge, testing experience, familiarity with different tools and methodologies, and so on.

Select Types of Security Tests to Include
Select the types of security tests based on the user types, potential security issues, and the timing of the test execution within the overall development lifecycle.

Publish the Security Test Policy
Review the changes to the Security Test Policy, and make it available to the target audience.
© Copyright IBM Corp. 1987, 2008. All Rights Reserved.