Work Product (Artifact): Security Test Policy
A security test policy describes the processes and the types of security tests that each of the teams involved in Web application security testing should perform.
Purpose
To provide a way to capture the aspects of security testing that are common to all of the applications tested within an organization: the types of security tests, who should perform them, at what level, and when.
Relationships
Main Description

The policy should include the following information, organized by role (Security Auditor, Tester, Developer):

  • Test environment
  • Test approach, techniques, processes
  • Automated tests to perform
    • Application
    • Infrastructure
    • Noninvasive
    • Invasive
    • Custom
  • Manual tests to perform
  • Vulnerabilities to exploit
  • Vulnerability prioritization criteria
  • Reports to generate
Properties
  • Optional
  • Planned