Task: Develop Security Test Policy
This task describes the main steps that you need to perform when you develop a test policy with a focus on security.
Disciplines: Test
Purpose
To specify the types of security tests to perform.
Main Description

In this context, a Test Policy describes the types of tests to run against a Web application to find security vulnerabilities. Which test types a policy includes depends on the objectives of the vulnerability assessment and on the role of the person performing it.

For example, a Security Lead may decide to focus first on a few key, high-severity issues, and will then include in the test policy only tests for those types of issues. Whoever performs a vulnerability assessment must be able to act on the results, that is, must have the skill set needed to address the security issues that are discovered. A test policy for a security auditor should therefore be comprehensive and include both infrastructure and application tests, whereas a test policy for developers should include only a few key application tests that developers can readily understand and fix (for instance, SQL Injection and Cross-Site Scripting).

Steps
Determine the Main Types of Security Issues
Based on the application characteristics, industry standards and data, and your previous experience, define the main types of security issues to test for.
Identify the Users of the Test Policy
Categorize the potential users of the test policy, based on their security skills, application knowledge, testing experience, familiarity with different tools and methodologies, and so on.
Select Types of Security Tests to Include
Select the types of security tests based on the user types, the potential security issues, and the point in the overall development lifecycle at which the tests will be executed.
Publish the Security Test Policy
Review the changes to the Security Test Policy, and make it available to the target audience.
