Task: Develop Security Test Plan
This task describes the main steps for developing a security test plan. All or some of these steps apply whether you are starting from scratch or refining an existing test plan.
Purpose
Specify the scope and build a plan for performing the assessment.
Relationships
Inputs (Mandatory / Optional / External):
  • None
Outputs
Main Description

Before you start your Web application vulnerability assessment, you need to build a test plan. Building a test plan starts with establishing your test target. Depending on your assignment, a test target could consist of a range of IP addresses, a set of Web applications, or a single Web application. If your target is an IP address range, you must first identify all of the Web properties in that range, and then test each of them for security vulnerabilities.

Once you establish your target, you need to select your test environment. A security test could potentially deface or destabilize a Web application. Therefore, it is highly recommended that you test a Web application in a pre-production environment. If you need to test a Web application that is already in production, you must use only tests that are safe, that is, tests that cannot destabilize or modify the application.

Defining the test scope, that is, the types of security tests you will employ during the assessment, depends on your security test policy, your role, and the scope of your assignment.

You should also take into account any test restrictions. Perhaps you are testing in a production environment and, by testing certain application functions, you run the risk of crashing the application. It is recommended that you speak with the application owner and application developers to identify any potential risks and corresponding test restrictions.

All application stakeholders should agree on the date and time of the vulnerability assessment. This is necessary to ensure that the test has minimal impact on any of the stakeholders.

Most applications have some mechanism for identifying and authorizing their users. You will need access credentials to test an application that requires its users to log in. It is best to create a special account for the purposes of the test. After the test is completed, you can simply delete the account, which makes "cleaning up" a lot easier. If the application supports multiple user roles, you may need to obtain an account for each user role.

Conducting a security assessment may involve exploiting vulnerabilities to prove the risks associated with them. Also, as mentioned previously, security testing may have side effects (for example, crashing the application, inserting garbage data into the database, and so on). Therefore, it is important to obtain approval from all stakeholders before you begin testing.

It is recommended that you obtain the contact information of key stakeholders whom you may need to reach during your assessment. For example, if the application crashes and you need the Web or application servers rebooted, you will need to know who to contact.

Steps
Establish the Test Target
Clearly state your test target, which could be a range of IP addresses, one Web application, or a set of Web applications.
Select Test Environment
Given the high impact of a security test, it is recommended to run it in a pre-production environment. If you must test a production application, run only safe tests that will not destabilize the application under test.
Define Test Scope
Define the security tests that you will run based on the security test policy, your role, and the objectives of the security test.
Determine Test Restrictions
Talk to all of the stakeholders involved (application owners, developers, and so on) in order to determine all of the test restrictions. Special consideration should be given to the applications already deployed into a production environment.
Determine Test Window Details
Reach agreement with all of the stakeholders on the date and time for running the tests, in order to minimize the overall impact of the assessment.
Obtain Access Credentials
Create a temporary, special account solely for the purpose of security testing. Delete the account, or otherwise make sure that it is properly disposed of, at the end of the test cycle. For role-based access, multiple accounts might be needed.
Obtain Stakeholder Approval
Given the potential impact of a security assessment, make sure that all of the stakeholders are informed, and any necessary approvals have been obtained.
Obtain Stakeholder Contact Info
Get all of the contact information that you will need in case of an unexpected event (for example, a crash or a reboot).
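The steps above can be captured as a structured plan and checked mechanically before the assessment starts. The following Python script is an added example and is not part of the original task description or of any particular tool; the TestPlan fields, the split of test types into "safe" and "intrusive" sets, and the sample plans are all assumptions constructed for this example. It expands an IP-range target into the individual hosts to assess, refuses intrusive tests and missing restrictions for a production environment, and reports missing temporary accounts, approvals and contact details.

```python
"""Check a Web application security test plan against the planning steps.

Added example: plan structure, field names, test classification and sample data
are assumptions made for this illustration, not part of the original page.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Assumed classification for this example: "safe" tests only observe the
# application; "intrusive" tests may crash it or write garbage data, so they
# are not allowed against a production environment.
SAFE_TESTS = {"crawl", "http-header-review", "tls-config-review"}
INTRUSIVE_TESTS = {"input-fuzzing", "login-bruteforce", "load-stress"}


@dataclass
class TestPlan:
    target: str           # CIDR range, or a single Web application URL
    environment: str      # "pre-production" or "production"
    tests: set            # names drawn from SAFE_TESTS / INTRUSIVE_TESTS
    restrictions: list    # agreed restrictions, e.g. "do not submit the checkout form"
    window: tuple         # (start, end) as ISO-8601 strings
    credentials: dict     # role -> {"account": str, "temporary": bool}
    approvals: dict       # stakeholder -> True if approval was obtained
    contacts: dict        # stakeholder -> contact detail


def expand_target(target):
    """Return the hosts to assess: every address of a CIDR range, or the
    single Web application identifier when the target is not an IP range."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return [target]
    return [str(host) for host in net.hosts()]


def validate_plan(plan):
    """Return a list of problems; an empty list means every step is satisfied."""
    problems = []

    # Establish the test target
    if not plan.target:
        problems.append("no test target established")

    # Select the test environment
    if plan.environment not in ("pre-production", "production"):
        problems.append(f"unknown environment {plan.environment!r}")

    # Define the test scope (only safe tests in production)
    if not plan.tests:
        problems.append("test scope is empty")
    unknown = plan.tests - SAFE_TESTS - INTRUSIVE_TESTS
    if unknown:
        problems.append(f"unclassified tests in scope: {sorted(unknown)}")
    if plan.environment == "production":
        unsafe = plan.tests & INTRUSIVE_TESTS
        if unsafe:
            problems.append(f"unsafe tests selected for production: {sorted(unsafe)}")

    # Determine test restrictions (production targets need them documented)
    if plan.environment == "production" and not plan.restrictions:
        problems.append("production target has no agreed test restrictions")

    # Determine test window details
    try:
        start, end = (datetime.fromisoformat(t) for t in plan.window)
        if end <= start:
            problems.append("test window ends before it starts")
    except (TypeError, ValueError):
        problems.append("test window is not a valid (start, end) pair")

    # Obtain access credentials (temporary accounts only)
    if not plan.credentials:
        problems.append("no access credentials obtained")
    for role, cred in plan.credentials.items():
        if not cred.get("temporary"):
            problems.append(f"account for role {role!r} is not a temporary test account")

    # Obtain stakeholder approval and contact info
    if not plan.approvals:
        problems.append("no stakeholder approvals recorded")
    for stakeholder, approved in plan.approvals.items():
        if not approved:
            problems.append(f"approval missing from {stakeholder!r}")
    for stakeholder in plan.approvals:
        if stakeholder not in plan.contacts:
            problems.append(f"no contact information for {stakeholder!r}")

    return problems


def pre_production_plan():
    """Constructed sample: a plan that satisfies every step."""
    return TestPlan(
        target="10.0.5.0/30", environment="pre-production",
        tests={"crawl", "input-fuzzing"}, restrictions=[],
        window=("2024-03-09T22:00:00", "2024-03-10T04:00:00"),
        credentials={"customer": {"account": "sectest-customer", "temporary": True},
                     "admin": {"account": "sectest-admin", "temporary": True}},
        approvals={"app-owner": True, "dev-lead": True},
        contacts={"app-owner": "owner@example.test", "dev-lead": "+1-555-0100"},
    )


def production_plan_with_gaps():
    """Constructed sample: a production plan that violates several steps."""
    return TestPlan(
        target="https://shop.example.test", environment="production",
        tests={"crawl", "login-bruteforce"}, restrictions=[],
        window=("2024-03-10T04:00:00", "2024-03-09T22:00:00"),
        credentials={"customer": {"account": "jsmith", "temporary": False}},
        approvals={"app-owner": True, "dev-lead": False},
        contacts={"app-owner": "owner@example.test"},
    )


if __name__ == "__main__":
    for plan in (pre_production_plan(), production_plan_with_gaps()):
        print(plan.environment, "hosts:", expand_target(plan.target))
        for problem in validate_plan(plan) or ["plan is complete"]:
            print("  -", problem)
```

The production sample is rejected for six reasons (an intrusive test selected for production, no agreed restrictions, an inverted test window, a non-temporary account, a missing approval and missing contact details), which is the kind of checklist review the stakeholders should see before the test window opens.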
Properties
Predecessor
Multiple Occurrences
Event Driven
Ongoing
Optional
Planned
Repeatable