Artifact: Security Test Policy
A security test policy describes the types of security tests to be performed, and the processes for performing them, for each of the teams involved in Web application security testing.
Domains: Test
Purpose
To provide a way to capture the aspects of security testing that are common to all of the applications tested within an organization: the types of security tests, who should perform them, at what level (for example application or infrastructure), and at what point in the development lifecycle.
Relationships
Description
Main Description

The policy should include the following information, organized by role (Security Auditor, Tester, Developer), so that each role can see which tests it owns:

  • Test environment
  • Test approach, techniques, processes
  • Automated tests to perform
    • Application
    • Infrastructure
    • Noninvasive
    • Invasive
    • Custom
  • Manual tests to perform
  • Vulnerabilities to exploit (which findings are to be confirmed by exploitation, and the limits placed on that exploitation)
  • Vulnerability prioritization criteria (how findings are rated and ordered for remediation)
  • Reports to generate