From: Bruce.Morris@ernstyoung.com.au
Date: Mon Jan 21 2002 - 22:17:56 CST


    This email is to be read subject to the disclaimer below.

    Security Test planning
    1. What do I want to achieve from testing (what level of assurance)?
    2. What are the risks I want to address through this testing (sources and
    methods)?
    3. What perspectives do I need to achieve this?
    4. From each perspective:
         What access levels exist within each perspective (functional and
    security management)?
         What application processes or security functions are available at this
    level
         Document classes of inputs (what should be allowed, what shouldn't be
    allowed)
         Document associated expected/desired outputs for each process (what
    should happen based on positive and negative inputs)
         Check: does this address all possible paths through the relevant
    process based on the security design (testing of lower level access against
    higher level functions - a sort of regression testing)?
         What information should be captured, how and who should have access on
    what basis (don't forget the detective controls in the environment)?

    Functional testing of the security architecture should address:
    - legislative constraints (such as auditability, compliance, privacy,
    independence/securities, evidence/investigations, crimes, etc)
    - business constraints (such as segregation of duties, authentication,
    non-repudiation, contractual, government regulations)
    - business requirements (data and program integrity and availability,
    authentication)

    The Owasp Project <owasp@owasp.org>
    22/01/2002 02:23 PM
    Please respond to owasp
    To: webappsec@securityfocus.com
    cc:
    Subject: Planning a test

    We have captured most of the discussion last week
    (white-box vs black box etc) although not yet got it
    up in the site. Give us a few weeks, things very
    hectic. So far I think we have a good first draft of
    most of the Why test? What to test? and How to
    test? with an exception about how to plan a test. I
    know how I do it (paying special attention to legal
    contracts, project plans, permissions, laws etc) but
    it would be really good if other people share how
    they plan a test.

    We will get this first section written up by mid-Feb
    (with some details about Attack Trees so they can be
    used in descriptions) and we can then start the
    technical details about testing for specifics like
    cross site scripting etc

    So how do you plan a test?

    --------------------
    NOTICE - This communication contains information which is confidential and
    the copyright of Ernst & Young or a third party.

    If you are not the intended recipient of this communication please delete
    and destroy all copies and telephone Ernst & Young on 1800 655 717
    immediately. If you are the intended recipient of this communication you
    should not copy, disclose or distribute this communication without the
    authority of Ernst & Young.

    Any views expressed in this Communication are those of the individual
    sender, except where the sender specifically states them to be the views of
    Ernst & Young.

    Except as required at law, Ernst & Young does not represent, warrant and/or
    guarantee that the integrity of this communication has been maintained nor
    that the communication is free of errors, virus, interception or
    interference.

    Liability limited by the Accountants Scheme, approved under the
    Professional Standards Act 1994 (NSW)
    --------------------
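The planning checklist above (perspectives, access levels per perspective, functions available at each level, positive and negative input classes, and the check that lower-level access is tested against higher-level functions) can be turned into an enumerated test matrix rather than kept as prose. The following is an added example, not code from the post or from the OWASP project; the roles, functions and access levels are a constructed, hypothetical security design used only to show how the matrix is generated and how a coverage gap in the "lower level against higher level" check would be detected.

```python
from dataclasses import dataclass
from itertools import product

# Hypothetical security design (constructed for this example, not from the post).
# Access levels are ordered: a higher number may use everything a lower one may.
LEVELS = {"anonymous": 0, "customer": 1, "operator": 2, "security_admin": 3}


@dataclass(frozen=True)
class Function:
    name: str
    min_level: int   # lowest access level the design allows to invoke it
    audited: bool    # design requires a detective-control record of each call


FUNCTIONS = [
    Function("view_catalogue", min_level=0, audited=False),
    Function("place_order", min_level=1, audited=True),
    Function("refund_order", min_level=2, audited=True),
    Function("manage_roles", min_level=3, audited=True),
]

# Classes of input per process: what should be allowed and what should not.
INPUT_CLASSES = {
    "positive": ["well-formed"],
    "negative": ["malformed", "out-of-range"],
}


def expected_outcome(level: int, fn: Function, input_class: str) -> str:
    """Expected result of one (actor level, function, input class) combination.

    Authorisation is decided before input validation: an actor below the
    function's minimum level must be denied regardless of input quality.
    """
    if level < fn.min_level:
        return "deny"
    return "accept" if input_class == "positive" else "reject"


def build_plan(levels=LEVELS, functions=FUNCTIONS, input_classes=INPUT_CLASSES):
    """Enumerate every actor x function x input case with its expected outcome.

    'escalation_check' marks the cases the checklist calls testing lower level
    access against higher level functions.
    """
    cases = []
    for (actor, level), fn, (cls, inputs) in product(
        levels.items(), functions, input_classes.items()
    ):
        for sample in inputs:
            cases.append({
                "actor": actor,
                "function": fn.name,
                "input_class": cls,
                "input": sample,
                "expected": expected_outcome(level, fn, cls),
                # Detective control: an audited function must record both the
                # accepted call and the denied attempt.
                "audit_record_expected": fn.audited,
                "escalation_check": level < fn.min_level,
            })
    return cases


def escalation_gaps(plan, levels=LEVELS, functions=FUNCTIONS):
    """Return (function, actor) pairs where a lower level was never tested
    against a higher-level function. An empty list means the matrix covers
    every such path in the design."""
    covered = {(c["function"], c["actor"]) for c in plan if c["escalation_check"]}
    gaps = []
    for fn in functions:
        for actor, level in levels.items():
            if level < fn.min_level and (fn.name, actor) not in covered:
                gaps.append((fn.name, actor))
    return gaps


if __name__ == "__main__":
    plan = build_plan()
    for case in plan:
        if case["escalation_check"]:
            print(f"{case['actor']:15} -> {case['function']:15} "
                  f"[{case['input']}] expect {case['expected']}")
    print("escalation gaps:", escalation_gaps(plan))
```

Dropping a function from the plan after the design changed, or forgetting an actor, shows up as a non-empty list from escalation_gaps rather than as a silently missing test; the audit_record_expected flag carries the "what information should be captured" part of the checklist into each case so the detective controls are verified alongside the preventive ones.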