Security requirements checking and testing
1. Is there any methodology?
Answer: For security requirements checking and testing you can use the same methodologies used for software development: individual testing, independent testing, and integration testing, and the last two can use black-box and white-box approaches (without or with information about the implementation).
2. What are test inputs and expected outputs, code analysis tools or vulnerability scanners?
Answer: The inputs, outputs and tools to be used will depend on which requirements you will test. For example, for testing access control and communications security you will need different sets of inputs, outputs and tools.
For example, for testing access control the inputs are correct and incorrect combinations of login and password, and the expected results are, respectively, access granted and access denial. A password cracking tool can be used to check the quality of passwords.
These articles will provide you further explanation about security testing:
- How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
- How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/
This material will also help you regarding security testing:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
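As an added example (not code from the original answer), here is how the access-control test described above can be written like an ordinary functional test suite: the credential store and the test vectors are constructed for illustration, and the tests exercise only the public authenticate() interface, i.e. a black-box approach.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed credential store: PBKDF2-hashed passwords with a per-user salt.
# The tests below treat it as a black box and only call authenticate().
class AccessControl:
    ITERATIONS = 100_000

    def __init__(self):
        self._users = {}  # username -> (salt, derived key)

    def add_user(self, username, password):
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[username] = (salt, key)

    def authenticate(self, username, password):
        """Return 'granted' or 'denied'. Unknown users and wrong passwords both
        yield 'denied', so the response does not reveal which check failed."""
        record = self._users.get(username)
        if record is None:
            return "denied"
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return "granted" if hmac.compare_digest(candidate, expected) else "denied"

@dataclass
class TestCase:
    requirement: str   # the security requirement this input/output pair covers
    username: str
    password: str
    expected: str      # expected output: 'granted' or 'denied'

# Constructed test vectors (hypothetical, not taken from the original post).
CASES = [
    TestCase("valid credentials are accepted", "alice", "correct horse", "granted"),
    TestCase("wrong password is rejected", "alice", "wrong horse", "denied"),
    TestCase("unknown user is rejected", "mallory", "correct horse", "denied"),
    TestCase("empty password is rejected", "alice", "", "denied"),
]

def run_access_control_tests(cases=CASES):
    """Black-box run over the test table: {requirement: passed?} per case."""
    ac = AccessControl()
    ac.add_user("alice", "correct horse")  # constructed fixture account
    return {c.requirement: ac.authenticate(c.username, c.password) == c.expected
            for c in cases}
```

Each entry in the table pairs a requirement with one input and one expected output, which is exactly the evidence a reviewer asks for when checking that a security control is implemented as specified.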
Question: You mean to say that after applying all the security controls, the system in question should go through all the software tests. Is that what you mean?
Answer: What I mean is that the implemented security requirements (e.g., two-factor authentication to support an access control requirement, a secure communication protocol to support a protected communication requirement, etc.) should go through the same testing process you apply in your software development. You should consider them the same way you consider the tests for your software's functional and non-functional requirements.
The tests' coverage and detail levels should be proportional to the degree of confidence you want that the security functions are properly implemented.
For more orientation on security assurance in software development, I suggest you see the ISO standard 15408-1 at this link:
Apr 27, 2017