Security Testing Methodology

QA Mentor uses one of three different security testing methodologies depending on the application, development status, and development methodology.

Valuable client information and consumer trust can be lost in the blink of an eye if proper precautions aren’t taken.

Download Brochure

Agile Security Testing

This method of testing is driven by iterations in which security requirements are translated into automated security test cases.   By promoting test driven development in this way, security tests are created before the system even exists.

Step 1: Initial Scoping

At this time we also develop the metrics criteria to be used for the duration of the project.

  • Number of Policy Violations
  • Percentage of weak passwords
  • Number of Susceptible Interfaces
  • Number of Defects and their Severity
  • Cost per Defect
  • Number of Security Layers
  • Percentage of System Formally Assessed

Step 2: Design Review

This phase starts with a review of the security requirements. We make sure the following sections are complete, unambiguous, and lacking any gaps in the requirement definitions.

  • User Management
  • Authentication
  • Authorization
  • Data confidentiality
  • Integrity
  • Accountability
  • Session management
  • Tiered systems segregation
  • Privacy

Step 3: Development Walkthroughs and Reviews

During development, the security team will systematically perform code walkthroughs with the developers and architects in order to gain a high level of understanding of the code. Next, security and development teams perform code reviews together to look for security defects.

Step 4: Deployment

Once the code has been deployed, we begin configuration management testing and penetration testing – if applicable.

Step 5: Maintenance

Just because the application is in production doesn’t mean the security testing is done. Operational reviews are scheduled for periodic checks on security risks and application health.

Get a Free Quote

Open Web Application Security Project
(OWASP) Methodology

The OWASP is a non-profit project that enables organizations to develop and maintain secure web applications.  Their security testing framework is based on a generic development model which makes it easy for organizations to pick and choose what will work in their SDLC.  QA Mentor uses the OWASP security testing framework as a foundation for one of our security testing methodologies.

Step 1:Obtain Security Requirements

Security requirements are identified by creating Abuser Stories and Misuse Case models – a take on the Use Case and User Stories. These scenarios are developed by determining how a malicious user might misuse or abuse the system.

Step 2: Employ Testable Architecture

Creating a testable architecture involves adding at test layer on top of each of the application layers.  This makes it possible to employ various security testing techniques throughout the development lifecycle

Step 3: Automate Security Tests

To fully benefit from Agile, automation must be employed as much as possible. Automating the security tests not only speeds up testing, but it increases confidence in the system.

Penetration Testing

QA Mentor employs a structured and ongoing penetration testing methodology that involves using tools and methods in the same way that a malicious user would.

Step 1: Build Threat Model

  • Identify risks and threats
  • Break the threat down into smaller parts

Step 2: Create Test Plan

  • Road map for the security testing effort
  • Deliverables
  • Activities, timelines, and resources needed

Step 3: Execute Test Cases

  • Vulnerabilities in the file system registry
  • UI security – XSS, Injection, etc
  • Design security – unsecured ports
  • Implementation security

Step 4: Create Problem Report

  • Proof of the presence of vulnerabilities
  • Covers the steps to reproduce, the severity of the vulnerability, and the exploit scenarios

Step 5: Perform Postmortem

  • Analyze the bugs found and identify root cause
  • Through RCA, improve the process for future projects
Start a Free Pilot Project

We’re here when you need us. If you have questions about anything on our site or our services, or if you are ready to start a consultation, we want you to contact us so we’ve tried to make it easy.

Scroll Up

Enter your name and email address to Download Brochure


Your Name

Your Email

Enter your name and email address to Download Brochure


Your Name

Your Email

Enter your name and email address to Download Brochure


Your Name

Your Email