[ISM] Security testing

Applications are comprehensively tested for vulnerabilities, using static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases.

[SSDF] Assess executable testing requirements thoroughly (SSS-02-10-03)

Evaluate whether executable code testing should be performed to uncover vulnerabilities that might not have been identified through prior reviews, analyses, or automated testing. Follow organizational guidelines to select appropriate testing types, considering the software’s current development stage and whether the code is in-house or from third parties. This approach ensures that potential security gaps are addressed comprehensively.

[SAMM] Establish a penetration testing process (SSS-02-10-03-01)

Define a systematic penetration testing process to assess security across various development phases. Use project-specific security test cases to guide manual penetration testing, focusing on both static and dynamic vulnerabilities. Prioritize testing in the pre-release phase, and for systems that require live testing, adopt controlled techniques like blue-green deployments or A/B testing to ensure security without disrupting production environments. Design test cases to cover application-specific scenarios, such as validating business logic, and broader vulnerabilities associated with design and implementation flaws. Empower quality assurance teams and development staff with specialized training to conduct these tests effectively. Monitor and support initial test executions with guidance from a central security team to foster best practices. Encourage external evaluations through bug bounty programs to complement internal testing, leveraging the expertise of external security researchers. This approach broadens talent access and strengthens overall testing capabilities. Before release, review penetration testing outcomes with stakeholders to address identified risks and create a timeline for resolving issues. Disseminate findings across development teams to improve security awareness and practices organization-wide.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-10-03-01-01 | Develop penetration testing cases | Include test cases for business logic flaws like bypassing payment flows and OWASP Top 10 vulnerabilities such as SQL injection. | Development | Security team, Quality assurance (QA) team |
| SSS-02-10-03-01-02 | Execute manual penetration testing | Test the authentication module for password brute-forcing vulnerabilities and validate session management robustness. | Development | Penetration testers, Security champions |
| SSS-02-10-03-01-03 | Leverage bug bounty programs | Use platforms like HackerOne or Bugcrowd to attract ethical hackers and crowdsource penetration testing efforts. | Deployment | Security team, Bug bounty coordinators |
| SSS-02-10-03-01-04 | Review and address test findings | Document failing test cases, such as insufficient input validation, and assign fixes to development teams with defined deadlines. | Deployment | Development managers, Security team |

References

| Industry framework | Academic work | Real-world case |
|---|---|---|
| Information Security Manual (ISM-0402) | | |
| NIST Secure Software Development Framework (PW.8.1) | | |
| OWASP SAMM: Software Assurance Maturity Model (V-ST-2-B) | | |