Appsec strategy
Security Testing Methodology
0 - Checklist Summary
1 - Requirements Tracability Matrix
1.1 - Create the Matrix
1.1.1 - Example
2 - Threat modeling and attack surface mapping
2.1 - Component mapping
2.1.1 - Example
2.2 - Critical assessment
2.2.1 - Example
2.3 - Logic Flaws Identification
2.3.1 - Example
3 - Reconnaissance and Preliminary Analysis
3.1 - Code And Route Analysis
3.1.1 - Example
3.2 - Runtime Examination
3.2.1 - Example
3.3 - TestList Formulation
3.3.1 - Example
4 - Tool-Assisted Vulnerability Identification
4.1 - Static Code Analysis
4.2 - Dynamic Analysis
4.3 - Findings Documentation
5 - Manual Review and Dynamic Analysis
5.1 - Review Based on Tool Outputs
5.1.1 - Example
5.2 - Synthesis of Findings and Test Plan Development
5.2.1 - Example
5.3 - Null Safety
5.4 - Unexpected Input
5.5 - Behavioral Logic Flaws Analysis

0 - Checklist Summary

Checklist

This checklist serves as a concise reference for individuals already familiar with the test strategies outlined in the guide. It is designed to provide a quick glance through to ensure that all critical steps and methodologies mentioned in the document have been thoroughly addressed. Use this checklist to verify that each essential task has been completed.

1.1 Identify Application Features and Security Risks
1.1 Define Security Requirements for Each Feature
1.1 Link Security Requirements to Specific Tests
1.1 Assemble the Traceability Matrix
2.1 List All Application Components
2.1 Visualize Data Flow Within the Application
2.1 Map External Interactions and Dependencies
2.1 Identify Security Controls for Each Component and Data Flow
2.2 Identify Business-Critical Components
2.2 Validate Criticality of Components
2.3 Understand the Application’s Business Logic
2.3 Conduct Brainstorming Sessions for Potential Misuse
2.3 Prototype and Test Attack Scenarios
3.1 Analyze the Application’s Codebase for cyclomatic/cognitive Complexity
3.1 Examine Application Routing
3.1 Identify Business-Critical Code Sections
3.2 Identify Key Runtime Components (XML parsers, file upload)
3.2 Compile Initial Findings from Code, Route, and Runtime Analyses
3.3 Draft Preliminary List of Security Tests
3.3 Integrate Test List with Requirements Traceability Matrix
4.1 Select and Configure Static Code Analysis Tools
4.1 Run Scans and Analyze Results from Static Code Analysis
4.1 Document Findings from Static Code Analysis
4.2 Setup Dynamic Testing Environment
4.2 Conduct Live Application Tests
4.2 Analyze and Document Findings from Dynamic Analysis
4.3 Document Findings in DefectDojo
4.3 Review and Validate Findings
5.2 Synthesize Findings and Develop Strategic Test Plan
5.2 Manual verification and security testing

0 - Checklist Summary

0 - Checklist Summary

Checklist

results matching ""

No results matching ""