3.3 - TestList Formulation

Goal

The objective of this activity is to utilize the findings from the initial reconnaissance and the detailed runtime examination to draft a preliminary list of security tests. This list will be specifically tailored to address the vulnerabilities and risks identified, guiding the more detailed testing phases that follow.

How to Execute

  1. Compile Initial Findings
    • Description: Gather all the data and insights obtained from the code and route analysis, as well as the runtime examination. This compilation will include detailed notes on identified vulnerabilities, their potential impacts, and observed weaknesses in the application’s operation.
    • Tools/Techniques:
      • Review documentation and reports from the previous activities to ensure all relevant findings are considered.
      • Use a collaborative approach, involving team discussions to ensure that all significant vulnerabilities are captured and nothing is overlooked.
    • Output: A comprehensive compilation of all vulnerabilities and security concerns identified during the earlier phases of reconnaissance.

  2. Draft Preliminary Test List
    • Description: Based on the compiled findings, draft a list of targeted security tests. Each test should be designed to specifically address and verify the mitigation of identified vulnerabilities. Consider the nature of each vulnerability and the best testing approach to validate security measures.
    • Tools/Techniques:
      • Use a systematic approach to map each vulnerability to specific tests, such as penetration testing, functional testing, or automated scanning, depending on the nature of the vulnerability.
      • Engage security experts to ensure that the tests are comprehensive and appropriate for the types of risks identified.
      • Utilize the OWASP Testing Guide checklist as a framework to guide the development of test cases. This checklist provides a comprehensive set of guidelines and best practices for testing the security of web applications, which can be adapted to specific vulnerabilities identified in the assessment phase.
    • Output: A preliminary list of security tests, each linked to specific vulnerabilities identified in the reconnaissance phase, ensuring targeted and effective testing.

  3. Integrate with Requirements Traceability Matrix (RTM)
    • Description: Integrate this preliminary list of tests into the Requirements Traceability Matrix developed earlier. This integration ensures that each test is directly traceable to specific features and their related security requirements.
    • Tools/Techniques:
      • Use the existing Requirements Traceability Matrix framework to add the newly formulated tests, ensuring each test is aligned with corresponding features and vulnerabilities.
      • Update the RTM to reflect new insights and testing needs, maintaining it as a living document that evolves with the project’s progress and findings.
    • Output: An updated Requirements Traceability Matrix that now includes the preliminary list of security tests, providing a clear and organized view of how testing objectives correspond to specific security requirements and vulnerabilities.
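As an added example that is not part of the original page, the three steps above as a small Python script: constructed findings are mapped to a test method by vulnerability category, merged into an RTM keyed by security requirement, and checked for traceability gaps. All finding ids, feature names, requirement numbers and the category-to-method table are constructed for illustration.

```python
# Added example, not part of the original page: a minimal Requirements
# Traceability Matrix (RTM) that links reconnaissance findings to security
# tests and reports traceability gaps. All ids and sample data are constructed.

# Constructed finding records (step 1): id, affected feature, vulnerability
# category and the security requirement the finding relates to.
FINDINGS = [
    {"id": "F-1", "feature": "login", "category": "auth", "req": "SR-01"},
    {"id": "F-2", "feature": "search", "category": "injection", "req": "SR-02"},
    {"id": "F-3", "feature": "admin", "category": "access-control", "req": "SR-03"},
    {"id": "F-4", "feature": "upload", "category": "unknown", "req": "SR-04"},
]
# Constructed requirement list; SR-05 has no finding and is used to show a gap.
REQUIREMENTS = ["SR-01", "SR-02", "SR-03", "SR-04", "SR-05"]

# Step 2: the testing approach agreed per vulnerability category (constructed).
METHOD_BY_CATEGORY = {"auth": "penetration", "injection": "automated-scan",
                      "access-control": "functional"}

def draft_tests(findings):
    """Map each finding to a targeted test; categories without an agreed
    method are left for the security experts to decide (method=None)."""
    return [{"id": f"T-{i:02d}", "finding": f["id"],
             "method": METHOD_BY_CATEGORY.get(f["category"])}
            for i, f in enumerate(findings, start=1)]

def build_rtm(requirements, findings, tests):
    """Step 3: one RTM row per requirement listing features, findings, tests."""
    rtm = {r: {"features": set(), "findings": set(), "tests": set()} for r in requirements}
    test_for = {t["finding"]: t["id"] for t in tests if t["method"]}
    for f in findings:
        row = rtm.setdefault(f["req"], {"features": set(), "findings": set(), "tests": set()})
        row["features"].add(f["feature"])
        row["findings"].add(f["id"])
        if f["id"] in test_for:
            row["tests"].add(test_for[f["id"]])
    return rtm

def traceability_gaps(rtm):
    """Requirements with findings but no test, and requirements with no
    finding at all, so the living RTM carries its known holes explicitly."""
    untested = sorted(r for r, row in rtm.items() if row["findings"] and not row["tests"])
    unobserved = sorted(r for r, row in rtm.items() if not row["findings"])
    return {"untested": untested, "no_findings": unobserved}

if __name__ == "__main__":
    rtm = build_rtm(REQUIREMENTS, FINDINGS, draft_tests(FINDINGS))
    print(traceability_gaps(rtm))  # {'untested': ['SR-04'], 'no_findings': ['SR-05']}
```

The gap report is what an RTM review would act on: SR-04 has an observed weakness with no test yet, and SR-05 has a requirement that reconnaissance never touched.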
