Design and Development (A4): SDL Activities and Best Practices 165
been tested for quality and is good to go. From the authors’ point of view, QA testing is not complete unless all security tests have been performed and the security test acceptance criteria are all met. Software cannot be a quality product unless it has been comprehensively tested for security issues. Treating security testing as an add-on is a mistake that many companies still make: once QA testing is complete, the software goes to the security team for security testing. In our opinion, routine security testing should be part of the QA cycle. The QA team should treat security testing just like any other testing, creating test cases and performing both manual and automated testing just as they would for any other feature. The QA team, however, often does not have the skills to execute security test cases, and so relies on the security team to perform all testing. This approach is not very effective, and it takes time away from the security team, which has to perform basic security tests instead of looking at advanced threats and corner cases. QA security testing is not meant to replace security testing by the security team; instead, it should be looked upon as enabling the security team to focus on advanced testing. Below are a few examples of issues that QA security testing should look for:
• Plaintext passwords/weak passwords in configuration files
• Default accounts on the stack (Apache, Tomcat, operating systems)
• Sensitive information in log files
• Input validation (XSS, SQLi)
• Parameter tampering for Web applications
• Insecure services used by the software team (e.g., Telnet)
• Security configurations for various services (e.g., NFS)
The QA team should focus not just on the application but also on the stack on which the software will run. This means testing various configurations of operating systems and related services, Web servers, etc., from a security point of view. Before QA gives the “Go” for a product, the entire stack (application, operating system, Web servers, storage) should have been tested for basic security issues.
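As an added example (not code from the book or from any product it discusses), the following Python module shows what automated QA security checks for the issues listed above might look like when run against the whole stack: plaintext and weak passwords in a configuration file, credentials and card numbers in log output, an insecure service in the running-service list, and a risky NFS export. All inputs are constructed samples embedded in the module, and the pattern rules, thresholds and category names are the author's own assumptions, not a standard.

```python
"""Automated QA security checks for a deployed stack (added example).

The sample configuration, log, service list and NFS exports below are
constructed for this example and do not describe any real system.
"""
import re

# --- constructed sample artifacts (assumed, not real files) ---
SAMPLE_CONFIG = """\
db.host=db.internal
db.user=app
db.password=Password123
api.token=${API_TOKEN}
smtp.password=
cache.secret=v9!Qm2#xL7pZ4wR
"""

SAMPLE_LOG = """\
2024-01-01T10:00:00Z INFO login ok user=alice
2024-01-01T10:00:05Z DEBUG outbound Authorization: Basic YWxpY2U6c2VjcmV0
2024-01-01T10:00:09Z INFO order 42 card=4111111111111111
2024-01-01T10:00:11Z INFO order 43 ref=1234567890123456
"""

SAMPLE_SERVICES = ["sshd", "telnetd", "nfsd", "httpd"]

SAMPLE_EXPORTS = """\
/srv/share 10.0.0.0/24(ro,root_squash)
/srv/data *(rw,no_root_squash)
"""

# Rule sets (assumed for the example; a real QA suite would maintain its own).
SECRET_RE = re.compile(r"([\w.]*(?:password|passwd|secret|token))\s*=\s*(\S*)", re.I)
COMMON_WEAK = {"password", "password123", "admin", "changeme", "123456"}
INSECURE_SERVICES = {"telnetd", "rshd", "rlogind", "ftpd"}
BASIC_AUTH_RE = re.compile(r"Basic\s+[A-Za-z0-9+/]{8,}={0,2}")
CARD_RE = re.compile(r"\b\d{13,16}\b")


def is_weak_password(value):
    """Simple weakness heuristic: common value, short, or letters/digits only."""
    return value.lower() in COMMON_WEAK or len(value) < 12 or value.isalnum()


def check_config_secrets(text):
    """Flag secrets stored in plaintext; flag weak ones a second time."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value == "" or value.startswith("${"):
            continue  # empty, or injected from the environment: not stored in the file
        findings.append(("plaintext-secret", lineno, key))
        if is_weak_password(value):
            findings.append(("weak-password", lineno, key))
    return findings


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_log_sensitive(text):
    """Flag credentials and card numbers that ended up in log lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if BASIC_AUTH_RE.search(line):
            findings.append(("credential-in-log", lineno, "HTTP Basic credentials"))
        for m in CARD_RE.finditer(line):
            if luhn_ok(m.group()):
                findings.append(("pan-in-log", lineno, "card number passes Luhn"))
    return findings


def check_services(running):
    """Flag legacy cleartext services present on the stack."""
    return [("insecure-service", None, s) for s in running if s in INSECURE_SERVICES]


def check_nfs_exports(text):
    """Flag world-writable exports and exports that keep root privileges."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        path = parts[0]
        for client_spec in parts[1:]:
            client, _, opts = client_spec.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            if client == "*" and "rw" in options:
                findings.append(("nfs-world-writable", lineno, path))
            if "no_root_squash" in options:
                findings.append(("nfs-no-root-squash", lineno, path))
    return findings


def run_all(config=SAMPLE_CONFIG, log=SAMPLE_LOG, services=SAMPLE_SERVICES, exports=SAMPLE_EXPORTS):
    """Run every check and group findings by area of the stack."""
    return {
        "config": check_config_secrets(config),
        "log": check_log_sensitive(log),
        "services": check_services(services),
        "nfs": check_nfs_exports(exports),
    }


def qa_security_gate(results):
    """Acceptance criterion for the example: no open findings anywhere in the stack."""
    return all(len(v) == 0 for v in results.values())


if __name__ == "__main__":
    results = run_all()
    for area, findings in results.items():
        for category, lineno, detail in findings:
            print(f"{area}: {category} (line {lineno}) {detail}")
    print("QA security gate:", "Go" if qa_security_gate(results) else "No-Go")
```

Each check returns structured findings rather than printing, so the same functions can back the QA team's test cases and the acceptance criterion (`qa_security_gate`) can be evaluated mechanically. On the constructed samples the gate returns No-Go: the configuration holds two plaintext secrets (one of them weak), the log leaks Basic credentials and one genuine card number (the second digit run fails Luhn and is ignored), telnetd is running, and one export is world-writable with root squashing disabled.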
Security test case execution is carried out from two primary perspectives:
1. Security mechanisms are tested to ensure that their functionality is
properly implemented; and