https://wiki.owasp.org/index.php?action=history&feed=atom&title=SAMM_-_Security_Testing_-_3 SAMM - Security Testing - 3 - Revision history 2026-04-10T21:20:39Z Revision history for this page on the wiki MediaWiki 1.27.2 https://wiki.owasp.org/index.php?title=SAMM_-_Security_Testing_-_3&diff=193645&oldid=prev David Fern at 00:49, 20 April 2015 2015-04-20T00:49:01Z <p></p> <table class="diff diff-contentalign-left" data-mw="interface"> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;' lang='en'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 00:49, 20 April 2015</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l63" >Line 63:</td> <td colspan="2" class="diff-lineno">Line 63:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>----</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Additional Resources===</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>===Additional Resources===</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">[[:Category:SAMM-ST-3]]</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/div&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;/div&gt;</div></td></tr> <tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l69" >Line 69:</td> <td colspan="2" class="diff-lineno">Line 69:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>__NOTOC__ __NOEDITSECTION__</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>__NOTOC__ __NOEDITSECTION__</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:SAMM-ST-3]]</ins></div></td></tr> </table> David Fern https://wiki.owasp.org/index.php?title=SAMM_-_Security_Testing_-_3&diff=60122&oldid=prev Pravir Chandra at 00:54, 5 May 2009 2009-05-05T00:54:39Z <p></p> <table class="diff diff-contentalign-left" data-mw="interface"> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;' lang='en'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 00:54, 5 May 2009</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{OpenSAMM}}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{OpenSAMM}}</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">[[Category:OWASP Software Assurance Maturity Model Project]]</del></div></td><td colspan="2">&#160;</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;div style=&quot;float:left; width:65%;&quot;&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;div style=&quot;float:left; width:65%;&quot;&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{SAMM-BadgeList|name=Security_Testing|abbr=ST|border3=2}}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>{{SAMM-BadgeList|name=Security_Testing|abbr=ST|border3=2}}</div></td></tr> </table> Pravir Chandra https://wiki.owasp.org/index.php?title=SAMM_-_Security_Testing_-_3&diff=59957&oldid=prev Pravir Chandra at 00:41, 3 May 2009 2009-05-03T00:41:23Z <p></p> <table class="diff diff-contentalign-left" data-mw="interface"> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;' lang='en'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 00:41, 3 May 2009</td> </tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l9" >Line 9:</td> <td colspan="2" class="diff-lineno">Line 9:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;div style=&quot;width:100%; float:left;&quot;&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&lt;div style=&quot;width:100%; float:left;&quot;&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">'''Objective: </del>Require application-specific security testing to ensure baseline security before deployment<del class="diffchange diffchange-inline">'''</del></div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">{{SAMM-ObjectiveV3|name=Security Testing|obj=</ins>Require application-specific security testing to ensure baseline security before deployment<ins class="diffchange diffchange-inline">}}</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160;&#160; &lt;div style=&quot;width:30%; float:right; padding-top:50px; padding-left:10px;&quot;&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160;&#160; &lt;div style=&quot;width:30%; float:right; padding-top:50px; padding-left:10px;&quot;&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>====Results====</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>====Results====</div></td></tr> </table> Pravir Chandra https://wiki.owasp.org/index.php?title=SAMM_-_Security_Testing_-_3&diff=59897&oldid=prev Pravir Chandra: New page: {{OpenSAMM}} Category:OWASP Software Assurance Maturity Model Project <div style="float:left; width:65%;"> {{SAMM-BadgeList|name=Security_Testing|abbr=ST|border3=2}} </div> <div style=... 2009-05-02T19:44:26Z <p>New page: {{OpenSAMM}} <a href="/index.php/Category:OWASP_Software_Assurance_Maturity_Model_Project" class="mw-redirect" title="Category:OWASP Software Assurance Maturity Model Project">Category:OWASP Software Assurance Maturity Model Project</a> &lt;div style=&quot;float:left; width:65%;&quot;&gt; {{SAMM-BadgeList|name=Security_Testing|abbr=ST|border3=2}} &lt;/div&gt; &lt;div style=...</p> <p><b>New page</b></p><div>{{OpenSAMM}}<br /> [[Category:OWASP Software Assurance Maturity Model Project]]<br /> &lt;div style=&quot;float:left; width:65%;&quot;&gt;<br /> {{SAMM-BadgeList|name=Security_Testing|abbr=ST|border3=2}}<br /> &lt;/div&gt;<br /> &lt;div style=&quot;float:right; width:30%;&quot;&gt;<br /> [http://www.owasp.org/index.php/SAMM_-_Verification http://www.opensamm.org/downloads/BackButton.png]<br /> &lt;/div&gt;<br /> <br /> &lt;div style=&quot;width:100%; float:left;&quot;&gt;<br /> '''Objective: Require application-specific security testing to ensure baseline security before deployment'''<br /> &lt;div style=&quot;width:30%; float:right; padding-top:50px; padding-left:10px;&quot;&gt;<br /> ====Results====<br /> * Organization-wide baseline for expected application performance against attacks<br /> * Customized security test suites to improve accuracy of automated analysis<br /> * Project teams aware of objective goals for attack resistance<br /> <br /> ====Add’l Success Metrics====<br /> * &gt;50% of projects using security testing customizations<br /> * &gt;75% of projects passing all security tests in past 6 months<br /> <br /> ====Add’l Costs====<br /> * Buildout and maintenance of customizations to security testing automation<br /> * Ongoing project overhead from security testing audit process<br /> * Organization overhead from project delays caused by failed security testing audits<br /> <br /> ====Add’l Personnel====<br /> * Architects (1 day/yr)<br /> * Developers (1 day/yr)<br /> * Security Auditors (1-2 days/yr)<br /> * QA Testers (1-2 days/yr)<br /> * Business Owners (1 day/yr)<br /> * Managers (1 day/yr)<br /> <br /> ====Related Levels====<br /> * Policy &amp; Compliance - 2<br /> * Secure Architecture - 3<br /> <br /> &lt;/div&gt;<br /> &lt;div style=&quot;float:left; width:65%;&quot;&gt;<br /> ==Activities==<br /> ===A. Employ application-specific security testing automation===<br /> Through either customization of security testing tools, enhancements to generic test case execution tools, or buildout of custom test harnesses, project teams should formally iterate through security requirements and build a set of automated checkers to test the security of the implemented business logic.<br /> <br /> Additionally, many automated security testing tools can be greatly improved in accuracy and depth of coverage if they are customized to understand more detail about the specific software interfaces in the project under test. Further, organization-specific concerns from compliance or technical standards can be codified as a reusable, central test battery to make audit data collection and per-project management visibility simpler.<br /> <br /> Project teams should focus on buildout of granular security test cases based on the business functionality of their software, and an organization-level team led by a security auditor should focus on specification of automated tests for compliance and internal standards.<br /> <br /> ===B. Establish release gates for security testing===<br /> To prevent software from being released with easily found security bugs, a particular point in the software development life-cycle should be identified as a checkpoint where an established set of security test cases must pass in order to make a release from the project. This establishes a baseline for the kinds of security tests all projects are expected to pass.<br /> <br /> Since adding too many test cases initially can result in an overhead cost bubble, begin by choosing one <br /> or two security issues and include a wide variety of test cases for each with the expectation that no project may pass if any test fails. Over time, this baseline should be improved by selecting additional security issues and adding a variety of corresponding test cases.<br /> <br /> Generally, this security testing checkpoint should occur toward the end of the implementation or testing, but must occur before release. <br /> <br /> For legacy systems or inactive projects, an exception process should be created to allow those projects to continue operations, but with an explicitly assigned timeframe for mitigation of findings. Exceptions should be limited to no more that 20% of all projects.<br /> <br /> &lt;/div&gt;<br /> &lt;/div&gt;<br /> <br /> &lt;div style=&quot;float:left; width:100%;&quot;&gt;&lt;br/&gt;&lt;br/&gt;&lt;br/&gt;<br /> ----<br /> ----<br /> ===Additional Resources===<br /> <br /> <br /> &lt;/div&gt;<br /> <br /> <br /> __NOTOC__ __NOEDITSECTION__</div> Pravir Chandra