8

What does a security testing plan look like?

Can anyone point out a template for such a document or an example?

Rory Alsop
smiley
  • 6
    Not 100% sure what you're aiming for. A test plan may vary very much depending on what kind of environment and scope you are testing. E.g. a web application may have a completely different test plan than a perimeter network test. – Chris Dale Jul 12 '12 at 11:36
  • 1
    What I am more interested in is what should be in a test plan? Like, should I mention the test methodologies? Should I create one out of STRIDE? How? I mean, is there even a book? A course on that? – smiley Jul 12 '12 at 12:16
  • 2
    Test plan for what? Penetration testing? Secure application development? –  Jul 12 '12 at 12:37
  • Penetration testing. In between, is there a test plan for secure application development! – smiley Jul 12 '12 at 14:31
  • 3
    Penetration testing of what? As @Karrax says, web app, network, server... a bit more detail about your specific requirements would help here – Rory Alsop Jul 13 '12 at 10:07
  • Related, but not duplicate: [Are all security requirements expected to be testable?](http://security.stackexchange.com/q/3255/33) Perhaps this can point you at a general framework, even if it's not an example. – AviD Mar 20 '13 at 11:54

6 Answers

10

There's also the Pentest Standard

Epoch Win
6

There is a good resource on MSDN. Did you have a chance to read about this topic in MSDN Magazine?

Well, here are the links that may help define what you are looking for:

Yusubov
6

NIST 800-53A and NIST 800-115. That's not strictly a test plan, but it is a catalog of the elements of a test plan. If you're working with a government system, that is a list of test standards for the security controls. If you're working on a commercial system, it is a catalog of resources.

Another resource for test plans is SANS Critical 20 Security Controls; personally I think that is legitimate but overhyped.

Abrams appears to be an example; you can find more by searching for Security Test & Evaluation Plans on Google.

Ultimately however, I think they all miss the mark. Modern security test plans should be done on the basis of risk. In my opinion, you should perform your risk assessment, identify the top N risks, and then develop a standard project plan to test/validate those risks within the resources available ($$, time, expertise, etc.).

MCW
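The risk-based approach described in this answer (run the risk assessment, take the top N risks, then plan the tests you can afford) can be expressed as a small scheduling routine. The following is an added example, not code from the answer or from any standard; the risk register, scores and hour estimates are constructed values, and the likelihood x impact scoring and greedy budget fit are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry from the risk assessment, with the test that will validate it."""
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    test: str        # how the risk is evidenced/validated in the plan
    hours: float     # estimated effort for that test

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rank_risks(risks):
    """Highest score first; among equal scores prefer the cheaper test, then name."""
    return sorted(risks, key=lambda r: (-r.score, r.hours, r.name))


def build_test_plan(risks, top_n, budget_hours):
    """Top-N risks, then greedy scheduling of their tests within budget_hours.
    Returns (scheduled, deferred); deferred items are listed so the gap stays visible."""
    scheduled, deferred, used = [], [], 0.0
    for risk in rank_risks(risks)[:top_n]:
        if used + risk.hours <= budget_hours:
            scheduled.append(risk)
            used += risk.hours
        else:
            deferred.append(risk)
    return scheduled, deferred


# Constructed sample risk register (hypothetical values, not from the answer).
SAMPLE_RISKS = [
    Risk("SQL injection in customer search", 4, 5, "Authenticated web app test", 16),
    Risk("Telnet exposed on branch routers", 3, 4, "Scan for cleartext management", 4),
    Risk("WEP on warehouse access points", 2, 4, "Wireless configuration review", 6),
    Risk("Stale admin accounts", 3, 3, "Account review against HR leaver list", 3),
    Risk("Missing OS patches on file servers", 4, 4, "Authenticated patch scan", 8),
    Risk("Weak password policy", 2, 2, "Policy and configuration review", 2),
]

if __name__ == "__main__":
    plan, gaps = build_test_plan(SAMPLE_RISKS, top_n=5, budget_hours=28)
    for r in plan:
        print(f"TEST  {r.score:>2}  {r.hours:>4}h  {r.name}: {r.test}")
    for r in gaps:
        print(f"DEFER {r.score:>2}  {r.hours:>4}h  {r.name}")
```

The deferred list is the part management usually wants to see: it records which of the top risks the plan does not cover and why.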
3

Standards/policies, risk assessment and threat modeling should drive out a set of key risks and controls to mitigate them. What these consist of will depend on what is being delivered.

A test plan should fundamentally set out to evidence these controls. Penetration/vulnerability testing is only part of this. Other aspects could be code/build/configuration review, aspects of functional testing to ensure expected capabilities are present, 3rd party assurance and standards compliance.

flamingm0
2

Here is a request page for Test Plan Template for Websites and Web Applications provided by XBOSoft - http://www.xbosoft.com/contact/whitepaper/functional-test-plan-for-websites

Cyril
2

This happens to be a very pet question from a security management perspective. For me it has happened in cases where I'm magically supposed to bring 'a PLAN' which solves all of the management worries. The plan by definition demands focus and attention to specific details. A successful plan would ALWAYS match its purpose, efforts and the results it delivers.

Let me explain further.

Firstly, a plan basically should work like a small project and have all the ingredients of what should comprise an effective and cost-effective project. Just like in any project, you would discuss:

  • Project Scope
  • Requirements
  • Objectives
  • Resources
  • Design / Proposed solution
  • Deliverable
  • Project performance metrics / KPI
  • Documentation

Similarly, any plan for that matter should have a decent footprint of effective project management activities and planning.

Your statement would have made perfect contextual sense if you had added something like "I want a testing plan for XYZ". XYZ here is arbitrary and can be, but is not limited to:

  1. As given and explained in the OWASP Testing Guide, a plan or series of test cases prepared to test compliance, i.e. whether the programmer has followed the OWASP secure coding guidelines or not.
  2. By saying this I mean a plan can be used, prepared and mentored to test just about anything that fits the requirements and objectives. This is the reason you would see, especially in security, that there is a plan or a methodology for everything. Another example: a plan could be made that tests, on a regular basis, your organization's access point configuration for weak encryption protocols/standards (WEP); also a plan that specifically checks for unencrypted remote management services (e.g. telnet) using a tool (e.g. Nessus). In layman's terms, whenever there are two systematically and environmentally disparate inputs involved, there would always be two plans involved, not one. For example, it makes perfect sense that, depending upon the criticality of the use of particular industrial equipment, the manufacturers could mandate two separate test plans and strategies for nuts' and bolts' resistance to stresses at rest (hit by a fast-moving object) and also their resilience to the same thing happening when in motion.

Secondly, a key point related to plans is a clean and distinct description of the types of tests performed and the expected results. Usually these results are aligned or mapped with already prepared METRICS to have an understanding of the level of success or failure achieved in performing these tests.

Lastly, you asked about the stuff/things that go in a PLAN. Assuming you have done your homework and know what goes where, you can start with the following outline.

  • Background
  • Target details
  • Scope of work
  • Methodologies adopted
  • List of test performed
  • Analysis of test results
  • Maintenance and updating of plan
  • Recommendations

Hope it helps you :)

Saladin
  • 1
    This helped me. Also, can you differentiate between a security test plan and a security program? Would it be wise to say a security program can be only a part of the security test plan, since security programs can nowadays be many, e.g. `bug-bounty`, `internal security testing`, `secure coding unit testing`, `penetration testing`, etc.? – Shritam Bhowmick Sep 04 '15 at 23:11
  • Thanks @ShritamBhowmick, it's the other way around: it's the program which would define how the things you mentioned would be rolled out, i.e. testing. A good sec program will help you plan these activities and provide the necessary resources to activate such tasks/projects. Also, to know: planning/strategy will help you in defining "what"; for "how" you need low-level documentation, procedures and guidelines, e.g. OWASP for pen-testing. – Saladin Sep 05 '15 at 11:20
  • @ShritamBhowmick Think of a sec program as a "framework", and you do need some form of "engine" to run it. Policies do help in this regard as they allow bringing the vision forward. There is absolutely no sense in the use of secure coding if there is no current standard or policy for "secure coding", or if the development and operational environments are not separated. Also, one interesting difference for any "program": it by definition supports multiple projects. The ones you mention can be activated as projects too. The program will help with the amount of rigor to apply to retrieve results from these initiatives. – Saladin Sep 05 '15 at 11:27
  • @ShritamBhowmick Also, is your program "compliance" or "testing" focused? A sec program for NSA/DoD would be more aligned to offensive measures and "detection and response", whereas a drug company would be interested more in compliance. Focus is not important. It cannot be desired. You need to know your information protection requirements and what will help which part as well. – Saladin Sep 05 '15 at 11:33
  • So a security test plan is a sub-set of the security program (super-set). Basically what I understand from your input is that all organizations have their separate business requirements, and these business requirements require different protection schemes to 'secure' information or secure business assets. To *plan* security can be done in many ways, and each of these ways depends on the assets that have to be protected. If I understand it right, this is what it is. Like for most retail, PCI DSS can be the plan initiative for compliance; for NSA/DoD, red team; for webapps, OWASP, etc. – Shritam Bhowmick Sep 05 '15 at 16:26
  • Yes, you have understood correctly. You must read the PNE (protection needs elicitation) document; it's included as one of the appendices as part of IATF v3.0. It will help you a lot :) – Saladin Sep 06 '15 at 13:25
  • 1
    Note, in DoD for e.g. DITSCAP and NITSCAP are used as part of the "C&A" process, which includes extensive testing, but these "fat processes" are aligned to support tier-1 organizational functions. This graphic should be your bible: oig.federalreserve.gov/images/2013-IT-B-019figure1.jpg – Saladin Sep 06 '15 at 13:34
  • This graphic will help. I am going to read PNE and IATF 3.0 in a while and will come back if anything needs to be asked here. Thanks mate. – Shritam Bhowmick Sep 06 '15 at 15:08