Security Testing SDLC: Prepare The Organization (PO)
Security_Testing_SDLC.md 07/07/2022
What can an individual developer do to enhance his code, security-wise? I also documented non-SAST requirements.
| Practice | Task | Sec test relevant | Why | What |
|---|---|---|---|---|
| PO.1 | PO.1.1 | Yes | Functional security requirements are to be tested like any other. | Define policies that specify the security requirements for the organization's software to meet, including secure coding practices for developers to follow. |
| PO.1 | PO.1.1 | Yes | Non-functional security requirement; how to address it must be defined. | Define policies that specify software architecture requirements, such as making code modular to facilitate code reuse and easier updates as well as isolating security functionality from other functionality during code execution. |
| PO.3 | PO.3.1 | No | General governance, not particular for testing. | Use automated technology for toolchain management and orchestration. |
| PO.3 | PO.3.2 | No | General governance, not particular for testing. | Integrate tools with other tools and with existing software development processes and workflows. |
| PO.3 | PO.3.2 | No | General governance, not particular for testing. | Update, upgrade, and replace existing tools. |
| PO.3 | PO.3.2 | No | General governance, not particular for testing. | Monitor tools and tool logs for potential operational and security issues. |
| PO.4 | PO.4.1 | No | General governance, not particular for testing. | Record security check approvals, rejections, and requests for exception as part of the workflow and tracking system. |
| PW.2 | PW.2.1 | Yes | So your testing is up to date. | Review the software design to confirm that it addresses all of the security requirements. |
| PW.3 | PW.3.1 | No | General governance, not particular for testing. | Define the security-related criteria for selecting commercial and open-source software. |
| PW.3 | PW.3.2 | No | General governance, not particular for testing. | See if there are publicly known vulnerabilities in the software modules and services that the vendor has not yet fixed. |
| PW.3 | PW.3.2 | No | General governance, not particular for testing. | Determine a plan of action for each third-party software module or service that is no longer being maintained or available in the future. |
| PW.5 | PW.5.1 | Yes | Should be easy to implement. | Validate all inputs, and validate and properly encode all output. |
| PW.5 | PW.5.1 | Yes | Should be easy to implement. | Avoid using unsafe functions and calls. |
| PW.5 | PW.5.1 | Yes | Should be easy to implement. | Handle errors gracefully. |
| PW.5 | PW.5.1 | Yes | Should be easy to implement. | Provide logging and tracing capabilities. |
| PW.5 | PW.5.1 | Yes | Should be a core functionality of the SAST. | Check for other vulnerabilities that are common to the development languages and environment. |
| PW.6 | PW.6.1 | Yes | It's easy to implement a check whether the compiler in use is the newest one. | Use up-to-date versions of compiler and build tools. |
| PW.6 | PW.6.2 | Yes | Non-functional security requirement; how to address it must be defined. | Enable compiler features that produce warnings for poorly secured code during the compilation process. |
| PW.6 | PW.6.2 | Yes | Because the code can be altered after the testing. | Implement the "clean build" concept, where all compiler warnings are treated as errors and eliminated. |
| PW.7 | PW.7.2 | No | General governance, not particular for testing. | Identify and document the root cause of each discovered issue. |
| PW.7 | PW.7.2 | No | General governance, not particular for testing. | Document lessons learned from code review and analysis in a knowledge base that developers can access and search. |
| PW.9 | PW.9.1 | No | It has to be done by humans because it is too complex for a test. | Conduct testing to ensure that the settings, including the default settings, are working as expected and are not inadvertently causing any security weaknesses, operational issues, or other problems. |
| RV.1 | RV.1.2 | No | It's a requirement for how the test is executed. | Configure the toolchain to perform automated code analysis and testing on a regular basis. |
| RV.2 | RV.2.1 | No | General governance, not particular for testing. | Use issue tracking software (existing software, if available) to document each vulnerability. |
| RV.3 | RV.3.1 | No | General governance, not particular for testing. | Document the root cause of each discovered issue. |
| RV.3 | RV.3.1 | No | General governance, not particular for testing. | Document lessons learned from root cause analysis in a knowledge base that developers can access and search. |
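As an added example (not part of the original document) of how a developer could enforce the PW.6.1 and PW.6.2 rows in a pre-build gate: a POSIX shell script that checks the installed C compiler against a minimum version and builds with all warnings promoted to errors. The `cc` driver, the placeholder minimum version and the flag set are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original document.
# Pre-build gate for PW.6.1 (up-to-date compiler) and PW.6.2 (clean build,
# warnings treated as errors). Assumes a gcc- or clang-compatible `cc`;
# MIN_CC_VERSION is a placeholder the organisation's policy would set.
MIN_CC_VERSION="${MIN_CC_VERSION:-9.0}"

# Warnings on and promoted to errors, plus common hardening flags (assumed set).
HARDEN_CFLAGS="-Wall -Wextra -Wformat=2 -Werror -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong"

# version_ge A B: succeed (0) when dotted version A >= B, e.g. 10.2.1 >= 9.0.
# Missing components count as 0, so 9.0 >= 9 and 9.0.1 > 9.0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# compiler_ok VERSION: the PW.6.1 check, separated from version discovery so
# it can be exercised without a compiler present.
compiler_ok() {
    version_ge "$1" "$MIN_CC_VERSION"
}

# installed_cc_version: gcc >= 7 and recent clang print "major.minor.patch"
# for -dumpfullversion; fall back to -dumpversion for older drivers.
installed_cc_version() {
    cc -dumpfullversion 2>/dev/null || cc -dumpversion
}

# clean_build SRC OUT: PW.6.2 - any compiler warning fails the build.
clean_build() {
    cc $HARDEN_CFLAGS -o "$2" "$1"
}

# Gate: run as `RUN_GATE=1 sh build_gate.sh main.c app` (guarded so that
# sourcing this file for its functions does not invoke the compiler).
if [ -n "${RUN_GATE:-}" ]; then
    v="$(installed_cc_version)"
    compiler_ok "$v" || { echo "cc $v is older than policy minimum $MIN_CC_VERSION" >&2; exit 1; }
    clean_build "${1:?source file}" "${2:?output file}"
fi
```

Wiring this into the CI job that precedes the SAST run also addresses the "code can be altered after the testing" concern in the clean-build row, since every build is gated rather than only the one that was scanned.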