Hi, Dear Reader, it's been a while, I know. I'll try to do my best and write more often. ;)
Introduction
Often (I believe every time, actually) software developers need to test and verify a product prior to release. I'm convinced the validation team has sophisticated checks and tools for the quality assurance side. However, when security shows up, it's not always obvious how to perform security validation or where it belongs in the validation plan. In this short write-up I'd like to remind you of a quite useful guide, NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, first issued in September 2008 but still useful today. Let's highlight the most essential takeaways.
Overview
The document provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. It is organized into 8 chapters and 7 appendixes (A through G, including a Rules of Engagement template and a section on application security testing).
What I really like is how it defines the benefits of a repeatable, documented assessment methodology:
- Provide consistency and structure to security testing, which can minimize testing risks.
- Expedite the transition of new assessment staff.
- Address resource constraints associated with security assessments.
This lets you convey not only the security purpose but also give the product team the ability to reuse pre-established resources such as trained staff and standardized testing platforms; it decreases the time required to conduct the assessment and the need to purchase testing equipment and software; and it reduces overall assessment costs. The overall process includes 3 major stages (as usual): security assessment planning, security assessment execution, and post-testing activities (mitigation recommendations, reporting, and remediation).
The "how-to-do" part is divided into 3 groups of techniques: review techniques (documentation, log, ruleset and system configuration review, network sniffing, file integrity checking), target identification and analysis techniques (network discovery, port and service identification, vulnerability scanning, wireless scanning), and target vulnerability validation techniques (password cracking, penetration testing, social engineering). The guide also points out that tests (which interact with the target) carry more operational risk than examinations (which review artifacts), which matters when you pick techniques for a production pipeline.
Short summary
Actually, you may not need to read the whole document, because each section ends with a short summary. It makes sense to look at those summaries and compare them with your own practice.
Conclusion
As a result, please do not treat this document as a guide for experienced pentesters or a red team. It is designed to help your product team understand what the security validation process is and why it is beneficial and necessary. The most important takeaway is a structured process with practical examples describing how you can adopt security validation while keeping in mind an already established development pipeline.
Stay on the light side. R.Z.