What role does a security tester play outside of the validation phase?
The secure development lifecycle (SDL) documents the steps an engineering team takes to develop secure applications. Readers sometimes ask what role a tester plays outside of the validation phase, but you will be surprised at how active a role a tester plays in nearly every phase of the SDL.
There are numerous resources on the Internet for SDL guidance. My personal favorite comes from the makers of Windows: Microsoft Corporation has spent several years defining and refining their SDL, and they have made their experience public at http://www.microsoft.com/sdl (available for free download). The Microsoft SDL is applicable to non-Microsoft teams developing applications on non-Microsoft technologies, as an outgrowth of the company’s commitment to improving the trustworthiness of computing resources regardless of the vendor.
Another source of secure development methodology comes from the US government. The US Department of Homeland Security and the Software Engineering Institute (SEI) have published a great deal of documentation at the “Build Security In” website https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/sdlc/326-BSI.html. This site is not only for US government agencies; like Microsoft, DHS has opened their information and experience to a worldwide audience, in an effort to secure Web applications throughout the Internet.
Regardless of the SDL you select, each SDL has several distinct phases. Microsoft’s SDL breaks them into seven; some SDLs have five or six. For each phase, I will briefly describe the roles played by a tester.
- Training: In this phase, testers undergo security-related training, sometimes alongside their development counterparts and sometimes only with fellow testers. The goals of training are to improve awareness of the value of security and to provide skills for building more secure software. Without training, teams are doomed to make the same mistakes over and over. It’s important to note that a single training session per lifecycle is insufficient; every team needs passionate, security-minded individuals (like yourself, if you’re reading this article) who are dedicated to building better software.
- Requirements: In the requirements phase, testers participate to ensure requirements do not violate security or privacy principles. Testers are also on the lookout for missed requirements.
- Design: During the design phase, testers are actively involved in threat modeling and other processes aimed at building secure applications. A key role played by testers in this phase is providing consistent attack surface reduction feedback -- constantly asking what functionality is absolutely necessary and what could be removed (or simply not implemented).
- Implementation: During the implementation phase, testers are often involved in writing security test cases. In rapid or Agile organizations, testers may also be involved in acceptance testing, executing high-level test cases that ensure functionality meets stated use cases. These acceptance cases should include security requirements.
- Verification: It’s during the verification phase that the tester takes center stage. Security testing is performed against code-complete applications; implementation assumptions are validated and security vulnerabilities are sought.
- Release: In the release phase, testers play multiple roles. They are critical in validating that the application is appropriately configured and that it continues to function after servers have been hardened. Testers are also involved in ensuring regressions did not occur -- the fixes for security vulnerabilities discovered in the validation phase must be included in the code promoted to production servers.
- Response: During the response phase, testers are available to validate reported defects and to test fixes deemed appropriate enough to be put into production between major releases.
As you can see, testers are very much involved at all phases of the development lifecycle. In fact, this is the most interesting aspect of a career in software testing. A tester wears several hats and rarely has the same assignment one week after another.
This was first published in June 2011.