Security Testing Standards · ST
Overview
This document provides guidance on best practices for security testing to ensure systems are secure and vulnerabilities are identified and mitigated effectively.
Security scans must be run on a regular basis · ST-01 · MUST · TEST
Security scans must be run on a regular basis (e.g. weekly) to identify vulnerabilities in the system. These scans should include:
- Baseline Scans: Scans performed without authentication to identify publicly exposed vulnerabilities.
- Authenticated Scans: Scans performed with valid credentials to identify vulnerabilities within the authenticated areas of the system.
A vulnerability management process must be documented and followed · ST-02 · MUST · TEST
A vulnerability management process must be documented and followed to ensure vulnerabilities are tracked, prioritized, and resolved. This process should include:
- Identification: Regular scans and manual reviews to identify vulnerabilities, including how findings are raised as bugs.
- Assessment: Prioritization of vulnerabilities based on severity and impact.
- Remediation: Timely resolution of identified vulnerabilities.
For more details, refer to the Vulnerability Management Process.
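The following is an added example, not part of this standard or its referenced process: it takes the findings of one baseline (unauthenticated) scan and one authenticated scan, as ST-01 describes, and walks them through the identification, assessment and remediation steps of ST-02. The scanner rule ids, locations and the SLA_DAYS remediation targets are constructed assumptions; the ordering rule (severity first, then external exposure) is the point it demonstrates.

```python
"""Added example (not part of this standard): triage of findings from a baseline
(unauthenticated) and an authenticated scan, as the ST-01/ST-02 process describes.
Scanner rule ids, locations and the SLA_DAYS targets are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
# Assumed remediation targets (days after discovery) per severity; None = no SLA.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "info": None}


@dataclass(frozen=True)
class Finding:
    rule_id: str    # scanner rule identifier (constructed values below)
    location: str   # path where the issue was observed
    severity: str   # one of SEVERITY_RANK
    scan: str       # "baseline" (unauthenticated) or "authenticated"


def dedupe(findings):
    """Merge a finding seen by both scans into one record.

    When the same issue is reachable without credentials, keep the baseline
    record: an unauthenticated hit means the issue is exposed to anyone."""
    merged = {}
    for f in findings:
        key = (f.rule_id, f.location)
        if key not in merged or (f.scan == "baseline" and merged[key].scan != "baseline"):
            merged[key] = f
    return list(merged.values())


def prioritize(findings):
    """Order by severity, then external exposure, then location for stable output."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK[f.severity], 0 if f.scan == "baseline" else 1, f.location),
    )


def to_tickets(findings, found_on):
    """Turn raw scan output into an ordered remediation list with due dates."""
    tickets = []
    for f in prioritize(dedupe(findings)):
        days = SLA_DAYS[f.severity]
        tickets.append({
            "rule_id": f.rule_id,
            "location": f.location,
            "severity": f.severity,
            "exposure": "external" if f.scan == "baseline" else "authenticated",
            "due": found_on + timedelta(days=days) if days is not None else None,
        })
    return tickets


# Constructed sample output of one weekly scan pair.
SAMPLE_FINDINGS = [
    Finding("XSS-REFLECTED", "/search", "high", "baseline"),
    Finding("XSS-REFLECTED", "/search", "high", "authenticated"),  # same issue, second scan
    Finding("IDOR", "/api/orders/{id}", "high", "authenticated"),
    Finding("MISSING-HSTS", "/", "low", "baseline"),
    Finding("SQLI", "/admin/report", "critical", "authenticated"),
    Finding("SERVER-BANNER", "/", "info", "baseline"),
]

if __name__ == "__main__":
    for t in to_tickets(SAMPLE_FINDINGS, date(2024, 1, 1)):
        print(f"{t['severity']:<8} {t['exposure']:<13} {t['rule_id']:<14} "
              f"{t['location']:<20} due {t['due']}")
```

The same issue reported by both scans becomes one ticket, and the baseline record wins because it proves the issue is reachable without credentials; among findings of equal severity, the externally exposed one is scheduled first. The due date is how the "timely resolution" step of ST-02 becomes something a tracker can report on.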
Authorization tests must be included in automated tests · ST-03 · MUST · TEST
Authorization tests must be included in automated tests to ensure that users can only access resources they are authorized to access. Examples of such tests include:
- Verifying that users with specific roles cannot access restricted endpoints or web pages.
- Ensuring that a user without an admin role cannot perform administrative actions.
- Confirming that sensitive data is not exposed to users without proper permissions.
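As an added example of the three kinds of test listed above (not code from this standard), the block below stands a small in-memory application in for the system under test and runs authorization checks against it. The users, roles, routes and the "email is sensitive" rule are constructed assumptions; what carries over to a real suite is the shape of the tests: assert the explicit denial, cover the positive case so the test cannot pass by the route being broken, and check object-level data exposure separately from route-level access.

```python
"""Added example (not part of this standard): automated authorization tests
run against a small in-memory application that stands in for the system
under test. Users, roles and routes are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    email: str  # treated as sensitive: shown only to the owner or an admin


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# Constructed user directory.
USERS = {
    "alice": User("alice", frozenset({"admin"}), "alice@example.test"),
    "bob":   User("bob",   frozenset({"user"}),  "bob@example.test"),
    "carol": User("carol", frozenset({"user"}),  "carol@example.test"),
}

# Route-level policy: roles allowed to call each route. Unlisted routes return 404.
ROUTE_POLICY = {
    "GET /profile":             {"user", "admin"},
    "GET /admin/users":         {"admin"},
    "POST /admin/users/delete": {"admin"},
}


def _profile(caller, target):
    subject = USERS.get(target)
    if subject is None:
        return Response(404)
    body = {"name": subject.name}
    # Object-level check on top of the route check: sensitive field only for owner/admin.
    if caller.name == subject.name or "admin" in caller.roles:
        body["email"] = subject.email
    return Response(200, body)


def _list_users(caller, target):
    return Response(200, {"users": sorted(USERS)})


def _delete_user(caller, target):
    if target not in USERS:
        return Response(404)
    return Response(200, {"deleted": target})  # stub: no mutation, so tests stay independent


HANDLERS = {"GET /profile": _profile, "GET /admin/users": _list_users,
            "POST /admin/users/delete": _delete_user}


def request(method, path, as_user=None, target=None):
    """Simulate one HTTP request; as_user is the authenticated caller, None = anonymous."""
    route = f"{method} {path}"
    if route not in ROUTE_POLICY:
        return Response(404)
    if as_user is None:
        return Response(401)
    if not USERS[as_user].roles & ROUTE_POLICY[route]:
        return Response(403)  # deny before any handler logic runs
    return HANDLERS[route](USERS[as_user], target)


# --- authorization tests: each returns True when the control holds ---

def test_anonymous_requests_are_rejected():
    return all(request(m, p).status == 401 for m, p in
               [("GET", "/profile"), ("GET", "/admin/users"), ("POST", "/admin/users/delete")])


def test_non_admin_cannot_use_admin_routes():
    # Assert the explicit denial (403), not merely the absence of a 200.
    return (request("GET", "/admin/users", as_user="bob").status == 403
            and request("POST", "/admin/users/delete", as_user="bob", target="carol").status == 403)


def test_admin_can_use_admin_routes():
    # Positive case: without it, a broken route would make the denial tests pass vacuously.
    return (request("GET", "/admin/users", as_user="alice").status == 200
            and request("POST", "/admin/users/delete", as_user="alice", target="bob").status == 200)


def test_sensitive_field_hidden_from_other_users():
    r = request("GET", "/profile", as_user="bob", target="carol")
    return r.status == 200 and "email" not in r.body


def test_owner_and_admin_see_sensitive_field():
    own = request("GET", "/profile", as_user="carol", target="carol").body.get("email")
    adm = request("GET", "/profile", as_user="alice", target="carol").body.get("email")
    return own == "carol@example.test" and adm == "carol@example.test"


def test_every_admin_route_requires_admin():
    # Catches a new /admin route registered with a permissive policy.
    return all(roles == {"admin"} for route, roles in ROUTE_POLICY.items() if "/admin/" in route)


def run_all():
    tests = [test_anonymous_requests_are_rejected, test_non_admin_cannot_use_admin_routes,
             test_admin_can_use_admin_routes, test_sensitive_field_hidden_from_other_users,
             test_owner_and_admin_see_sensitive_field, test_every_admin_route_requires_admin]
    return {t.__name__: t() for t in tests}


if __name__ == "__main__":
    for name, ok in run_all().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

In a pytest or unittest suite the same checks would use assertions instead of returning booleans; the request helper would be replaced by a test client for the real application, with fixtures supplying one user per role. The last test is the one that pays off over time: it fails as soon as someone adds an administrative route whose policy admits a non-admin role.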