Security Checklist For Software Testers?

There have been a lot of security breaches in the news recently; I guess there always are. The most recent ones are Ticketmaster and Adidas.

I read a blog a while ago about a web developer security checklist. It looks pretty cool! I was wondering if anyone had something like that for software testers? I’m thinking mind maps, checklists, any kind of list like this; we’ll call it the web testers’ security checklist :grinning:

There’s obviously the OWASP Top 10 but I’m thinking maybe something a bit less wordy.

3 Likes

Thank you to @danielbilling for this

Some food for thought from Emma

And some great mindmaps from @santhosh.tuppad too

1 Like

Hi Heather
I would still rely on the OWASP Top 10 because that is the first checklist. That list is formed after collecting knowledge from security experts all around the world and with real-world data. We should be testing those 10 things; however, for the understanding of testers, the text on the website can be simplified, and there are blogs for that. I had a thorough study of it and have tested the list before; it’s truly amazing!

Hi Prachi,

Could you add some of those blogs here? That would be really helpful :slight_smile:

One of the links is:

https://confengine.com/agiledc-2017/proposal/4761/how-to-test-for-the-new-owasp-top-10-vulnerabilities

It is very short and most practical!

1 Like

Hello,

Here is a presentation about Web Application Security Testing Essentials; I made it myself a while ago. Sorry for the presentation UI, I had to remove the branding :blush:
https://drive.google.com/file/d/1Mu2ttdPkkyBAzRcVDabUEbMzu4iKW1kQ/view?usp=sharing

I may post some security testing articles on my blog; I will add the links here once posted.

Thanks,
Mohamed

2 Likes

Also, I found this document, “A Security Checklist for Web Application Design”, which may be useful.
security-checklist-web-application-design-1389.pdf (346.0 KB)

1 Like

I wrote this up last year, following a Test Master’s Conference Workshop I attended regarding Information security, given by @danielbilling, and added my thoughts as it applies to the overall SDLC: