CSSLP Tutorial: Module 05,Part 01 – Quality Assurance

Quality Assurance

Now when we go into part 5, we go into areas of secure software testing. This section for module 5 isn’t terribly huge but there are lots of important aspects. So, the first thing to look at is Quality Assurance (QA) in terms of what they can accomplish, and testing artifacts, with all the aspects that play into the testing processes. Next is looking at the impact of the tests and then the corrective actions that should be taken.

This section specifically is about Quality Assurance (QA).  There are five elements that we’ll focus on in this section.  QA is likely test qualities such as reliability, recover-ability, resiliency, inoperability, and last protection of privacy.   These are the elements which QA involve themselves with dealing with secure software testing. This section will go into a description of each of the five elements, starting with reliability.

 

Reliability is where the focus is on the software of the system and its functionality. The developer usually has some sort of description and so then the check on the system is whether or not the system matches this description or not.  Basically, does the system do what it’s supposed to do? That’s all about the reliability of the design.

Second, is recoverability. Can the software do a restore of itself after a period of downtime. So, if there is some kind of error, can it restore itself?  Can the system do this without compromising the data and avoiding breaking the security policy? Regardless of the reason for the downtime, can we get the software back up and running.

Third, is resiliency.  This is where we are testing the system if it can withstand an attack.  For example, is it going to be able to overcome code injection attacks by having the buffer overflow potentials.  When testing with security scanning or pen testing, basically that is testing for resiliency.

Interoperability is the fourth quality that QA checks on as part of their assessment of the system.   This is whether or not the software can operate in the threat environment.  In other words, some of the vendors, elements and components will meet a certain standard while others won’t.  This question is about the compatibility of the system or software with other components out in the workforce environment.

Last, is over protection of privacy.  This is when we think about the personally identifiable information, personal healthcare information and personal financial information, as to whether or not they are properly protected.  It is incumbent upon the developers to make sure that the information is appropriately protected.