Control 8.29 : Security Testing in Development and Acceptance
Summary
Security testing activities should be defined and implemented in the development life cycle. This involves verifying that the security controls function as intended and that the application is resilient against common attack vectors before it is moved to production.
Applicability
In-Scope: Mandatory for ensuring that software changes do not introduce new security risks. It bridges the gap between development and operational security.
Out-of-Scope: Only applicable if the organization performs zero software development or system customization.
Implementation Guidance
Microsoft 365 / Entra ID
- Dynamic Analysis (DAST): Utilize Azure-integrated web vulnerability scanners to test running applications for flaws that are only visible during execution.
- Acceptance Criteria: Define security gates in Azure DevOps that prevent a release from moving to the production environment if it fails specific security tests.
- User Acceptance Testing (UAT): Ensure that UAT includes specific test cases for security functions, such as verifying that MFA is enforced and that unauthorized access is correctly blocked.
Evidence Checklist
- Testing Plan: A document outlining the types of security tests (Unit, Integration, Penetration) required for different classes of software.
- Test Result Records: Evidence of completed security tests and the subsequent sign-off by the security team.
- Penetration Test Reports: If applicable, reports from third-party security testers for high-risk, public-facing applications.
Practical Audit Advice
Here are some questions the auditor might ask:
- What is the process for ensuring that security tests are performed in an environment that is a realistic reflection of the production environment?
- How are failed security tests handled, and who has the authority to bypass a security gate for an urgent business release?
- Can you demonstrate that specific security test cases (e.g., testing the login bypass) were executed for your most recent software update?
- How do you ensure that the data used during security testing does not include actual sensitive production PII?