How to measure and report on your security testing efforts


In software development and quality assurance, traceability and accountability matter. Quality assurance teams must be able to show that their initiatives are having a beneficial effect, and show it in a way that is simple to understand. Measuring and reporting this information, however, is often easier said than done. Below we look at how to measure and report on your security testing efforts.

Establishing solid measurements
With an expanding threat landscape, it can be difficult to know when your testing is enough to catch the attacks that matter. A comprehensive set of measurements gives QA teams a clearer picture of which areas are adequately protected and which need adjustment. Carnegie Mellon University researchers described the elements of a security measurement program that organizations can adopt, including goal-driven objectives, specific definitions of what security means for the product, and procedures for collecting, storing and analyzing the measurement data. Each of these elements yields a different view, and together they form a full picture of the security effort.

"The organization should assess the risk environment to address probable threats and translate these concerns into specific requirements addressing security as well as design and implement a development process that will ensure the 'building in' of such requirements," the Carnegie Mellon report stated. "After security-related requirements of the product are specified, measurement objectives may be formulated that will provide insight into achieving the security requirements."
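As an added illustration of the measurement program described above (this is example code written for this page, not material from the article, the Carnegie Mellon report or any SANS paper), the block below computes the figures a security-testing report would typically carry from a findings log. The requirement IDs, test IDs, finding records, severity labels and stage names are constructed sample data, and the field names are an assumed layout rather than any tool's schema. It reports which security requirements have a test behind them, open findings by severity, which testing stage surfaced each finding, mean days to remediate, and how long each open finding has aged. It also checks the log for inconsistent records before building the report, because a report built on inaccurate data misleads the people who act on it.

```python
"""Security-testing metrics computed from a findings log.

Added example for the article above; it is not code from the article, the
Carnegie Mellon report or any SANS paper. Requirement IDs, test IDs, finding
records, severities and stage names are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample: security requirements derived from the risk assessment,
# each mapped to the test cases that exercise it. An empty list means the
# requirement has no test behind it, so nothing can be reported for it.
REQUIREMENTS = {
    "SR-01": {"text": "Authenticate every API request", "tests": ["T-auth-01", "T-auth-02"]},
    "SR-02": {"text": "Encode output to block stored XSS", "tests": ["T-xss-01"]},
    "SR-03": {"text": "Log admin actions with actor and time", "tests": []},
    "SR-04": {"text": "Reject uploads larger than 10 MB", "tests": ["T-upload-01"]},
}


@dataclass(frozen=True)
class Finding:
    id: str
    requirement: str        # requirement the defect violates
    severity: str           # critical / high / medium / low
    stage: str              # testing stage that surfaced it: sast / dast / pentest
    opened: date
    closed: Optional[date]  # None while the defect is still open


# Constructed sample findings log and report date.
FINDINGS = [
    Finding("F-101", "SR-01", "critical", "dast", date(2024, 3, 4), date(2024, 3, 6)),
    Finding("F-102", "SR-02", "high", "sast", date(2024, 3, 5), date(2024, 3, 15)),
    Finding("F-103", "SR-02", "medium", "pentest", date(2024, 3, 20), None),
    Finding("F-104", "SR-04", "low", "dast", date(2024, 3, 10), date(2024, 3, 22)),
    Finding("F-105", "SR-01", "high", "pentest", date(2024, 3, 21), None),
]
REPORT_DATE = date(2024, 3, 31)


def validate(findings, requirements):
    """Return data-quality problems; a report built on bad records misleads."""
    problems = []
    for f in findings:
        if f.requirement not in requirements:
            problems.append(f"{f.id}: unknown requirement {f.requirement}")
        if f.closed is not None and f.closed < f.opened:
            problems.append(f"{f.id}: closed before opened")
    return problems


def requirement_coverage(requirements):
    """Share of security requirements with at least one test, plus the gaps."""
    untested = sorted(r for r, v in requirements.items() if not v["tests"])
    return 1 - len(untested) / len(requirements), untested


def open_by_severity(findings):
    return Counter(f.severity for f in findings if f.closed is None)


def findings_by_stage(findings):
    return Counter(f.stage for f in findings)


def mean_days_to_remediate(findings, severity=None):
    """Mean open-to-close time over closed findings, optionally for one severity."""
    days = [(f.closed - f.opened).days for f in findings
            if f.closed is not None and (severity is None or f.severity == severity)]
    return sum(days) / len(days) if days else None


def open_aging(findings, as_of):
    """Days each still-open finding has been open as of the report date."""
    return {f.id: (as_of - f.opened).days for f in findings if f.closed is None}


def build_report(findings, requirements, as_of):
    """Assemble the metrics a stakeholder report would carry; refuse bad data."""
    problems = validate(findings, requirements)
    if problems:
        raise ValueError("findings log fails validation: " + "; ".join(problems))
    coverage, untested = requirement_coverage(requirements)
    return {
        "as_of": as_of.isoformat(),
        "requirement_coverage": coverage,
        "untested_requirements": untested,
        "open_by_severity": dict(open_by_severity(findings)),
        "findings_by_stage": dict(findings_by_stage(findings)),
        "mean_days_to_remediate": mean_days_to_remediate(findings),
        "mean_days_to_remediate_high": mean_days_to_remediate(findings, "high"),
        "open_aging_days": open_aging(findings, as_of),
    }


if __name__ == "__main__":
    for key, value in build_report(FINDINGS, REQUIREMENTS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Run directly, it prints the report as of the constructed report date. The untested requirement (SR-03) is surfaced as a gap rather than silently counted as passing, and build_report raises on a record that fails validation instead of reporting on it, which is the check the next section's point about accurate data calls for.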

Creating the report
Many test management tools let QA teams generate and distribute reports showing which defects were found, how they were mitigated and other vital information. Testers must still make sure the presentation is easy for its readers to understand, which can mean adding supplemental material or writing the narrative by hand rather than relying on generated output alone. A white paper by the SANS Institute noted that tailoring the report in this way can take some time: the writer must consider the document's objectives, its audience and the information to include. Once these are settled, producing the first draft is much easier.

Testers must also ensure that they have accurate data for each stage of testing, as well as for the systems and tools used to execute it. If even one of these points is off, it can distort decision-making and the organization's understanding of its own security capabilities. Within the report, QA teams should also recommend alternatives for reducing the risks to critical assets, so stakeholders understand what they are up against and which solution best supports further development.
