iSEC’s OnDemand SecurityQA program provides customers with consistent (automated) and targeted (manual) security testing during key parts of the software development lifecycle. Security testing uses iSEC’s SecurityQA Toolbar for automation and iSEC’s security experts for manual/targeted attacks.
iSEC performs all testing remotely for each application, which can include the entire application or simply new features. The SecurityQA testing process is coordinated on a product release basis, fitting into the development/QA process accordingly. The following application security classes are addressed during the automated and manual SecurityQA process:
iSEC’s SecurityQA Program involves a variety of testing cycles during an annual development period. For each cycle, the following services are completed:
- QA Setup (once per application)
- Security Testing
  - Automated testing using iSEC’s SecurityQA Toolbar
  - Manual testing using iSEC consultants
- Vulnerability Filing/Documentation (if desired)
- Retesting of Prior Identified Vulnerabilities
At the conclusion of each testing cycle, iSEC will file all vulnerabilities into the customer’s bug database and/or deliver a report describing each security issue identified. Furthermore, at the end of the annual program, iSEC will deliver management reports on the progress of each application tested. Progress reporting will be based upon the security testing baseline created during the initial project. The metrics used to measure each application are expected to include:
