SecurityQA OnDemand Testing

iSEC’s OnDemand SecurityQA program provides customers with consistent (automated) and targeted (manual) security testing during key parts of the software development lifecycle. Automated testing uses a layered approach, combining iSEC’s own SecQA Scanner (command line scanner), iSEC’s SecurityQA Toolbar (GUI BHO for IE6/IE7), and iSEC’s ProxyExtender (iSEC’s customized scripts on top of third party commercial scanners). Manual testing leverages iSEC’s security experts, who frequently present at major conferences such as Black Hat, RSA, and CanSecWest. The automated testing targets traditional attack classes across the application (wide/broad coverage, but not very deep), while the manual testing allows iSEC experts to focus on significant attacks that cannot be automated well (e.g. application logic involving bank transfers).

iSEC performs all testing remotely for each application, covering either the entire application or only new features. The SecurityQA testing process is coordinated on a product release basis, fitting into the development/QA process accordingly. The following application security classes are addressed during the automated and manual SecurityQA process:

iSEC’s SecurityQA Program involves a variety of testing cycles during an annual development period. For each cycle, the following services are completed:

  • QA Setup (once per application)
  • Security Testing
    • Automated testing
      • iSEC’s SecQA Scanner (command line scanner)
      • iSEC’s SecurityQA Toolbar (GUI BHO for IE6/IE7)
      • iSEC’s ProxyExtender (iSEC’s customized scripts on top of third party commercial scanners)
    • Manual testing
      • iSEC’s Security Experts
      • Vulnerability Filing/Documentation (if desired)
      • Retesting of Prior Identified Vulnerabilities

At the conclusion of each testing cycle, iSEC will file all vulnerabilities into the customer’s bug database and/or deliver a report with each security issue identified. Furthermore, at the end of the annual program, iSEC will deliver management reports on the progress of each application tested. Progress reporting will be based upon the security testing created during the initial project. The metrics used to measure the application are expected to include:

  1. Number of security vulnerabilities identified
  2. Percentage of security vulnerabilities closed by subsequent testing periods
  3. Percentage of security attack classes repeated during subsequent testing periods