Wednesday, January 25, 2017

Security Testing | Security 4 No0bs - Getting started by using a WBS

Applying Project Management fundamentals to Quality Assurance, as it relates to Web Application Security Testing (pt. 1)


Hey all,

This year, my focus is to ramp up my Info Sec. / Web App Security learning, and I stumbled upon this gem from last year. Figured I could re-purpose it for Security Testing. The scope of this "part 1" is to take the approach of someone assigned to a project and applying old-school practices to get started.

Some of this may work, some of it may not. But the foundation is laid out and it goes something like this:
 

1.0 - Objective

    1.1 - Define testing agenda and purpose of document as it relates to Security
        1.1.1 - Get Project Summary
        1.1.2 - Get S.O.W.

2.0 - Testing Scope

    2.1 - Establish what is to be tested
        2.1.1 - Get Testing Requirements from PO / Project Lead / Devs
        2.1.2 - Get Testing Bounds (what won't be tested / out of scope)

    2.2 - Determine level of effort for test tasks
        2.2.1 - Test Types and Duration
        2.2.2 - Test Task Dependencies & Schedule (when to start a new cycle)

3.0 - Personnel

    3.1 - Who are the Client and Stakeholders involved
        3.1.1 - Get names from PO / Project Lead / Devs

    3.2 - Who are the other members on the team (PO / Devs / BA / QA / etc.)
        3.2.1 - Have Kick-off Meeting
        3.2.2 - Get Names, Roles & Responsibilities

4.0 - Security Software & Test Strategy

    4.1 - What Software will be used
        4.1.1 - Meet w. PM / Devs / QA
        4.1.2 - Discuss best applications / programs to use
        4.1.3 - Discuss testing strategy (best approach) as it relates to OWASP Top-10

5.0 - Risk

    5.1 - Establish risk matrix from features-in-test
        5.1.1 - Meet with PM / BA / Devs
        5.1.2 - Get Risk Analysis from BRD

6.0 - Entrance / Exit Criteria

    6.1 - Determine when testing is to begin
        6.1.1 - Meet with PM / Devs / QA Team
        6.1.2 - Get Release schedules / Test Cycle schedules

7.0 - Completion Criteria

    7.1 - Determine when testing is complete
        7.1.1 - Establish sweep-completion ETA

8.0 - Glossary

    8.1 - Write up all terms, acronyms, and defined language in use
        8.1.1 - Draft list of terms and definitions (including CTAs, navigation end-points)

9.0 - Approval

    9.1 - Sign-off by all parties involved

Sunday, January 1, 2017

01.01.2017 Growth! and the changes I want

Act of contrition, take 1


Forgive me, blogger, for I have sinned. It has been too long since my last post. Here's what went down:

2016 can best be described as "episodic" - since it started bad, ended great, and was marked along the way by lessons learned and awakenings.

Q1 - Winter of discontent

Let me start off by saying that vanity got the better of me in 2016. I let myself get caught up in the fight to make things happen and get sh@#$% done; enamored with the need to feel validated by having a title and proper pay. I took a job that gave me just that, proper title and decent pay with the opportunity to make things happen and grow a team with the knowledge and skills I had acquired so far. A win, right?

No. Not even in the slightest.

You see, I took a job that had the promise of everything I was looking for. However, this became a "be careful what you wish for" moment. In my vanity - loving the title of "Manager" - I failed to read the fine print. I failed to see the bigger picture. I failed to do the very job I was hired to do. How, you ask?

Well, the environment I worked in was quaint. The people I worked with were friendly albeit somewhat distant. But the product I worked on bored me. Testing the same thing over and over became routine and monotonous. I fell out of love with this thing I was supposed to be responsible for. I stopped caring about the very thing QA Managers are supposed to care about. (Confession: I was a bad tester, not bad at testing, but unmotivated to be better)

I embraced the quality thereof, but I wasn't sold on its appeal. Worse, I didn't care anymore. As time went on, I began to feel more isolated and alone. I was frustrated and lonely, and craved change. I wanted camaraderie but found none. I wanted to learn new things, but was getting tasked with menial assignments. And this eventually reared its ugly head in my work performance, which greatly suffered. The consequence: termination. The feeling: elation!

Q2 - The turn-around

January and February of 2016 and I found myself unemployed, but somehow relieved. The weight of a burdensome job was lifted. Luckily, I had saved just enough to cover several months of expenses, with my unemployment pittance covering the rest. Dear reader, being without work feels great at the beginning - the honeymoon - but over time, the reality sinks in, the bills pile up, and desperation sets in. It can be a total mind-f**k if you let it.

Being without work can also be a great time for soul-searching and opportunity. I took the approach of using the time to learn new skills and gain new experiences. I practiced some much needed automation programming, I networked at meet-ups, and I kept an upbeat attitude. I used this time to make things happen and get sh**t done, per my new year's resolution mantra. And that I did.

As it would happen, March was a total bust. In my vigor to make things happen, I came down with a slight case of pneumonia which side-lined me for the entire month. No going out, no computer work, no blogging (sorry!), and no working out. It was a 30-day moratorium on life. Then along came April (the month, not a girl!)

Q3 - The re-awakening


Easter comes in at the end of March, and usually symbolizes rebirth and renewal. By April, this was my rebirth. I came out of my malady with a renewed confidence and strength. I resumed my daily activities of working out, job hunting, soul-searching, and getting back on track. Should have blogged, but got caught up with other things of more importance (again, sorry!).

April began with a tremendous job opportunity (current place of employment). Where I'm currently at is a start-up, like all my other places of employment, and presented itself as a small company with a project for a prestigious client. To say I was blessed to be hired and tasked with this project is an understatement. I work for an awesome boss, surrounded by amazing people, and work on a project I absolutely own. I'm at a place that really cares for your overall personal and professional growth. They invest time and energy into making sure you 'bloom where you are planted'. Do I need a title? Nah! Is the pay adequate? Better than adequate, as I'm making more than at my former employment, with much, much better perks.

Fun fact: I had interviewed at the parent company some years back and turned it down for economic reasons (the position was contract). How fortunes have changed in my favor.

Q4 - Spiritual rebirth, renewed vigor

So here I am, dear reader, having a tremendous career rebirth. Some time ago I considered quitting QA Testing altogether and was contemplating web design. But I am at a job I truly embrace. I enjoy going to work. I welcome the opportunities it presents. And I have something to look forward to now in 2017, for you see, I am now part of a committee that is exploring ways to incorporate WEB APPLICATION SECURITY TESTING into its core competencies (shivers with excitement!)

A year ago, I was on the outs. 365 days and some odd hours later, I have optimism like never before. And it's only the beginning - day 1.

2017 - GROWTH! and the changes I want

2017 is looking to be a promising year. I endeavor to keep them coming. For you see, the mantra for this year is growth. Spiritual, Financial, Physical, and Professional. In the months to come, I plan to build on my skills and level-up. That means hitting the Security track hard (not just talking the talk, but finally taking action).

2017 -- GROWTH!!!