Security 12-minute Test Plans

Overview

Good software testing is about two things: depth and coverage. A shallow test never really gets into how users will actually use the system, and poor coverage means functionality goes untested.

The best way to get depth and coverage in testing is to have a plan. This is especially true about security testing. Without a plan, you end up wandering aimlessly.

In this activity, we will be creating 12-minute test plans. We will practice the art of sketching a quick security test plan in a very limited span of time. You will need to:

Activity

This activity is for groups of 4-6.

  1. Create a GoogleDoc called 12-minute Test Plans and share it with the instructor and everyone in your group.
  2. Make sure everyone in your group is logged in and has the GoogleDoc open. You will all be editing at the same time in this exercise.
  3. Create some empty space on the GoogleDoc so that everyone has a space to edit. (Let's not crash GoogleDoc's conflict resolution algorithm.)
  4. Notify your instructor that you're ready. This activity is synchronized across the whole class.
  5. Your instructor will give you the name of a popular software system that you will be writing a test plan for.
  6. For the next 12 minutes, you will be making a test plan. Here's how it breaks down:
    • (5 minutes) Individually, write descriptions of some security tests for the given system. This is freewriting.
      • This part is about getting your ideas down, not getting them right.
      • Volume and creativity are most important here.
    • (7 minutes) As a team, combine your test plans.
      • The format is entirely up to you, but try to make it as useful as you can for future testers who may not know much about security.
      • Try to group and combine similar tests ("similar" can mean by methodology, assets, functionality, or a myriad of other things; it's up to you).
  7. Discuss as a group:
    • How did we do? If the system passed these tests right now, how much more confident would we be in the security of the system?
    • How does this format work for a test plan? Is it readable? What else could be added or changed?
  8. Designate someone to briefly discuss your plan with the class.
  9. Get ready to do this again on a new system. We will continue to repeat this as time allows.

Submission & Grading

Submit the final document to the appropriate dropbox. All team members must submit and put their names on the document. You may need to make a Threat Model for the exam, so getting to know this process will be very helpful. We also recommend you ask your instructor for feedback on your model.