Security and Access Control Testing



[Security and Access Control Testing focuses on two key areas of security:

· Application-level security, including access to the Data or Business Functions

· System-level Security, including logging into or remote access to the system.

Application-level security ensures that, based upon the desired security, actors are restricted to specific functions or use cases, or are limited in the data that is available to them. For example, everyone may be permitted to enter data and create new accounts, but only managers can delete them. If there is security at the data level, testing ensures that "user type one" can see all customer information, including financial data, whereas "user two" sees only the demographic data for the same client.

System-level security ensures that only those users granted access to the system are capable of accessing the applications and only through the appropriate gateways.]

 

Test Objective:
· Application-level Security: [Verify that an actor can access only those functions or data for which their user type is provided permissions.]
· System-level Security: [Verify that only those actors with access to the system and applications are permitted to access them.]

Technique:
· Application-level Security: [Identify and list each user type and the functions or data each type has permissions for.]
· [Create tests for each user type and verify each permission by creating transactions specific to each user type.]
· Modify user type and re-run tests for same users. In each case, verify those additional functions or data are correctly available or denied.
· System-level Access: [See Special Considerations below]

Completion Criteria: [For each known actor type the appropriate function or data are available, and all transactions function as expected and run in prior Application Function tests.]

Special Considerations: [Access to the system must be reviewed or discussed with the appropriate network or systems administrator. This testing may not be required as it may be a function of network or systems administration.]
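
The application-level technique above (list permissions per user type, test each one, then change the user type and re-run for the same user) can be driven from a permission matrix. The following is an added example, not part of the original template; the role names, function names and the ToyApp stand-in for the system under test are assumptions built from the manager / financial-data example earlier on this page.

```python
# Expected permission matrix: the "identify and list" step.
# Role and function names are assumptions for illustration.
EXPECTED = {
    "manager": {"enter_data", "create_account", "delete_account",
                "view_demographic", "view_financial"},
    "clerk": {"enter_data", "create_account", "view_demographic"},
}
FUNCTIONS = sorted(set().union(*EXPECTED.values()))


class ToyApp:
    """Constructed stand-in for the system under test."""

    def __init__(self, acl, ignore_role_change=False):
        self.acl = acl
        self.ignore_role_change = ignore_role_change
        self.roles = {}

    def set_role(self, user, role):
        if self.ignore_role_change and user in self.roles:
            return  # constructed defect: permissions stay stale after a change
        self.roles[user] = role

    def call(self, user, function):
        """Return True if the transaction is performed, False if denied."""
        return function in self.acl.get(self.roles.get(user), set())


def run_matrix(app, user, role):
    """Attempt every function, including those that must be denied."""
    failures = []
    for fn in FUNCTIONS:
        allowed = app.call(user, fn)
        if allowed != (fn in EXPECTED[role]):
            failures.append((role, fn, "allowed" if allowed else "denied"))
    return failures


def run_suite(app, user="tester"):
    """Test each user type in turn, switching the SAME user between types."""
    failures = []
    for role in EXPECTED:  # manager first, then downgrade to clerk
        app.set_role(user, role)
        failures += run_matrix(app, user, role)
    return failures


if __name__ == "__main__":
    print(run_suite(ToyApp(EXPECTED)))                           # correct app
    print(run_suite(ToyApp(EXPECTED, ignore_role_change=True)))  # stale roles
```

Each failure tuple records the user type, the function, and what the application actually did, so a denied function that was allowed is reported the same way as an allowed function that was denied.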


Date added: 2015-12-17
