application, compliance, security

Sample – Application Security Assurance Review

March 7, 2013

Goals

Provide application assurance that the solution or changes to the solution will be adequately safeguarded and will not present a security threat to the IT or business environments.

All built-in application, infrastructure, and information controls related to the confidentiality, integrity, and availability of IT assets and services have been verified to work correctly through application testing, covering both correct use of the controls (test cases and use cases) and attempted violation of the controls.

Process

High Level Control Objective

Control over release to production of new or changed systems, by focusing on security testing of applications and infrastructure solutions to assure they work without major security problems after installation.

All application bugs that may lead to subversion of security controls, as detectable by applicable testing tools and methods (including web vulnerability scanning and host environment configuration verification), have been remediated or acceptably mitigated.

Corporate compliance requires application teams to demonstrate adherence to policies, procedures and application best practices.

All remaining risk from known bugs and deficiencies has been accepted by the business owner and reviewed by Information Security prior to going into production.

Activities

Test changes independently in accordance with the defined test plan prior to migration to the operational environment. Ensure the test plan considers security.