Security testing and validation
Security testing checks that data is protected in the right way for the capability’s intended functionality.
It is an important part of Secure by Design assurance, providing evidence that your capability remains within its defined risk appetite and that required security controls have been implemented.
Information on a variety of assurance disciplines is available from the NCSC, specifically on how to gain and maintain assurance.
JSP 440 Leaflet 5C mandates that security risks must be shown to be properly managed and within the defined risk appetite.
This must be demonstrated before MOD data is used, before capabilities go ‘live’, and throughout the lifecycle of the capability.
However, capabilities are encouraged to integrate security testing throughout development.
When testing, you should focus on verification and validation.
Verification makes sure security controls have been implemented and that they mitigate threats as intended.
Examples of verification testing include:
It is an important part of Secure by Design assurance, providing evidence that your capability remains within its defined risk appetite and that required security controls have been implemented.
Information on a variety of assurance disciplines is available from the NCSC, specifically on how to gain and maintain assurance.
JSP 440 Leaflet 5C mandates that security risks must be shown to be properly managed and within the defined risk appetite.
This must be demonstrated before MOD data is used, before capabilities go ‘live’, and throughout the lifecycle of the capability.
However, capabilities are encouraged to integrate security testing throughout development.
When testing, you should focus on verification and validation.
Verification makes sure security controls have been implemented and that they mitigate threats as intended.
Examples of verification testing include:
- factory acceptance testing
- user acceptance testing
- design reviews
Validation tests that a capability will withstand a real-world attacker, that there are no vulnerabilities in the capability that could have been mitigated at the design stage and gives evidence to the project team to enable them to rectify weaknesses in the design.
Examples of validation testing include:
Examples of validation testing include:
- conducting an IT Health Check (ITHC)
- penetration testing
- vulnerability assessments
Benefits
Benefits of security testing and validation:
- verifies your controls are implemented correctly
- forms a key part of assurance artefacts
- gives stakeholders confidence that technical vulnerabilities have been fixed
Outcomes
Outcomes of security testing and validation:
- test, verification and validation strategy
- test reports
Responsibility
Who is responsible for security testing and validation:
- delivery team lead
- delivery team
When to carry out security testing and validation
This should be carried out at the beginning of manufacture, but also integrated through-life.