Hi, I have been asked to give a bit of a security speech to a team of User Acceptance Testers at a meeting next month.

Their background is primarily testing W32 and AS400 applications, but we are now going to be developing all new applications in a web-based format, with the potential to roll them out over the web (hence the above request from the testing manager). I am responsible for firewall/IDS/server security, so I am reasonably confident that area is OK. However, as each new application is going to really do something completely different from any previous application, I need a generic set of items which these guys should be testing for.

Things I have on my list so far:

- Explain what Information Security is trying to achieve and why, i.e. CIA, PAIN, etc.
- What physical and technology controls are in place, i.e. firewalls, IDS, Tripwire, etc.

We have lots of rules in place for application development, but I still get stuck when I have to say what sort of security-related things they should be testing for. I think something along the lines of:

- No privilege escalation
- Role-based access control mechanisms
- Password complexity rules
- Passwords can't be used again

Does anyone have any experience of this type of request? And if so, have you any additional pointers that you'd like to share? If not, can anyone help me out with stuff I am missing?

With thanks in advance,

James McGee CISSP
Information Security Consultant
Infosec LTD
Tel: +44 (0)7092 014 046
Fax: +44 (0)7092 014 046
email [EMAIL PROTECTED] .uk
www.infosec.me.uk
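The four items at the end of the post (no privilege escalation, role-based access control, password complexity, no password reuse) are the ones a UAT team can turn into repeatable pass/fail checks. The following Python module is an added example written for this page, not code from the original post or from Infosec LTD. Everything in it is assumed for illustration: the routes, the roles, the policy numbers, and a stand-in `app_under_test` function that plays the web application and deliberately contains one authorisation flaw so the enumeration check has something to find.

```python
"""Acceptance-test helpers for the checks listed in the post (added example).

Assumptions (not from the post): the routes, roles, policy values and the
stand-in application below are all constructed for illustration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple

# ---- Password complexity and reuse -----------------------------------------
MIN_LENGTH = 12            # assumed policy values
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000    # low for a demo; raise in a real deployment


def complexity_violations(password: str) -> List[str]:
    """Return every complexity rule the candidate breaks (empty list = OK)."""
    rules = [
        (len(password) >= MIN_LENGTH, f"fewer than {MIN_LENGTH} characters"),
        (re.search(r"[a-z]", password), "no lowercase letter"),
        (re.search(r"[A-Z]", password), "no uppercase letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no symbol"),
    ]
    return [msg for ok, msg in rules if not ok]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    role: str
    history: list = field(default_factory=list)  # [(salt, digest)], newest last


def set_password(acct: Account, new: str) -> Optional[str]:
    """Apply the policy; return a rejection reason, or None if accepted."""
    problems = complexity_violations(new)
    if problems:
        return "complexity: " + ", ".join(problems)
    # Reuse check: re-derive the hash with each stored salt, so the history
    # never has to hold old passwords in clear.
    for salt, digest in acct.history:
        if hmac.compare_digest(_hash(new, salt), digest):
            return f"reuse: matches one of the last {HISTORY_DEPTH} passwords"
    salt = os.urandom(16)
    acct.history.append((salt, _hash(new, salt)))
    del acct.history[:-HISTORY_DEPTH]   # keep only the newest N entries
    return None


# ---- Role-based access and privilege escalation -----------------------------
ROLES = ["anonymous", "user", "auditor", "admin"]
# The expected authorisation matrix, as it would come from the design document.
EXPECTED: Dict[str, set] = {
    "/reports":        {"user", "auditor", "admin"},
    "/reports/export": {"auditor", "admin"},
    "/admin/users":    {"admin"},
}


def app_under_test(role: str, path: str, params: dict) -> bool:
    """Stand-in for the web application; True means access was granted.

    Constructed flaw: /admin/users trusts a client-supplied 'role' parameter
    instead of the session role, so anyone can escalate by adding role=admin.
    """
    effective = params.get("role", role) if path == "/admin/users" else role
    return effective in EXPECTED.get(path, set())


def escalation_findings(app=app_under_test) -> List[Tuple[str, str, dict]]:
    """Try every role against every route, once clean and once with a tampered
    role=admin parameter, and report each grant the matrix does not permit."""
    findings = []
    for role, path, params in product(ROLES, EXPECTED, [{}, {"role": "admin"}]):
        if app(role, path, params) and role not in EXPECTED[path]:
            findings.append((role, path, params))
    return findings


if __name__ == "__main__":
    acct = Account("jmcgee", "user")
    print(set_password(acct, "weak"))               # rejected: complexity
    print(set_password(acct, "Correct-Horse-42"))   # None: accepted
    print(set_password(acct, "Correct-Horse-42"))   # rejected: reuse
    for finding in escalation_findings():
        print("ESCALATION:", finding)
```

The point of `escalation_findings` is the test pattern rather than the toy application: a tester enumerates the whole role-by-route matrix, including the negative cases, instead of only confirming that each role can reach its own pages. Adding the tampered parameter to every request is what turns a functional test into a privilege-escalation test. The password helpers show the two checks the post names in a form testers can exercise directly: a rejection reason comes back for each broken rule, and reuse is detected against salted hashes without storing old passwords.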