Security Basics mailing list archives

Getting the message to Testers


From: James McGee <James.McGee () InfoSec me uk>
Date: Mon, 3 Mar 2003 22:20:55 GMT

Hi

I have been asked to give a bit of a security speech to a team of
User Acceptance Testers at a meeting next month.

Their background is primarily testing W32 and AS400 applications, but
we are now going to be developing all new applications in a web based
format, with the potential to roll them out over the web.  (hence the
above request from the testing manager)

I am responsible for Firewall/IDS/Server security so I am reasonably
confident that area is OK.  However, as each new application is going
to really do something completely different from another previous
application, I need a generic set of items which these guys should be
testing for.

Things I have on my list so far:
Explain what Information Security is trying to achieve and why, i.e.
CIA, PAIN, etc.
What physical and technology controls are in place, i.e. Firewalls,
IDS, Tripwire etc.

We have lots of rules in place for application development, but I
still get stuck when I have to say what sort of security related
things they should be testing for, but I think something along the
lines of

    No privilege escalation
    Role-based access control mechanisms
    Password complexity rules
    Passwords can't be used again

Does anyone have any experience of this type of request?  And if so
have you any additional pointers that you'd like to share?  If not,
can anyone help me out with stuff I am missing?

With thanks in advance


James McGee
CISSP
Information Security Consultant
Infosec LTD
Tel: +44 (0)7092 014 046
Fax: +44 (0)7092 014 046
email james () infosec me .uk
www.infosec.me.uk
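Three of the four checklist items above (password complexity, no password reuse, no privilege escalation through role assignment) can be turned into concrete acceptance tests. The following is an added example written for this archive page; it is not code from James McGee's post or from Infosec LTD, and the constants (`MIN_LENGTH`, `HISTORY_DEPTH`, the `ROLE_RANK` table) and the `Account` model are constructed assumptions. It models the expected behaviour so a tester has a reference to compare the application under test against: which passwords must be rejected and why, which reuse must be refused, and which role grants must be denied.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed policy values for the example; a real project takes these from its own standard.
MIN_LENGTH = 10       # minimum password length
HISTORY_DEPTH = 5     # how many previous password hashes are kept to block reuse
PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


def check_complexity(password: str) -> List[str]:
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Constructed user model: a role plus a bounded history of (salt, hash) pairs, newest last."""
    username: str
    role: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def set_password(self, new_password: str) -> Tuple[bool, List[str]]:
        """Apply complexity rules, then refuse any password still present in the history."""
        problems = check_complexity(new_password)
        if problems:
            return False, problems
        for salt, digest in self.history:
            # Compare in constant time against each retained hash.
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return False, ["password was used recently"]
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        # Keep only the newest HISTORY_DEPTH entries.
        del self.history[:-HISTORY_DEPTH]
        return True, []

    def verify(self, password: str) -> bool:
        """Check a login attempt against the current (newest) password hash."""
        if not self.history:
            return False
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)


# Assumed role ordering for the escalation check.
ROLE_RANK = {"reader": 1, "tester": 2, "admin": 3}


def can_assign_role(actor: Account, target_role: str) -> bool:
    """Privilege-escalation rule: nobody may grant a role ranked above their own."""
    return ROLE_RANK.get(target_role, 99) <= ROLE_RANK.get(actor.role, 0)


if __name__ == "__main__":
    acct = Account("uat1", "tester")
    print(acct.set_password("Initial-Pass-01"))   # accepted
    print(acct.set_password("Initial-Pass-01"))   # refused: reuse
    print(acct.set_password("short"))             # refused: complexity
    print(can_assign_role(acct, "admin"))         # False: escalation denied
```

A tester would run each case (weak password, reused password, role grant above the actor's own) against the real application and expect the same accept/reject outcome; any difference is a finding for the developers.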


