QA goal/metrics
In this stage of verification, the role of QA is to assess software security-related issues: code-level vulnerabilities, misconfigurations, logical errors that lead to critical security risks, and so on. The key security activities that OWASP SAMM defines for the verification phase are design review, implementation review, and security testing. Since software security verification is discussed in detail in later chapters, here we only highlight some of the key practices in this phase.
Design review
In practice, the security design review can be considered a form of low-level threat modeling. The following inputs are suggested during design review:
- Security compliance checklist
- Security requirement checklist (OWASP ASVS)
- Top 10 security design issues
- Security issues in the previous release
- Customer or marketing feedback on security issues
When we review a design for the top security issues, we may also refer to industry practices such as the OWASP Top 10 and the CWE/SANS Top 25 Most Dangerous Software...