How did you select this vendor?
Test Army is a strategic partner of our outsourced software development team. Evidently, they had performed careful vetting and interviewed many other companies. Test Army team members have seemingly every certification in the industry, including: OSCP, OSCE, ITIL Foundation CDP, CISPA, ISO 27001, CISM, PRINCE2 Practitioner CPD, GXPN, GSLC, CISSP, and CEH.
They follow these industry standards:
• ISO/IEC 29119 Systems and Software Engineering — Software Testing
• IEEE 1012 – Standards for verification and validation plans
• ISO 9000 – Standards for quality management
• ISTQB – International certification for software testing
• IEEE 1044.1-1995 – Guide to classification of software anomalies
Describe the project in detail.
Test Army conducted the following types of security tests on our portal application:
Static Analysis
Static code analysis is a method of finding potential quality issues in code before the program is run. It is done by analyzing a set of code against a set (or multiple sets) of coding rules. This type of analysis addresses weaknesses in source code that might lead to vulnerabilities.
Dynamic Analysis
Dynamic analysis is the testing and evaluation of a program in real time while it is running, to find errors including:
• Dependencies that are not possible to detect in static analysis, such as dynamic dependencies using reflection, dependency injection, and polymorphism
• Memory leaks
• Pointer arithmetic errors such as null pointers
• Time dependencies
Dynamic analysis deals with real input data, such as real input from web requests and user interactions, which static analysis does not address. By debugging a program in all the scenarios for which it is designed, dynamic analysis eliminates the need to artificially create situations likely to produce errors.
Component Analysis
Modern software is assembled using third-party and open source components, glued together in complex and unique ways, and integrated with original code to provide the desired functionality.
Third-party (including commercially licensed, proprietary, and "source available" software) along with open source components provide the necessary building blocks that allow organizations to deliver value, improve quality, reduce risk and time-to-market. The benefits of open source are many. However, by using open source components, organizations ultimately take responsibility for code they did not write. Strategic alliances between organizations and open source projects can lead to healthy open source usage and overall risk reduction.
Component Analysis is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components. Component Analysis is a function within an overall Cyber Supply Chain Risk Management (C-SCRM) framework. A software-only subset of Component Analysis with limited scope is commonly referred to as Software Composition Analysis (SCA). Any component that has the potential to adversely impact cyber supply-chain risk is a candidate for Component Analysis.
Manual Penetration Test
Manual penetration testing is performed by a certified expert engineer. Generally, testing engineers perform the following methods:
• Data Collection − Data collection plays a key role for testing. One can either collect data manually or use tool services (such as webpage source code analysis techniques, etc.) freely available online. These tools help to collect information like table names, DB versions, database, software, hardware, or even different third-party plugins, etc.
• Vulnerability Assessment − Once the data is collected, it helps the testers to identify the security weaknesses and take preventive steps accordingly.
• Actual Exploit − This is a typical method that an expert tester uses to launch an attack on a target system and, likewise, reduce the risk of attack.
• Report Preparation − Once the penetration is done, the tester prepares a final report that describes everything about the system. Finally, the report is analyzed to take corrective steps to protect the target system.
What was the team composition?
There was a single person who played the roles of Project Manager, Business Analyst, Test Designer, Test Engineer, and Documentation Specialist.