· Test cases for different roles will be written to test the tool's security at both the application and system levels. These test cases will cover the permissions granted to each role within the application.
· The security testing includes the following two methods:
1) Running white-box security testing tools: FXCop, App Assurance, SQLCop
2) Running black-box security testing, identifying vulnerabilities in areas such as:
- Authentication
- Authorization
- Forceful browsing
- Bypassing client-side validation
- Hidden field tampering
- File upload
- SQL injection
- Cross-site scripting
- XPath/XML data injection
- Error/exception handling
- Auditing and logging
· Add test cases to address the scenarios found in the ACE security bugs from the 1.2 release. Look for similar scenarios in the new 1.3 code base only (not the entire code base).