Penetration Testing as part of Certification
- A test environment must be built and then tested both with a dynamic analysis (DAST) tool and by security testers performing a penetration test against the running system
- The test results must be made available to operators who want to deploy the system into their own environments, so that they can satisfy their own security teams that the system has been dynamically tested (which findings were raised, their severity, and how each was dispositioned)
- Chevron lists this as a requirement
- Petronas lists this as a requirement
- ConocoPhillips lists this as a requirement
Definition of Done
- A test environment has been built and then subjected to security tests (dynamic analysis and penetration testing)
- Every security finding from the test has been triaged, with exactly one recorded disposition:
  - added to the backlog for future remediation (tracked against a work item), or
  - accepted and documented (i.e., not fixed, with the justification and the approver recorded)
- An untriaged finding, or a finding that fails the agreed severity threshold, can block the release
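One way to enforce this Definition of Done as a release gate, added here as an illustration and not code from the original page or from any of the listed operators: the script consumes an exported findings list, checks that each finding carries a complete triage disposition (backlog with a ticket, or accepted with justification and approver), and refuses the release for anything untriaged or deferred above a severity threshold. The findings schema, the severity scale and the `block_at` threshold are assumptions, not any particular DAST tool's format; the sample findings are constructed.

```python
"""Release gate over triaged security-test findings (added example, hypothetical schema)."""
import json

# Constructed sample export. The schema (id/title/severity/triage) is an
# assumption for this example, not the output format of any specific tool.
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "title": "Reflected XSS in search", "severity": "high",
     "triage": {"status": "backlog", "ticket": "SEC-101"}},
    {"id": "F-2", "title": "Missing HSTS header", "severity": "low",
     "triage": {"status": "accepted",
                "justification": "TLS is terminated at the gateway, which sets HSTS",
                "approver": "security-team"}},
    {"id": "F-3", "title": "SQL injection in report filter", "severity": "critical",
     "triage": {"status": "backlog", "ticket": "SEC-102"}},
    {"id": "F-4", "title": "Verbose server banner", "severity": "info",
     "triage": None},
])

# Assumed severity scale; higher rank is worse.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_finding(finding, block_at="critical"):
    """Return (passes, reason) for one finding.

    A finding passes only if it has a complete triage record and, when deferred
    to the backlog, sits below the blocking severity threshold. Accepted risk is
    allowed at any severity provided the justification and approver are recorded.
    """
    fid = finding.get("id", "<no id>")
    sev = str(finding.get("severity", "")).lower()
    if sev not in SEVERITY_RANK:
        return False, f"{fid}: unknown severity {sev!r}"
    triage = finding.get("triage") or {}
    status = triage.get("status")
    if status == "accepted":
        if not triage.get("justification") or not triage.get("approver"):
            return False, f"{fid}: accepted without justification or approver"
        return True, f"{fid}: risk accepted by {triage['approver']}"
    if status == "backlog":
        if not triage.get("ticket"):
            return False, f"{fid}: deferred to backlog without a tracking ticket"
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[block_at]:
            return False, f"{fid}: {sev} finding may not be deferred; fix before release"
        return True, f"{fid}: deferred to backlog as {triage['ticket']}"
    return False, f"{fid}: untriaged"


def gate(findings_json, block_at="critical"):
    """Evaluate a findings export and return the release decision with reasons."""
    findings = json.loads(findings_json)
    results = [evaluate_finding(f, block_at) for f in findings]
    blockers = [reason for ok, reason in results if not ok]
    return {
        "checked": len(findings),
        "blockers": blockers,
        "release_allowed": not blockers,
    }


if __name__ == "__main__":
    decision = gate(SAMPLE_FINDINGS)
    print("release allowed:", decision["release_allowed"])
    for reason in decision["blockers"]:
        print("BLOCK:", reason)
```

Run against the sample, the gate refuses the release for two reasons: the critical SQL injection was deferred rather than fixed, and the banner finding was never triaged; the high-severity XSS with a ticket and the documented acceptance pass. Lowering `block_at` tightens the policy so that even high-severity items cannot be deferred; the threshold should be whatever the operators' security teams have agreed to, and the gate's output is exactly the triage record the operators need to see.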