From 260fcf820f55f2843dc0d7bef979db75c930486f Mon Sep 17 00:00:00 2001 From: John Ellingsworth <4731674+johnellingsworth@users.noreply.github.com> Date: Sun, 24 Mar 2024 15:22:22 +0100 Subject: [PATCH] Fixing ampersand in 2 additional activities Issue https://github.com/owaspsamm/samm-suite/issues/49 --- model/activities/V-AA-3-B.yml | 2 +- model/activities/V-RT-3-A.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/model/activities/V-AA-3-B.yml b/model/activities/V-AA-3-B.yml index 28149ebd2721..6ae850888f2a 100644 --- a/model/activities/V-AA-3-B.yml +++ b/model/activities/V-AA-3-B.yml @@ -20,7 +20,7 @@ benefit: Continuous improvement of enterprise architecture based on architecture #A one sentence description of the activity shortDescription: Feed the architecture review results back into the enterprise architecture, - organization design principles & patterns, security solutions and reference architectures. + organization design principles and patterns, security solutions and reference architectures. #A multi-paragraph description of the activity longDescription: | diff --git a/model/activities/V-RT-3-A.yml b/model/activities/V-RT-3-A.yml index 19068886d861..553242917fa5 100644 --- a/model/activities/V-RT-3-A.yml +++ b/model/activities/V-RT-3-A.yml 
@@ -25,7 +25,7 @@ shortDescription: Perform regression testing (with security unit tests). longDescription: | Write and automate regression tests for all identified (and fixed) bugs to ensure that these become a test harness preventing similar issues being introduced during later releases. Security unit tests should verify dynamically (i.e., at run time) that the components function as expected and should validate that code changes are properly implemented. - A good practice for developers is to build security test cases as a generic security test suite that is part of the existing unit testing framework. A generic security test suite might include security test cases to validate both positive and negative requirements for security controls such as Identity, Authentication & Access Control, Input Validation & Encoding, User and Session Management, Error and Exception Handling, Encryption, and Auditing and Logging. Verify the correct execution of the security tests as early as possible. If feasible for example, consider the passing of security tests as part of merge requirements before allowing new code to enter the main code base. Alternatively, consider their passing a requirement for validating a build. + A good practice for developers is to build security test cases as a generic security test suite that is part of the existing unit testing framework. A generic security test suite might include security test cases to validate both positive and negative requirements for security controls such as Identity, Authentication and Access Control, Input Validation and Encoding, User and Session Management, Error and Exception Handling, Encryption, and Auditing and Logging. Verify the correct execution of the security tests as early as possible. If feasible for example, consider the passing of security tests as part of merge requirements before allowing new code to enter the main code base. Alternatively, consider their passing a requirement for validating a build. 
For security functional tests, use unit level tests for the functionality of security controls at the software component level, such as functions, methods, or classes. For example, a test case could check input and output validation (e.g., variable sanitation) and boundary checks for variables by asserting the expected functionality of the component.
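Review bot: In the V-AA-3-B.yml hunk the replaced `&` sits in the middle of a continuation line of a multi-line plain scalar (`organization design principles & patterns, ...`), where YAML does not treat it as an anchor, so the commit message's "Fixing ampersand" leaves the actual failure unstated; add one line to the message naming the consumer that breaks on the character (the rendering problem tracked in issue 49, presumably HTML or PDF generation) so the next contributor understands this is a downstream-rendering constraint rather than a YAML syntax error, and consider recording that constraint in the contributor guidance for the model files if the suite has any.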
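Review bot: On the `+` line of the V-RT-3-A.yml hunk, spelling out `&` as "and" inside a comma-separated list whose items already contain "and" makes the item boundaries ambiguous: "Identity, Authentication and Access Control, Input Validation and Encoding, ..." can be read as three items or as two, whereas the `-` line's `&` visually bound each pair; consider separating the items with semicolons (e.g., "Identity; Authentication and Access Control; Input Validation and Encoding; ...") so the list stays unambiguous. Since this text lives in a `|` literal block scalar, the ampersand was never a YAML parsing problem here either, which reinforces the request above to state the real consumer in the commit message. While the sentence is being touched, "If feasible for example, consider the passing of security tests" still needs a comma after "feasible".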