Commercial software products rely on formal test strategies to describe who will perform testing, the process that will be followed, the depth of testing, and more. Test strategies are extended by test plans that detail the specific tests that will be executed and how success will be measured. Together, test strategies and plans support objective evaluation of whether software meets its requirements and functions properly.
By contrast, security teams think about where security gates should sit in the SDLC and deploy SAST, DAST, IAST, or a combination of them. Rarely do they consider what level of coverage these methods actually provide, and output from security testing is not mapped back to requirements. Compared to the other teams involved in the SDLC, security often appears to be winging its test strategies and plans.
This talk will describe how product teams leverage test strategies and plans to ensure that delivered software meets its requirements, and how security teams can do the same.