© Crown Copyright (2000) Module 2.3 Functional Testing

You Are Here M2.1 Security Requirements M2.2 Development Representations M2.3 Functional Testing M2.4 Development Environment M2.5 Operational Environment M2.6 Vulnerability Analysis M2.7 Penetration Testing M2.8 Assurance Maintenance/Composition MODULE 2 - ASSURANCE

Introduction What is Functional Testing ? –Why do we do it ? Developer testing –coverage and depth Evaluator testing –corroboration of developer testing –additional testing

What is Functional Testing ? Testing the Security Functions Confidence in design and refinement Proving the developers tests To collect ideas for Penetration Testing

Developers Test Evidence Test Plans and Specifications Test Programs Expected and Actual results

Test Coverage and Depth Covering the security functions Demonstrate that the TOE operates in accordance with the design Levels of testing and demonstration of coverage –direct –indirect

Different types of testing Repeating developers tests –sampling of tests Additional tests to ensure security functionality fully covered using different –interfaces –inputs –configuration parameters

ITSEC Requirements

CC Requirements

Typical Functional Test Form

Evaluation Reporting Record and justify sampling strategy Justify strategy for additional testing Record results of tests and conclusions Provide test configuration details

Summary Confidence that the security functions behave as specified –coverage and depth –corroboration of developer tests –additional tests Understanding before Penetration testing

Further Reading ITSEC evaluation UK SP 05 Part III, Chapter 7 CC evaluation CC Part 3, Sections and 13 CEM Part 2, Chapters 5-8 (ATE sections)

Exercise - 1 Only an administrator with the appropriate authorisation shall be able to: create new user accounts delete, disable or enable existing user accounts. Identify test cases to provide adequate coverage of the above security function

Exercise - 2 Identify test cases to cover all statements all branches AB C TRUEFALSE y z TRUE