The 5 Layers of Security Testing
"Information Security: Everyone’s job every day" (… and that includes testers!) Security is too important to ignore, so we will look at all of the ways that we as testers need to collaborate with our security professionals and our developers to ensure that security is addressed well in our project’s testing and verification. We will first lay a foundation of security concepts and terminology. Then we will walk through the 5 Layers of Security Testing and explore what is involved in doing a good job of each.

1. Test Security Features. We will start by looking at some of the security mechanisms our developers design into their code (e.g. encryption) and the ways we can collaborate with them to design good white-box tests. Then we will turn our attention to the various types of security requirements so we can ensure that our system testing of those requirements is adequate.

2. Perform Negative Testing. Not just for quality purposes, negative testing is also an important part of our security testing. In this context, we will look at both white-box and black-box fuzz testing.

3. Test Misuse and Abuse Cases. To our consideration of use cases, we should add abuse cases and misuse cases: how might people abuse or misuse the system, and how should it respond?

4. Test for Common Bugs that Open Vulnerabilities. The mistakes developers make that have the side effect of opening security vulnerabilities are widely published and well known (think buffer overflow). We will look at some of the best sources of this information and discuss how testers can collaborate with their developers to find those mistakes early.

5. Ensure Readiness for Release. We will look at the final verifications and testing that can confirm that the system is secure enough to release, including penetration testing.
Session Information
Time: 12:45 - 1:45
Room: Interfaith Room
Alan Koch
Alan S. Koch has more than 40 years’ experience in information technology with a strong primary focus on software development and software quality, including Agile development and DevOps. In the most recent 20 years, he has assessed and consulted with dozens of organizations, and coached and trained several thousand IT professionals in many different industries. In addition to BS Mathematics and MS Management Science degrees, Alan holds these certifications:

• Project Management Institute’s PMP and PMI-ACP
• Scrum Alliance’s Certified Scrum Master
• International Consortium for Agile’s ICP-TST, ICP-FDO, ICP-IDO
• Axelos’s Certified ITIL Expert
• ISACA’s COBIT 5
• Toastmasters International’s Certified Toastmaster

Alan is a prolific speaker, writer and contributor to advancing the IT professions and the knowledge and capabilities of IT professionals.