DEV-07 Testing Changes
1. Overview

| Designation | Standard |
| DEV-07.01B | Changes to the cloud service are subject to appropriate testing according to documented test procedures during software development and deployment. Tests should be used that contribute both to the quality assurance of the software development and to the security of the cloud service. Errors and vulnerabilities identified in tests can be assessed, for example, according to the Common Vulnerability Scoring System (CVSS). Test procedures for software assets can be static (SAST), dynamic (DAST) or interactive (IAST). |
| DEV-07.02B | The type and scope of the tests correspond to the risk assessment. The tests are carried out by appropriately qualified personnel of the cloud service provider or by automated test procedures that comply with established rules of technology. Cloud service customers are involved in the tests in accordance with the contractual requirements. |
| DEV-07.03B | Before using cloud service customer data for tests, the cloud service provider first obtains approval from that cloud service customer and anonymises the cloud service customer data. The cloud service provider ensures the confidentiality of the data during the whole process. |
| DEV-07.04B | The security features of the cloud service are subject to tests that fully cover the security features' specification (cf. DEV-05), including all specified error conditions. The documentation of these tests covers at least the following aspects: (1) a description of the test; (2) the initial conditions; (3) the expected outcome; and (4) procedures for running the test. |
| DEV-07.05B | The severity of the errors and vulnerabilities identified in the tests, which are relevant for the deployment decision, is determined according to defined criteria, and actions for timely remediation or mitigation are initiated. |
| DEV-07.01AC | Pre-launch penetration tests are carried out during the test phase of the cloud service in accordance with the penetration test framework (cf. OPS-22 additional criterion). The severity of identified vulnerabilities is assessed according to defined criteria, and actions for timely remediation or mitigation are initiated. |
| DEV-07 Supplementary Information - Complementary Customer Criteria | Where changes are to be tested by the cloud service customers in accordance with the contractual agreements prior to deployment in the production environment, the cloud service customers ensure with suitable controls that the tests are performed appropriately to identify errors. In particular, this includes timely execution of the tests by qualified personnel in accordance with the conditions specified by the cloud service provider. |
1.1 References
1.2 Identified Requirements
1.3 Related Regulations

2. Identified Requirements
Requirements
| Source | Requirement |

3. Related Regulations
Regulations
| Source | Regulation |