Testing Rules Determination#
This activity takes the results from previous activities and builds a unique set of Testing Rules for each product. These Testing Rules stay valid as long as none of the previous activities - Architecture Review, and Process Assessment - has changes. If any of those activities are performed during the current RABET-V Iteration, the Testing Rules Determination must be performed again.
The Testing Rules are structured as a first-hit, crosstab decision table. Artifacts from earlier activities, such as Submission Review, Process Assessment and Architecture Review serve as inputs to the table. The output of the Testing Rules Determination activity is a set of test methods to be used during Product Verification. A test method is determined for each security control family.
These test methods are Full, Basic, and Streamlined. The names reflect the rigour that each test method applies to confirm the effectiveness of the control family, with Full applying the most rigour and Streamlined the least.
The chosen test method for a given security control family is based on the Change Type(s) identified for the product’s iteration and the SAMM and SSAM scores for the product. Change Types that indicate changes to security service components will require higher SAMM and SSAM scores to receive Basic or Streamlined testing. Minor changes may receive less testing even with relatively lower SAMM and SSAM scores.
Inputs#
Change Type
Security Service Architectural Maturity Scores
Software Development Maturity Scores
Outputs#
Product Testing Rules Matrix
Workflow#
Pull test scores#
Software Assurance Maturity Model (SAMM) and Security Service Architectural Maturity (SSAM) serve as inputs.
The scores for each Security Control Family in SSAM form the column headers of the table. The rows of the table list the change types. Each change type is associated with a score in SAMM. [provide more details here?] The first change type matching any of those identified during Submission Review [update] uniquely selects the applicable SAMM score (i.e. when more than one change type applies, the most impactful one takes precedence over the others). The SAMM score is then summed to the SSAM score for each security control family, deriving scores between 0.0 and 6.0.
Determine test methods#
Each numeric score is converted to a test method based on a predefined set of thresholds associated with the Change Type. These thresholds determine how high a score must be to receive a certain level of testing. For example, a product with an Operating system patch change type and a combined Process + Architecture Score of 2.5 or greater will receive Streamlined testing. However, a change of Security patch of security service component(s) with the same score would receive Full testing. The testing matrix is given below:
Type |
Change Description |
Process Assessment Score Type |
> 5 |
5 - 4.5 |
4.49 - 4.0 |
3.99 - 3.5 |
3.49 - 3.0 |
2.99 - 2.5 |
2.49 - 2.0 |
< 2.0 |
|---|---|---|---|---|---|---|---|---|---|---|
1 |
Other major or multiple change(s) to security service component(s) |
Total |
Full |
Full |
Full |
Full |
Full |
Full |
Full |
Full |
2 |
Source code change to security service component(s) |
InternalDev |
Basic |
Full |
Full |
Full |
Full |
Full |
Full |
Full |
3 |
Major configuration change to security service component(s) |
EnvMgmt |
Basic |
Basic |
Basic |
Full |
Full |
Full |
Full |
Full |
4 |
Security patch of security service component(s) |
SupplyChain |
Basic |
Basic |
Basic |
Basic |
Full |
Full |
Full |
Full |
5 |
Dependency updates for security service component(s) |
SupplyChain |
Basic |
Basic |
Basic |
Basic |
Basic |
Full |
Full |
Full |
6 |
Minor configuration change to security service component(s) |
EnvMgmt |
Basic |
Basic |
Basic |
Basic |
Basic |
Basic |
Basic |
Full |
7 |
Source code change interfacing with security service component(s) |
InternalDev |
Streamlined |
Basic |
Basic |
Basic |
Basic |
Basic |
Basic |
Full |
8 |
Source code change unrelated to security service component(s) |
InternalDev |
Streamlined |
Streamlined |
Streamlined |
Basic |
Basic |
Basic |
Basic |
Full |
9 |
3rd party software patch to a non-security service component(s) |
SupplyChain |
Streamlined |
Streamlined |
Streamlined |
Streamlined |
Streamlined |
Basic |
Basic |
Full |
10 |
Operating system patch |
EnvMgmt |
Streamlined |
Streamlined |
Streamlined |
Streamlined |
Streamlined |
Streamlined |
Basic |
Full |
11 |
Other software or configuration change |
Total |
Streamlined |
Streamlined |
Streamlined |
Streamlined |
Streamlined |
Streamlined |
Basic |
Full |