Do you have software testing processes (dynamic or static) that are established and followed?
Explanation
Software testing discipline is under review: the institution wants to know that you have established, repeatable dynamic or static testing processes and that you actually follow them.
Static testing involves examining code without executing it, looking for vulnerabilities, bugs, and security flaws through code reviews, static analysis tools, and architectural reviews. Examples include tools like SonarQube, Checkmarx, or manual code reviews.
Dynamic testing involves executing the code and testing it during runtime to identify issues that might not be apparent in static analysis. This includes penetration testing, vulnerability scanning, and functional testing.
This question is asked in security assessments because proper software testing is fundamental to developing secure applications. Without rigorous testing processes, vulnerabilities may go undetected until they're exploited in production environments. Established testing processes demonstrate a commitment to security throughout the development lifecycle.
To best answer this question, you should:
- Clearly state whether you have established testing processes
- Describe both static and dynamic testing methodologies you employ
- Mention specific tools used in your testing processes
- Explain how testing is integrated into your development lifecycle
- Note how frequently testing occurs and how findings are addressed
- Reference any standards or frameworks that guide your testing approach (e.g., OWASP)
Example Responses
Example Response 1
Yes, our organization has established comprehensive software testing processes that include both static and dynamic testing methodologies For static testing, we use SonarQube and Checkmarx to analyze our codebase during development, with automated scans triggered on every pull request Our development teams also conduct regular peer code reviews before code is merged For dynamic testing, we employ Burp Suite for web application security testing, OWASP ZAP for automated scanning, and conduct quarterly penetration tests using both internal resources and third-party security firms All identified issues are tracked in our vulnerability management system with remediation timelines based on severity Testing is fully integrated into our CI/CD pipeline, with security gates that prevent deployment if critical vulnerabilities are detected We follow OWASP ASVS as our testing standard and maintain documentation of all testing procedures that development teams must follow.
Example Response 2
Yes, we have established software testing processes that are integrated into our development lifecycle Our static testing includes automated code analysis using ESLint and StyleCop with custom security rules, as well as manual code reviews that follow a security-focused checklist These are performed on all code changes before they can be merged into our main branch For dynamic testing, we run automated functional tests with security assertions and conduct monthly security scans using Nessus and Acunetix Our QA team is trained in security testing techniques and incorporates security test cases into their regular testing activities We also conduct annual penetration testing with a third-party security vendor All testing processes are documented in our security policies, and compliance is monitored through regular audits Testing results and remediation efforts are reviewed in our monthly security steering committee meetings.
Example Response 3
No, we currently do not have formally established software testing processes While our developers do perform ad-hoc testing of their code and occasionally conduct peer reviews, we don't have standardized procedures or tools for either static or dynamic testing We recognize this as a gap in our security posture and are in the process of evaluating testing tools and developing formal testing procedures We plan to implement static code analysis tools in the next quarter and establish a relationship with a third-party penetration testing firm by the end of the year In the interim, we are mitigating risk by leveraging secure coding training for our development team and implementing additional monitoring in our production environment to detect potential security issues.
Context
- Tab
- Infrastructure
- Category
- Application/Service Security
Related questions
- Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?
- Are you using a web application firewall (WAF)?
- Are only currently supported operating system(s), software, and libraries leveraged by the system(s)/application(s) that will have access to institution's data?
- Does your application require access to location or GPS data?
- Does your application provide separation of duties between security administration, system administration, and standard user functions?
- Do you subject your code to static code analysis and/or static application security testing prior to release?

