Should the test manager lead and manage security testing, and should these activities be documented in the master test plan?

lee marshall asked on April 25, 2018 - 11:16am | Replies (1).

I am in a debate with project managers over the control, management and approach to documentation covering security testing (pen testing).

They believe that this should be done by subject matter experts:

with no test plan,

with no specific detail in the Master Test Plan,

with no input from the test manager.

I believe it should be in the plans managed by the Test Manager and the test manager calls upon the SME resource to support and provide guidance.

What are the thoughts of the populace?

1 Answer

Craig Kam replied on January 25, 2019 - 5:24pm.

Sorry to be a little late on this one. From my perspective, a test manager should be leading test activities. How your company defines these activities is the question. In most of the shops I worked in, an SME would write the security test plan. In my opinion, any professional analyst could write this plan. This plan was part of the functional area, as security was treated as both a functional and an integrated area.

So, to answer your question, YES YES, a test plan must be written. Otherwise, how would the team know what has been tested? As far as who is in charge, well, it was the main test manager who was responsible for reporting to the director/team on the results of the overall test effort. I think it is always a good idea to get input from different disciplines when designing and executing a test strategy. Whether that's security or performance or functional, it really doesn't matter. It is a TEAM after all.
