Security testing communication

Being able to articulate the security testing plan, execution, and results in a way that non-security team members can understand is critical to the project. This helps stakeholders understand what security testing is performed and how. Too many technical, security domain-specific terms can make the security testing plan too difficult for them to follow.

For example, the business objective of security is to protect the application against injection attacks. However, in the domain of security testing, 'injection attacks' may be specifically described as XML External Entity (XXE) attacks, Cross-Site Scripting (XSS) attacks, command injection, and SQL injection. Use of this terminology may cause communication gaps and misunderstanding between security and non-security stakeholders.

The following table lists the security business objectives for general stakeholders and the corresponding security testing techniques for dealing with them:

Security business objective and scenario | Security testing techniques

Security business objective and scenario: Web scanning—Executing automated web application-level security testing to identify vulnerabilities in the web application
Security testing techniques: OWASP Top 10 security testing, which covers 10 common security issues: injection, broken authentication, sensitive data exposure, XXE, broken access control, security misconfiguration, XSS, insecure deserialization, known vulnerabilities, and insufficient logging and monitoring.

Security business objective and scenario: Verifying that the TLS/SSL (Transport Layer Security/Secure Sockets Layer) configuration of the web server is secure
Security testing techniques: Testing the SSL/TLS configuration covers not only the use of secure protocols and secure cipher suites, but also the following:
  • Tests for CCS injection vulnerability
  • Tests for renegotiation vulnerabilities
  • Tests for CRIME vulnerability
  • Tests for BREACH vulnerability
  • Tests for POODLE (SSL) vulnerability
  • Tests for FREAK vulnerability
  • Tests for BEAST vulnerability
  • Tests for LOGJAM vulnerability
  • Tests for DROWN vulnerability

Security business objective and scenario: Verifying that sensitive information is transmitted in a secure manner
Security testing techniques:
  • Secure communication with TLS v1.2
  • Secure remote connection with SSH v2 instead of Telnet
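The TLS/SSL checks in the table above, as an added example that is not part of the original text: a small Python policy checker that takes a scanner-style summary of what a server offers and maps each weakness to the named test in the table, plus a client context that enforces the "TLS v1.2" objective of the last row. The ScanResult fields, the two sample servers and their cipher suite lists are constructed for this example; the CCS-injection and renegotiation flags are assumed to come from a scanner's active probe, because neither can be read off a cipher list.

```python
"""Map a TLS/SSL server configuration summary to the named tests.

Added example, not from the original text. ScanResult and the sample
servers are constructed; the ccs_injection, client_renegotiation and
secure_renegotiation fields are assumed to be filled in by an active
scanner probe, since they cannot be inferred from protocol/cipher lists.
Cipher suite names are IANA style (e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5).
"""
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Protocol versions that must not be offered at all (TLS v1.2+ only).
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass
class ScanResult:
    host: str
    protocols: Set[str]                    # protocol versions the server accepts
    ciphers: Set[str] = field(default_factory=set)  # IANA cipher suite names offered
    dh_bits: Optional[int] = None          # size of server DHE parameters, if any
    tls_compression: bool = False          # TLS-level (DEFLATE) compression enabled
    http_compression: bool = False         # HTTP compression on pages carrying secrets
    client_renegotiation: bool = False     # accepts client-initiated renegotiation
    secure_renegotiation: bool = True      # RFC 5746 extension supported
    ccs_injection: bool = False            # result of an active CCS probe (assumed input)


def check_tls_config(scan: ScanResult) -> List[str]:
    """Return one finding per failed test; an empty list means the config passes."""
    findings = []
    if "SSLv2" in scan.protocols:
        findings.append("DROWN: SSLv2 is enabled")
    if "SSLv3" in scan.protocols:
        findings.append("POODLE (SSL): SSLv3 is enabled")
    if "TLSv1.0" in scan.protocols and any("CBC" in c for c in scan.ciphers):
        findings.append("BEAST: TLSv1.0 is offered with CBC cipher suites")
    for proto in sorted(scan.protocols & {"TLSv1.0", "TLSv1.1"}):
        findings.append(f"Deprecated protocol: {proto} is enabled; offer TLS v1.2 or later only")
    if any("EXPORT" in c for c in scan.ciphers):
        findings.append("FREAK: export-grade cipher suites are offered")
    if scan.dh_bits is not None and scan.dh_bits <= 1024:
        findings.append(f"LOGJAM: DHE parameters are only {scan.dh_bits} bits")
    if scan.tls_compression:
        findings.append("CRIME: TLS compression is enabled")
    if scan.http_compression:
        findings.append("BREACH: HTTP compression is enabled on responses that reflect secrets")
    if not scan.secure_renegotiation:
        findings.append("Renegotiation: secure renegotiation (RFC 5746) is not supported")
    if scan.client_renegotiation:
        findings.append("Renegotiation: client-initiated renegotiation is accepted (DoS risk)")
    if scan.ccs_injection:
        findings.append("CCS injection: server accepted an early ChangeCipherSpec (per active probe)")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that meets the 'secure communication with TLS v1.2' objective."""
    ctx = ssl.create_default_context()          # certificate verification + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION        # removes the CRIME precondition client-side
    return ctx


def context_policy_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Report the settings a reviewer would check on a client/server context."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


# Constructed sample inputs: a legacy server and a hardened one.
WEAK_SERVER = ScanResult(
    host="legacy.example.test",
    protocols={"SSLv3", "TLSv1.0", "TLSv1.2"},
    ciphers={"TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
    dh_bits=1024, tls_compression=True, http_compression=True,
    client_renegotiation=True, secure_renegotiation=False, ccs_injection=True,
)
HARDENED_SERVER = ScanResult(
    host="app.example.test",
    protocols={"TLSv1.2", "TLSv1.3"},
    ciphers={"TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
)

if __name__ == "__main__":
    for server in (WEAK_SERVER, HARDENED_SERVER):
        print(server.host, check_tls_config(server) or ["PASS"])
    print(context_policy_summary(hardened_client_context()))
```

Each finding is prefixed with the test name from the table, so a report for non-security stakeholders can be grouped under "TLS configuration" while the detail stays available to the security team.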
