The security charters from my Just Enough Security talk at TestBash. I’m interested in ideas to expand and improve on these.

The Charters in the presentation are below. I might add some comments or updates to this page.

Account charter

• What test accounts do we have?
• Is the account list up to date?
• Where should it be recorded?
• Could we close some?
• What account logging exists?
• Is there any signs of tampering?
• How to recognise tampering?
• Can we base alerts on this?
• Who watches those alerts?

Password charter

• Replace shared passwords with unique passwords that are 15+ characters:
• Cycle old passwords.
• Ensure passwords are unique, long and strong.
• How are they being stored?
• Who has access?
• Do you use a salt in the test environments?
• Are passwords stored encrypted?
• Test / Dev can be used as a path to production.
• Can you use a password manager?
• How can passwords be shared safely?
• Are the worst passwords allowed? Are they being used?

Environment charter

• Who updates the machines used for the test environment?
• What’s the update plan?
• Who patches?
• Does Ops expect to be told when and what to update?
• Are you responsible for any updates on your personal machine?
• Are you up to date?

Config charter

• Look at your config files for known problems.
• Which config files are there?
• What do they control?
• Who currently manages them?
• Are they all kept up to date?
• Does test have its own versions that are out of date?

Recovery charter

• When stuff goes wrong, how will we recover?
• Do you or someone else test recovering from the backups?
• If your test data creation is not automated, do you have backups?
• Can it be moved to automation to lessen dependency in the environments?
• Do you have backups of your account information with third parties?
• Would you know if you lost access to a third party account?
• Do you have a plan?

Impact Containment Charter

• What can limit the damage of a compromise?
• Are High value targets separated from low value targets?
• Are you using the lowest privilege you can?
• If you do not need it, do not keep it.

Automation is your friend

• Do you have automated security tests running?
• Is the suite up to date?
• Do you know what is not covered?

Security tools

Blockers Charter

• What blockers for security do we have?
• Are they being tracked?
• Does the security bugs/blocks have Advocates in the team?