
Software Security Testing

Need to complete information management software security testing and want practical suggestions to ensure rapid project delivery?

What is security testing?

The objective of information management security testing is to ensure that the new solution does not violate security policy.

What is the scope of security testing?

Information management security testing will include some or all of the following tests:
  • Firewall configuration settings, to ensure they have been installed and maintained correctly;
  • System settings, to ensure they have been configured correctly to protect sensitive data;
  • Data access mechanisms, to ensure that all stored personal data is protected from unauthorized access;
  • Data transmission across open, public networks, to ensure that encryption mechanisms do not fail;
  • Anti-virus verification, to ensure that software is used, and regularly updated;
  • Software vulnerability testing, to ensure that the code was developed to provide:
    • Validation of all input (to prevent cross-site scripting, injection flaws, malicious file execution, etc.);
    • Validation of proper error handling;
    • Validation of secure cryptographic storage;
    • Validation of secure communications; and
    • Validation of proper role-based access control (RBAC).
  • Data access, to ensure that sensitive data is only available on a business "need to know" basis;
  • Data access, to ensure that access to sensitive corporate and customer data is controlled;
  • Physical access, to ensure that physical access restrictions, processes and mechanisms prevent unauthorized access to sensitive areas;
  • Access to network resources, to ensure that all audit/control and logging procedures work; and
  • Database backup and restore processes, to ensure that data protection and disaster recovery processes will function correctly if needed.
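The software vulnerability items above (input validation, secure data access, proper error handling and role-based access control) are the ones a tester can exercise directly in code. The following is an added example, not code from the original page: a small Python module with a hypothetical account-balance lookup that shows what each check looks like in practice, with a deliberately vulnerable string-built query kept beside the parameterized one so a test can demonstrate the difference. All names, roles and the sample account data are constructed for the example.

```python
"""Added example (not from the original page): checks a vulnerability test pass
exercises in code. Function and role names are hypothetical; data is constructed."""
import logging
import re
import sqlite3

# --- Input validation: an allowlist of acceptable characters and a length cap,
# rather than a blocklist of "bad" characters that is easy to get wrong.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value: str) -> bool:
    """fullmatch() rejects trailing newlines and anything outside the allowlist."""
    return USERNAME_RE.fullmatch(value) is not None


# --- Data access: constructed in-memory table with two sample accounts.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn


def lookup_balance(conn: sqlite3.Connection, username: str):
    """Hardened version: the username is passed as a bound parameter, so SQL
    metacharacters inside it remain data and cannot change the query."""
    row = conn.execute("SELECT balance FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def lookup_balance_unsafe(conn: sqlite3.Connection, username: str):
    """Deliberately vulnerable 'before' version kept only for the comparison test:
    building the statement by string formatting lets input alter the WHERE clause."""
    rows = conn.execute(
        f"SELECT balance FROM accounts WHERE username = '{username}'").fetchall()
    return [r[0] for r in rows]


# --- Role-based access control: explicit permission sets per role, deny by default.
PERMISSIONS = {
    "admin": {"read_balance", "write_balance"},
    "teller": {"read_balance"},
}


def is_allowed(role: str, action: str) -> bool:
    """Unknown roles and unknown actions both evaluate to False."""
    return action in PERMISSIONS.get(role, set())


# --- Error handling: log the full detail internally, return a generic status outward.
def safe_balance_lookup(conn: sqlite3.Connection, role: str, username: str):
    """Applies the checks in order and returns a (status, payload) pair.
    Authorization is checked before input is even inspected, and database
    errors never reach the caller as stack traces or SQL text."""
    if not is_allowed(role, "read_balance"):
        return ("forbidden", None)
    if not is_valid_username(username):
        return ("bad_request", None)
    try:
        return ("ok", lookup_balance(conn, username))
    except sqlite3.Error:
        logging.exception("balance lookup failed")  # full detail stays in the log
        return ("error", "internal error")


if __name__ == "__main__":
    db = setup_db()
    print(safe_balance_lookup(db, "teller", "alice"))        # ('ok', 100)
    print(safe_balance_lookup(db, "guest", "alice"))         # ('forbidden', None)
    print(safe_balance_lookup(db, "teller", "' OR '1'='1"))  # ('bad_request', None)
```

A test for this code would assert that the parameterized lookup returns nothing for a tautology payload while the string-built version returns every row, that the validator rejects the same payload before it reaches the database, and that an unlisted role is refused. Those three assertions are the concrete form of the "validation of all input", "secure data access" and "proper RBAC" items in the list above.
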
Who is involved with security testing?

Security testing is usually the responsibility of a corporate security officer who relies on help from:
  • System and network administrators;
  • Database administrators;
  • Production support staff;
  • External agencies e.g. payment card industry (PCI) requires security certification to process credit card-holder data; and
  • Security testing vendors e.g. Trustwave is a company which helps corporations achieve PCI compliance with specialized software and security vulnerability/penetration testing.
Is all that security testing required for each project?

The short answer is no. However, security testing is an ongoing cycle that requires constant attention, depending upon the risk tolerance of the corporation.

Some companies have modest security requirements and may not require the same security levels as other companies processing sensitive corporate or customer data such as credit card numbers.

Summary...

The objective of information management software security testing is to ensure that the new solution does not violate security policy.

Security testing may be required as part of project quality assurance testing and may also be required on an ongoing basis.
