It is better to address the entire organization's availability, confidentiality, integrity and authenticity (collectively: security) concerns than to test individual applications for security concerns one at a time. To that end, Microsoft offers a Security Assessment Tool, useful even in non-Microsoft environments.
- ITIL and ITSM World: the IT Infrastructure Library (ITIL) is a series of documents used to aid the implementation of a framework for IT Service Management (ITSM).
- Security Risk Analysis
- ISO 17799
- CERT OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
- Business Continuity Planning
- Information Systems Security Assessment Framework (ISSAF) seeks to evaluate the organization's information security policies and processes and report on their compliance with IT industry standards and applicable laws and regulatory requirements.
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems (Business Continuity Planning)
- NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
- The National Security Agency (NSA) InfoSec Assessment Methodology (IAM) was designed specifically for Federal Information Security Management Act (FISMA) compliance.
- Sherwood Applied Business Security Architecture (SABSA): the What, Why, How, Who, Where and When of the Contextual, Conceptual, Logical, Physical, Component and Operational layers.
- Zachman International's Zachman Architecture Framework: the What, How, When, Who, Where and Why of Identification, Definition, Representation, Specification, Configuration and Instantiation.
- Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.
- w3af: Web Application Attack and Audit Framework
- Common Vulnerability Reporting Framework (CVRF)
- Microsoft Security Development Lifecycle: procedures for incorporating security into software development, along with tools to support steps in the lifecycle.
- 2011 IT Security Best Practices Assessment
[...] Web Application Testing: remember that application availability, confidentiality, integrity and authenticity (collectively: security) are best addressed at the organizational level; see Framework. [...]