Software testing is the most important measure of quality assurance in software development. Security testing plays currently a minor role, but we are sure that this will change within the next five years. Studies show that in industry, testing processes are often perceived as too costly and laborious. Testing processes are often difficult to control and improvements of the processes with respect to quality, cost efficiency and stringency are often requested.

Fraunhofer has developed an assessment scheme called Security Testing Improvements Profile (STIP), that is dedicated to assess security testing processes. It can be used stand alone or in addition to established test process assessment approaches. STIP is based on the general ideas of TMMi and TPI. Thus, we have defined a set of key areas that we considered relevant for security testing. The key areas describe major aspects or activities in a security testing process.

The key areas are grouped in four main groups and defined to be self-contained and distinct so that each of the areas represents a relevant aspect of a security testing process. For each of the key areas we have defined a performance scale with up to four levels that are hierarchically organized and build on each other. The levels can be used to evaluate concrete security testing processes with respect to their performance in the belonging key area. Each level with a higher number represents an improvement for the underlying security testing process. Each higher level is better than its prior level in terms of time (faster), money (cheaper) and/or quality (better).