Beschreibung
Task:The main purpose of this SOW is Security Testing
- Penetration Testing is not part of this SOW
- A Security Test Framework has to be created (eventually based on the ATP created by the client
- The Security Test Framwork will be integrated in the Continuous integration test framework based on Jenkins
- State of the art security tests have to be created, based on generic and customer requirements
- The Security Test Framework shall create automated security test reports, which must be analyzed and interpreted by the contractor.
- The Security Test Framework shall cover 85% of the possible features on the target with automated testing.
- Based on the automated security test reports and its interpretation, hints and howto´s and JIRA tickets for the project team have to be written- Additionally all not automated security tests have to be executed manually and manual security test reports have to be created manually.
- Based on the above figures 10% of the possible features on the target shall be manually tested.
- Manual security test reports have to result in the same style like the automated security test reports in hints, howto´s and JIRA tickets for the project team.
- Any test not be able to be executed either automatically or manually needs approval by the client.
Further requirements are needed:
a) Development Interface Agreement
- review meetings
- The Contractor shall provide a Monthly Progress Report to update status
- The Contractor shall provide a Weekly Status Report
- The Contractor shall perform risk management for all technical and programmatic risks
- The Contractor shall track its own internal action items, action items
- The Contractor shall provide a plan for management of Change Requests (CRs) and Problem Reports (PRs) for the duration of the project
b) Software Development Process Requirements
- The Contractor shall select a software development lifecycle model appropriate for the development activities
- The Contractor shall define the software requirements that satisfy the specifications referenced
- The Contractor shall design software that satisfies all requirements in the approved SRS
- The Contractor shall perform coding in accordance with this Statement of Work (SOW) and the Software Configuration Management Plan (SCMP).
- The Contractor shall maintain information that allows traceability between the software requirements and the work products developed during the project life cycle
- The Contractor shall establish a software configuration management process (including supporting tools) to ensure technical and administrative integrity of all software
- The Contractor shall document the configuration management approach in a Software Configuration Management Plan (SCMP)
- With each software release the Contractor shall provide Release Notes containing at least the following information
c) Verification Requirements
- Contractor shall perform static code check (SCC) on all source code that is developed internally
- Contractor shall perform code review on all new and modified code that is developed internally
- The Contractor shall perform peer reviews of all work products as part of the development process
- The Contractor shall document and submit to the client for approval Test Plans that shall provide the comprehensive test and verification approach used by the Contractor for conducting tests throughout the program (e.g., for unit level testing, integration level testing, verification testing).
- For all levels of testing the Contractor shall create Test Reports documenting the scope and results of the tests
- Acceptance Testing:
The acceptance test procedure, test cases, and test software will be developed in collaboration between contractor and the Security team of the project
d) Quality Management Requirements
- The Contractor shall prepare and submit to Continental for approval a Quality Assurance Plan describing the quality assurance process applicable to the efforts required by this SOW and the Security team of the project
- The Contractor shall maintain a certified QM-System (e.g. ISO9001:2000, ISO/TS 16949)
The main task is not development of the Security Test Framework and the manual security test cases, but the continuous execution, interpretation and feedback into the project about the stability of the security implementation.
- The Security Test Framework has to be maintained
- Manualy security tests have to be executed
- Security Test Reports (manual & automated) have to be created
Development Environment:
- SW CM Tool (Git/Gerrit)
- Operating System (inux)
- Client OS (Microsoft® Windows® 7/10 and Ubuntu 16.04 LTS)
-DOORS
- TEMPPO
- SharePoint
- JIRA / Gerrit / Collaborator
- Jenkins
- Klocwork
- Rhapsody
- VectorCAST
- ATP
- ValgrindTest Management Tool TEMPPO
ATP and TEMPPO are very imprtant!
ATP (Automated Test Platform) is an internal client´s tool designed for automated testing. It is maintained by the Process and Tools group of BU IC. The ATP tool is used by the client´s Unit Testing, SW Integration, and SW Verification testing.
TEMPPO (Test Execution, Management, Planning, and reporting Organizer) is a comprehensive test management framework designed to provide support for all test verification stages in the software development process.
Requirements (Must have):
- Expert in security testing in the automotive area
- knowledge of the main tools described above
Environment/Miscellaneous:
Extension until mid of 2019
Beginn: April 2018
Dauer: Juni 2018++
Branche: Automotive