Test Cases

Overview

When creating a new project, you can select one or more methodologies or checklists to apply to the project - referred to as Test Suites. Each test suite has a collection of test cases which get assigned to the project.
A test suite helps:
    Clients understand exactly what was tested on the project;
    Developers/Engineers link test cases to vulnerabilities;
    Pentesters structure their testing in a methodical, consistent & standardized way;
    Organizations create repeatable, standardized & comparable assessments - independent of who was actually performing the assessment.
Test cases can provide valuable insight into a penetration test or audit. They show:
    What was tested
    When it was tested
    Who tested it
    What was the status
    Supporting evidence
    Whether the test case failed
To view the test cases assigned to the project, click on Test Cases from the project menu, or click on the Status Dashboard Box (in the example below it shows 'Testing').

Updating a Test Case

It is the function of the pentester (or assessor) on the project to update the test cases as they work through the assessment. Therefore only users with Edit permissions on the project can update a test case.
Test cases by default are set to Not Tested.
Authorized users can update the status of a test case to any of the following:
    Not Tested
    Testing In Progress
    Tested
    Not Applicable
You can update a test case by clicking on the status of the test case and selecting an option from the drop-down menu.
You can also update multiple test cases in bulk using the page menu. Select Edit Multiple Test Cases, then select the desired test cases, then using the page menu again - select the desired status e.g. Set As Tested, Set as Not Tested, Set as Testing In Progress or Set as Not Applicable.

Adding a Note / Uploading Supporting Evidence

Each test case can have supporting notes & files which contain the evidence & observations from the pentester or assessor. For example, if the test case required a scan to be performed using a tool - the results of the scan can be uploaded.
To add a note or upload a file - select Add Note or Upload Files / Evidence from the actions menu.
All notes & evidence are included in the on-demand reports.

Filtering Test Cases

You can filter test cases using the page menu. The following options are currently available:
    Filter on Assigned to Me
    Filter on Not Tested
    Filter on Tested
    Filter on Testing in Progress
    Filter on Not Applicable
    Filter on Locked
    Filter on Unlocked
    Filter on Failed Test Cases
    Filter on Not Failed Test Cases

Assigning Test Cases to a User

Administrators and Project Coordinators can assign test cases to any project team members with Edit permissions on the project, i.e. pentesters or consultants. This helps to delegate tasks to team members to maximise efficiency during testing, as well as accountability for certain tasks.
You can assign a test case to a user by clicking on the editable None value in the Assigned To column, and then selecting the user from the list of presented options.
You can also assign multiple test cases in bulk using the page menu. Select Edit Multiple Test Cases, then select the desired test cases, then using the page menu again - select the user to assign the selected test cases.

Assigning Assets to Test Cases

Administrators and Project Coordinators can assign assets to test cases. This helps to delegate tasks to individual assets to increase testing coverage and traceability.
You can assign one or more assets to the test case by clicking on the editable All value in the Assigned Asset(s) column, and then selecting the assets from the list of presented options. You can multi-select in the field.

Failed & Remediated Test Cases

Failed test cases can help to identify tests which need to be re-performed as part of remediation testing.
Remediated test cases help to identify which failed test cases have had all vulnerabilities fixed/closed.
You can fail a test case by linking a vulnerability to a test case.
When creating or updating a vulnerability on a project, select the failed test case(s) to link them.
Add a vulnerability directly from the test cases page, to quickly link the test case to the new vulnerability.
When a vulnerability is linked to a test case, the test case will be automatically marked as failed.
You can click on the failed test case to see the linked vulnerabilities.
If all vulnerabilities linked to a failed test case have been Closed, the test case will be considered Remediated.

Locking & Unlocking Test Cases

As an Admin or Project Coordinator, you have the ability to Lock and Unlock test cases on a project at any given time.
Locking test cases is useful if you need to allocate a new round of testing to your project, to ensure previous rounds of testing cannot be altered or tampered with.
When a test case is locked, it cannot be updated. You cannot add any new notes or evidence either. This provides greater assurance from an auditing perspective.
Locked test cases will not show up on or affect the project status and percentage completion.
Locked test cases will not show up in the reports as reporting is focused on the current round of testing. This helps to avoid lengthy reports on projects where multiple rounds of testing are performed.
To lock a Test Case individually - use the Actions menu on an unlocked test case and select Lock.
To unlock a Test Case individually - use the Actions menu on a locked test case and select Unlock.
To perform bulk updates - use the Page menu to select the test cases and your option.

Adding Test Suites On Your Project

As an Administrator, you can add additional test suites to a project after the project has been created. This can help if you need to perform a new round of testing on a project.
To add new test suites on a project, click on the Add More Test Suites button from the page menu.
Select the test suites you would like to load on the project and click Add Test Suites to Project. The test suites will be loaded on to your project.
By default, the test cases loaded on to the project will be set to Unlocked/Active status.
If it is a new round of testing, you can automatically lock the previous test cases by selecting Yes for the option Assign Test Suites to New Round of Testing? This will ensure the previous test cases can't be tampered with or changed accidentally. It will also reset the project status to Waiting to Start and progress will be set to 0% (based on the new test suites added).

Deleting Test Cases On Your Project

As an Administrator, you can delete test cases on a project. This can help if you need to remove test cases which do not need to be actioned on the project.
To delete test cases on a project, click on the Edit Multiple Test Cases button from the page menu.
Select the test cases you would like to delete, then click on Delete Selected Test Cases from the page menu.

Creating Abuse Cases

Abuse cases are project or assessment specific test cases. They are unique test cases which apply to the assets on the project, or the objective of the assessment. For example, consider a web application pentest for a reverse auction website. Typically the pentest may cover the standard OWASP ASVS test cases, however the customer also requires that business logic tests are performed against the bidding functionality to determine whether it can be cheated or not. Abuse cases can be created to specifically test this functionality and provide a higher level of assurance beyond standard test cases.
To create abuse cases on the project, you must be either an Administrator or Project Coordinator.
Click on Add Abuse Cases from the page menu.
Enter in the details for the abuse case, and optional tags.
If you click Add & Add More, it will save the abuse case to the project and allow you to enter a new abuse case (if loading multiple on a project).
If you click on Add & Finish, it will save the abuse case and redirect you back to the test cases on the project.
You can access all abuse cases for each project via the Test Suite Builder module. You can make changes to the abuse cases from here. If you need to delete an abuse case, you can perform this directly from the project (see Deleting Test Cases On Your Project above).