The security-testing baseline defines the minimum expectation of the testing scope and criteria. OWASP ASVS and the OWASP MSTG are good references for organizations that are just beginning to build security-testing baselines. In addition to software application security, the baseline also covers the following areas, which are often neglected:
- Platform secure configuration, such as the OS, database, virtualization, and web services (NGINX, Apache)
- Secure communication protocols, such as SFTP, SSH v2, or TLS v1.2
- Known vulnerabilities in third-party software components
- Sensitive information and PII data handling, storage, and removal
- Documentation or online help instructions related to access management, changes of password, ...
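One way to make such a baseline machine-checkable, as an added example that is not from the book or from OWASP: the protocol, component and PII criteria from the list above are encoded as data, and each service's observed configuration is evaluated against them. The `Service` fields, the minimum versions and the known-vulnerable component list are constructed assumptions for illustration, not real advisories.

```python
"""Minimal machine-checkable security-testing baseline (constructed example)."""
from dataclasses import dataclass, field

# Baseline criteria drawn from the areas listed above; all values are assumptions.
MIN_TLS = (1, 2)                          # TLS v1.2 is the floor
ALLOWED_TRANSFER = {"SFTP", "SSH"}        # SSH is accepted only at protocol version 2
KNOWN_VULNERABLE = {("openssl", "1.0.1"), ("struts", "2.3.1")}  # constructed, not real


@dataclass
class Service:
    name: str
    protocol: str                         # e.g. "TLS", "SSH", "FTP", "SFTP"
    version: str = ""                     # e.g. "1.1", "2"
    components: list = field(default_factory=list)  # (name, version) pairs
    stores_pii: bool = False
    pii_encrypted: bool = False


def _parse_version(text):
    """Turn '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def evaluate(service):
    """Return the list of baseline violations for one service (empty = compliant)."""
    issues = []
    ver = _parse_version(service.version)
    proto = service.protocol.upper()
    if proto == "TLS":
        if ver < MIN_TLS:
            issues.append(f"{service.name}: TLS {service.version} below minimum 1.2")
    elif proto == "SSH":
        if ver != (2,):
            issues.append(f"{service.name}: SSH v{service.version} is not v2")
    elif proto not in ALLOWED_TRANSFER:
        issues.append(f"{service.name}: insecure protocol {service.protocol}")
    # Third-party components with known vulnerabilities
    for comp, cver in service.components:
        if (comp.lower(), cver) in KNOWN_VULNERABLE:
            issues.append(f"{service.name}: known-vulnerable component {comp} {cver}")
    # Sensitive information / PII storage
    if service.stores_pii and not service.pii_encrypted:
        issues.append(f"{service.name}: PII stored without encryption")
    return issues
```

In practice the criteria dictionaries would be loaded from a versioned baseline file and the `Service` records from scanner output, so the same check runs identically in every pipeline.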