Integrating Functional Security Testing into Daily Test Practices: Concepts, SDL Roles, and Test‑Case Design
This article explains how test engineers can incorporate functional security testing into routine testing by outlining the differences between security and functional testing, describing the Security Development Lifecycle (SDL) responsibilities, and providing concrete test‑case design guidelines for various security scenarios.
The article introduces functional security testing from a test‑development engineer’s perspective, highlighting its importance alongside traditional functional testing and summarising the similarities and differences between the two.
It defines security testing as the process of verifying that a software product meets defined security requirements and can resist illegal intrusion, and explains why security testing is essential for improving product quality, reducing post‑release remediation costs, and ensuring protective mechanisms work in real environments.
The goals of security testing are presented, distinguishing application‑level and system‑level testing, and a comparison table shows shared objectives (early defect feedback, similar processes, predictive testing) and differing aspects (focus on security vulnerabilities versus functional bugs, different judgment criteria, and different prediction scopes).
A basic security testing process is outlined, followed by an overview of the Security Development Lifecycle (SDL) – a Microsoft‑proposed framework that integrates security considerations into every software development phase, from requirements and design through development, testing, release, and operations.
The article then details the SDL phases, describing the security responsibilities of product, design, development, testing, release, and operations teams, and provides a visual flow of the SDL.
Common verification points for security testing are enumerated, including business‑logic flaws, authentication and authorization checks, privilege escalation, file upload/download controls, sensitive‑information leakage, SQL injection types, and protection of critical data.
Three practical case studies illustrate how to design functional security test cases: (1) an online quotation approval workflow, focusing on permission checks; (2) a prepaid withdrawal scenario, emphasizing constraints on invoices, withdrawal cycles, balances, and approval processes; (3) an electronic contract process, covering sensitive data handling, file‑type validation, and verification codes.
Each case includes example test‑case tables and screenshots (described in text) that demonstrate how to translate security requirements into concrete test steps.
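As an added illustration of the "translate security requirements into concrete test steps" idea (not code from the article or from JD Tech), the block below models case (1), quotation approval permission checks, and the file-type validation of case (3) as a tiny in-memory service plus negative test cases. Role names, the attachment whitelist, and the user set are constructed assumptions.

```python
import os

ROLE_CAN_APPROVE = {"sales_manager"}   # assumption: only managers approve
ALLOWED_EXT = {".pdf", ".docx"}        # assumption: attachment whitelist

class Forbidden(Exception): pass       # raised when a control rejects an action

class QuotationService:
    # Tiny in-memory system under test, constructed for this example.
    def __init__(self, users):
        self.users = users   # user -> role, the server-side source of truth
        self.quotes = {}     # quotation id -> {"owner", "status", "files"}

    def create(self, user, qid):
        self.quotes[qid] = {"owner": user, "status": "submitted", "files": []}

    def approve(self, user, qid, role_claim=None):
        # Decide from the server-side role only; a client-supplied role_claim
        # is deliberately ignored (vertical privilege-escalation check).
        if self.users.get(user) not in ROLE_CAN_APPROVE:
            raise Forbidden(f"{user} is not allowed to approve")
        self.quotes[qid]["status"] = "approved"

    def attach(self, user, qid, filename):
        q = self.quotes[qid]
        if q["owner"] != user:   # horizontal-privilege check
            raise Forbidden("only the owner may attach files")
        if os.path.splitext(filename.lower())[1] not in ALLOWED_EXT:
            raise Forbidden("file type not allowed")   # file-type validation
        q["files"].append(filename)

def denied(action):
    # True when the control rejected the action, False if it went through.
    try:
        action()
    except Forbidden:
        return True
    return False

def run_security_cases():
    # Negative cases from the case studies; every value should be True.
    svc = QuotationService({"alice": "sales", "bob": "sales_manager", "eve": "sales"})
    svc.create("alice", "Q1")
    return {
        "unauthorized_role_cannot_approve": denied(lambda: svc.approve("eve", "Q1")),
        "client_role_claim_is_ignored": denied(lambda: svc.approve("eve", "Q1", "sales_manager")),
        "other_user_cannot_attach": denied(lambda: svc.attach("eve", "Q1", "a.pdf")),
        "disguised_executable_rejected": denied(lambda: svc.attach("alice", "Q1", "a.pdf.exe")),
        "manager_can_approve": not denied(lambda: svc.approve("bob", "Q1")),
    }
```

Each dictionary key corresponds to one row of the kind of test-case table the article describes: the expected result of a negative case is a refusal, and a single positive case confirms the control does not block legitimate use.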
Finally, the article concludes that security testing is as vital as functional testing, and integrating it systematically throughout the development lifecycle helps prevent data leaks and other security incidents.
JD Tech
Official JD technology sharing platform. All the cutting‑edge JD tech, innovative insights, and open‑source solutions you’re looking for, all in one place.