As for any other functionality, requirements-based testing is necessary for cybersecurity mechanisms. However, additional types of testing are required to ensure that no critical unknown vulnerabilities remain in the system. To this end, methods such as fuzzing, vulnerability scanning, and especially penetration testing are used.
A common difficulty in defining and planning these tests is that there is no apparent limit to their scope: Finding something that shouldn’t be there can take any amount of effort. The challenge is to find a balance between reducing residual risk on the one hand and limiting time, effort, and cost on the other.
We support you by systematically identifying the type and scope of tests to balance this balance and planning and controlling the related test activities.