security testing

What
"Testing whether the system meets its specified security objectives."
BS 7925-1. British Computer Society Specialist Interest Group in Software Testing (BCS SIGIST)

The latest fashionable technique is penetration testing, where the tester simulates attempts to break system security in the way a real intruder would.

In most cases security is a non-functional requirement. The exception of course is where the purpose of the software is security itself.

Why?
We all hope that unfriendly people or organisations will not be able to abuse our software or the data that it holds or generates. The type of people or organisation our customers are, and the uses to which they are going to put the software, should dictate the amount of security testing we do.

Three events, I believe, have put security testing into the spotlight: September 11th, the move of business online, and large virus attacks. Notwithstanding those events, every system will have some level of security requirement, and will therefore need testing.

Thus a military communications system will require stringent security testing. At a more personal level, any system that will hold sensitive personal information should, for privacy reasons, be secure.

Even fairly innocuous software can be exploited, either to do something it should not or to be used to break into another system. A good example is the humble Excel product. Many viruses take advantage of buffer overruns to spread themselves, or use the product as a gateway to the operating system and ultimately take over the user's machine.

Who?
The definition above only mentions the system. However, I believe awareness of security should begin even earlier, in component testing. It is at this stage that many of the chinks-in-the-armour defects will be found, for example buffer overruns. Websites may find the potential for SQL injection intrusions. The growing use of web services, with its reliance on opening individual components or sub-systems up for all to use, will make this level of testing even more crucial. Thus we can start our list with developers, or whoever is conducting unit testing.
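As an added illustration of the component-level testing argued for above (this is example code written for this page, not part of the original article or of any product it mentions), the block below sets up a small in-memory SQLite table and runs the same security check against two versions of a hypothetical user-lookup component: one that concatenates the caller's input into the SQL string, and one that passes it as a bound parameter. The check is the kind of assertion a unit tester can write before any penetration tester arrives: a lookup for a name that does not exist must return no rows, however odd the characters in that name. All table names, function names and the probe string are constructed for the example.

```python
import sqlite3
from typing import Callable, List, Tuple

# --- Two versions of a hypothetical lookup component -----------------------

def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[int]]:
    """Defective version: untrusted input is spliced into the SQL text.
    SQL metacharacters in `username` change the meaning of the statement."""
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int]]:
    """Corrected version: the value travels as a bound parameter, so the
    database engine never interprets it as part of the SQL statement."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()


# --- Constructed test fixture ----------------------------------------------

def make_db() -> sqlite3.Connection:
    """Builds a throwaway in-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


# A username that matches no row but contains the classic quote-and-OR
# pattern. A correctly written component treats it as an ordinary string.
INJECTION_PROBE = "x' OR '1'='1"


def returns_only_matching_rows(lookup: Callable[[sqlite3.Connection, str], list]) -> bool:
    """Component-level security check.

    Returns True when `lookup` yields no rows for a non-existent name that
    contains SQL metacharacters. Returns False if extra rows come back
    (input was interpreted as SQL) or if the statement fails to parse
    (input reached the SQL parser at all, which is itself a defect)."""
    conn = make_db()
    try:
        rows = lookup(conn, INJECTION_PROBE)
        return rows == []
    except sqlite3.Error:
        return False
    finally:
        conn.close()


def run_checks() -> dict:
    """Runs the check against both components and reports pass/fail per name."""
    return {
        "find_user_unsafe": returns_only_matching_rows(find_user_unsafe),
        "find_user_safe": returns_only_matching_rows(find_user_safe),
    }


if __name__ == "__main__":
    for name, passed in run_checks().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

The probe is deliberately a value a legitimate user might never type; the point of the check is that the component's behaviour must not depend on the characters in the input. The same shape of test (fixed fixture, hostile-looking but valid input, assertion that only the intended rows or effects occur) carries over to other component boundaries such as file names, HTTP headers and shell arguments.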

Especially in high-risk systems, analysts need to ensure that security is built into the system design and processes. Additionally, testability needs to be high in this particular area.

Ideally, though, the software is tested by an independent test team of system testers. In the case of penetration testing, an outside consultancy is brought in to try to simulate an attack. However, constraints on resources mean that independence suffers in many cases.

Where?
Testing that software is secure can take place anywhere, including the developer's own site. At the other extreme, the penetration tester or "intruder" may be sitting on a different continent, using the telecoms network and the internet to try to break into an online transaction site.

When?
Throughout the whole software development lifecycle, for both the developing organisation and the accepting customer. In addition, regular security testing should be undertaken after delivery to make sure the software is still secure.

How
Perhaps more than any other form of testing, security testing is associated with risk. Thus, where security is of such importance, for example to the police or military, awareness and practice have to be pervasive amongst the stakeholders. If the organisation has a mature development culture and is at level 3 or above in the CMMI, it should already have a strategy for risk mitigation.
