Methodologies

Methodologies (also referred to as checklists) in Canopy are useful in many situations, including:

  • Helping testers follow a detailed test plan (e.g. a web application testing methodology)

  • Tracking what testers have done as part of the engagement (e.g. attestation checklist)

Methodologies contain a list of methodology items. These items capture the information that testers and other team members need in order to follow the methodology, such as:

  • The title of the methodology item

  • A unique reference for ease of identification and tracing (in Canopy, in reports, etc.)

  • Detailed fields for capturing descriptions, testing guides and so on

Creating a methodology template

Canopy allows you to build your own methodologies for driving testing.

Adding a methodology template

Adding a methodology template can be done through the Templates → Methodology section, accessed via the main navigation menu.

Only users with sufficient privileges are able to create and modify methodology templates.

This will bring up the list of existing methodologies defined in the system. Click on the +METHODOLOGY TEMPLATE button, which displays the following screen:

A title and description can be set to help distinguish between different methodology templates.

Adding methodology items

Once the methodology template has been created, it’s easy to start adding items. Click on the +METHODOLOGY ITEM button. This presents you with an edit window where you can add information such as the reference, title, descriptions, test guides, set ratings and so on.

Linking methodologies to the findings KB

You can also link a methodology template item to a KB finding (or multiple). For example:

When a user works through the methodology during testing, Canopy will then suggest the linked findings, so they know which findings to raise when a given methodology item has failed (or passed, if using positive/negative testing).

Using methodologies

Adding a methodology to a phase

Any user with write permissions on a project/phase can add methodologies to a phase. You can do this by clicking on the "Methodologies" tab in the phase view:

And then clicking on the “+Methodology” button and selecting one or more methodologies from the available list:

Once selected, the user can then start working on the methodology.

Working through methodologies and tracking progress

One of the most common use cases for methodologies is following a testing methodology during an engagement. For example, testers can mark methodology items as passed, failed, out-of-scope, etc.

When the user sets the status of a methodology item, the overall progress is summarised for that methodology:

And also on the project level for all methodologies:

Creating/Linking findings and assets from a methodology

When using a methodology, you can create findings and assets from the methodology view itself - without needing to go back to the finding/asset views. For teams using methodologies, this is a time saver.

You can:

  • Add a new finding

  • Add a finding from the Finding KB

  • Link to an existing finding

If a template finding has been linked to a methodology, when clicking the "Add finding from KB" button, you will be presented with the linked (starred) findings first.

Assets can also be linked to individual methodology items. This is useful when you need fine-grained linking between specific assets and the methodology items (checks) that were run against them.
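The behaviour described in this section and under "Linking methodologies to the findings KB" and "Working through methodologies and tracking progress", as an added Python model that is not Canopy's own code or API: items carry a reference, a title, linked KB findings and a positive/negative-testing flag; a status roll-up is produced per methodology and across the project. The page does not say how Canopy calculates the progress percentage or treats out-of-scope items, so that part is an assumption, and every reference, title and finding name below is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    NOT_TESTED = "not tested"
    PASSED = "passed"
    FAILED = "failed"
    OUT_OF_SCOPE = "out of scope"

def summarise(items):
    # Progress roll-up; out-of-scope items are excluded from the denominator (assumption).
    in_scope = [i for i in items if i.status != Status.OUT_OF_SCOPE]
    done = [i for i in in_scope if i.status != Status.NOT_TESTED]
    percent = round(100 * len(done) / len(in_scope), 1) if in_scope else 0.0
    return {"done": len(done), "in_scope": len(in_scope), "percent": percent}

@dataclass
class MethodologyItem:
    reference: str                                       # unique reference for tracing
    title: str
    linked_findings: list = field(default_factory=list)  # KB findings linked to this check
    negative_test: bool = False                          # True: "passed" means the weakness IS present
    status: Status = Status.NOT_TESTED

    def suggested_findings(self):
        # Linked KB findings are suggested only once the outcome indicates an issue
        issue_status = Status.PASSED if self.negative_test else Status.FAILED
        return list(self.linked_findings) if self.status == issue_status else []

@dataclass
class Methodology:
    title: str
    items: list

    def progress(self):
        return summarise(self.items)

def project_progress(methodologies):
    # Project-level summary across every methodology attached to the project's phases
    return summarise([i for m in methodologies for i in m.items])

WEB_APP = Methodology("Web application checklist", [  # constructed sample data
    MethodologyItem("WEB-AUTH-01", "Credentials sent over TLS", ["Cleartext credentials"], status=Status.FAILED),
    MethodologyItem("WEB-AUTH-02", "Admin pages reachable unauthenticated",
                    ["Missing admin authorisation"], True, Status.PASSED),
    MethodologyItem("WEB-INPV-01", "Search form input validation"),
    MethodologyItem("WEB-CLNT-01", "Client-side storage review", status=Status.OUT_OF_SCOPE),
])
```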

Methodologies and reports

It’s possible to output the methodology items and results in reports. This can be useful for showing test case coverage with open frameworks like the OWASP v4 Test Methodology or compliance with the OWASP Application Security Verification Standard. This can be done on a per finding basis, per asset basis, or for the entire methodology (e.g. summary section/appendix of a report).

Of course, it’s also possible to add your own methodologies for test coverage, compliance or simple test attestation checklists.