Methodologies

Methodologies are optional in Canopy, but they are available if your team needs them.

Why might you want to use Methodologies? In most environments, they serve three main use cases (but you might have others!):

  1. To help ensure a minimum baseline of test coverage is achieved by all testers.

  2. To help guide junior testers.

  3. To provide test coverage feedback to clients, either using custom-built methodologies or using industry frameworks, such as the OWASP ASVS (https://owasp.org/asvs).

You can add one or more methodologies to a phase. This allows you to mix different methodologies as required.

Access Control

Any user who has at least write access to a phase can add/remove methodologies.

Adding a Methodology

Access the phase that you want to use a methodology on. Click on the Methodologies tab in the phase view:

Methodologies tab showing a list of methodologies applied to a phase

Click on the + Methodology button. This will present you with a list of Methodologies to choose from:

Dialog for adding methodologies with a list of available methodology templates

You can select one or more, and add these to the phase. The list of methodologies associated with a phase will be updated.

Progressing through a Methodology

The main goal of the methodology is to indicate whether or not a given methodology item (or test case) has been checked. Additional information can also be provided on how to perform the required checks and on how they have been processed.

Once you have completed a methodology item, you can set its status. The following statuses are supported:

Main methodology view showing item status options including Pass, Fail, and Not Applicable

It is also possible to link a methodology item to a finding, either an existing finding or a new one created from the Methodology view. You can do this via the following section:

Interface for linking methodology items to findings, showing options to link existing or create new findings

Similar functionality is available for linking methodology items to assets. This can be useful if you need to track completeness across multiple assets, especially if feedback is required.

Additional capabilities

Methodology items can be linked to Finding KB entries within the Methodology Template. For further information, see: Methodology templates.

Note

Once this linking is set up, adding a finding automatically sets the linked methodology item to the Fail state. This happens both when a Finding KB entry is added to a phase manually and during tool imports.