Unit Tests for Security Features

Activities

• Identify all security-related features. These commonly contribute to the following security goals:
  • confidentiality
  • integrity
  • availability
  • authentication
  • authorization
  • accountability
• Test functionality of these security-related features with unit tests.
  • Beware, unit tests should not only cover positive cases, but also negative cases (e.g., accessing admin resources as a normal user).

Benefits

• Arising vulnerabilities due to faulty code changes in security features can be found immediately.

Assessment

• Provide your unit tests for your security features and explain some of them.

Examples

OWASP Testing Guide provides some good examples, which can be covered by unit tests:

• 4.4.7 Testing for Weak Password Policy
  1. test for known passwords like $company2021, admin, $projectName, 123456, aaa
  2. test for breached passwords
• 4.5.3 Testing for Privilege Escalation
  1. Acquire a session for a normal user.
  2. Access admin functionality that the user should not be able to access. Use different values for all request parameters.
     • For each parameter define valid and invalid values.
     • Create tests for all combinations
  3. Fail the test if you have access
• 4.5.4 Testing for Insecure Direct Object References
  1. Acquire a session for a normal user.
  2. Get a reference to a document or resource accessible only by the user.
  3. Acquire a second session for another user.
  4. Use the reference to access the document or resource.
  5. Fail the test if you have access