Unit Tests for Security Features

Activities

  • Identify all security-related features. These commonly contribute to the following security goals:
    • confidentiality
    • integrity
    • availability
    • authentication
    • authorization
    • accountability
  • Test functionality of these security-related features with unit tests.
    • Beware: unit tests must cover not only positive cases but also negative ones (e.g., accessing admin resources as a normal user must be rejected).

Benefits

  • Vulnerabilities introduced by faulty code changes to security features are found immediately, because the corresponding unit test fails.

Assessment

  • Provide your unit tests for your security features and explain some of them.

Examples

The OWASP Testing Guide provides some good examples that can be covered by unit tests:

  • 4.4.7 Testing for Weak Password Policy
    1. Test for known weak passwords such as $company2021, admin, $projectName, 123456 and aaa.
    2. Test for breached passwords.
  • 4.5.3 Testing for Privilege Escalation
    1. Acquire a session for a normal user.
    2. Attempt to access admin functionality that the user should not be able to reach, using different values for all request parameters.
      • For each parameter, define valid and invalid values.
      • Create tests for all combinations.
    3. Fail the test if access is granted.
  • 4.5.4 Testing for Insecure Direct Object References
    1. Acquire a session for a normal user.
    2. Get a reference to a document or resource accessible only by the user.
    3. Acquire a second session for another user.
    4. Use the reference to access the document or resource.
    5. Fail the test if access is granted.
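The three scenarios above, worked through as pytest-style unit tests against a small in-memory service. This is an added example, not code from the original page or from OWASP; the company and project names, the breached-password list, the users and the document ids are all constructed for illustration, and the `Service` class is a stand-in for whatever application code actually implements the password policy, the admin check and the document ownership check.

```python
"""Unit tests for three security features: password policy (OWASP 4.4.7),
privilege escalation (4.5.3) and insecure direct object references (4.5.4).
Everything here is constructed for illustration."""
from __future__ import annotations

import itertools
import secrets

COMPANY_NAME = "acme"        # assumed; stands in for "$company" on the page
PROJECT_NAME = "widgetapp"   # assumed; stands in for "$projectName"
CURRENT_YEAR = "2021"
# Constructed stand-in for a breached-password corpus; in production this
# would be a lookup against a real breach feed (e.g. a k-anonymity API).
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


class PolicyError(ValueError):
    """Raised when a password violates the policy."""


def check_password_policy(password: str) -> None:
    """Raise PolicyError for weak passwords; return None when acceptable."""
    lowered = password.lower()
    if lowered in BREACHED_PASSWORDS:
        raise PolicyError("password appears in breach corpus")
    for word in (COMPANY_NAME, PROJECT_NAME, "admin", CURRENT_YEAR):
        if word in lowered:
            raise PolicyError(f"contains predictable term {word!r}")
    if len(password) < 12:
        raise PolicyError("shorter than 12 characters")
    if len(set(password)) < 5:
        raise PolicyError("too few distinct characters")


def password_rejected(password: str) -> bool:
    """Boolean wrapper so tests can assert on the result directly."""
    try:
        check_password_policy(password)
    except PolicyError:
        return True
    return False


class Service:
    """Toy application: sessions, an admin-only function, per-user documents."""

    def __init__(self) -> None:
        self._roles = {"alice": "user", "bob": "user", "root": "admin"}
        self._documents = {"doc-1": "alice", "doc-2": "bob"}  # doc id -> owner
        self._sessions: dict[str, str] = {}                   # token -> user

    def login(self, username: str) -> str:
        """Issue an unguessable session token (credential check omitted)."""
        token = secrets.token_urlsafe(16)
        self._sessions[token] = username
        return token

    def _user(self, token: str) -> str:
        if token not in self._sessions:
            raise PermissionError("invalid session")
        return self._sessions[token]

    def list_users(self, token: str, include_inactive: bool = False,
                   fmt: str = "json") -> list[str]:
        """Admin-only; the extra parameters exist so tests can vary them."""
        if self._roles[self._user(token)] != "admin":
            raise PermissionError("admin role required")
        users = sorted(self._roles)
        return users if fmt == "json" else [",".join(users)]

    def get_document(self, token: str, doc_id: str) -> str:
        """Ownership check: only the owner may read the document."""
        user = self._user(token)
        if self._documents.get(doc_id) != user:
            raise PermissionError("not the owner")  # same error for unknown ids
        return f"contents of {doc_id}"


def denied(call, *args, **kwargs) -> bool:
    """True if the call is refused with PermissionError, False if it succeeds."""
    try:
        call(*args, **kwargs)
    except PermissionError:
        return True
    return False


# --- unit tests (run with: pytest this_file.py) ----------------------------

def test_weak_passwords_are_rejected():
    for pw in (f"{COMPANY_NAME}{CURRENT_YEAR}", "admin", PROJECT_NAME,
               "123456", "aaa", "aaaaaaaaaaaaaa"):
        assert password_rejected(pw), pw
    assert not password_rejected("correct horse battery staple")  # positive case


def test_normal_user_cannot_call_admin_function():
    svc = Service()
    token = svc.login("alice")
    # Every combination of valid and invalid values for each request parameter.
    for include_inactive, fmt in itertools.product((True, False, None),
                                                   ("json", "csv", "")):
        assert denied(svc.list_users, token, include_inactive, fmt)
    assert not denied(svc.list_users, svc.login("root"))  # positive case


def test_document_reference_not_usable_by_other_user():
    svc = Service()
    doc = "doc-1"  # reference obtained in alice's own session
    assert svc.get_document(svc.login("alice"), doc) == "contents of doc-1"
    assert denied(svc.get_document, svc.login("bob"), doc)  # second user
    assert denied(svc.get_document, "forged-token", doc)    # no session at all
```

Each test contains both the negative case the guide asks for and one positive case, so a regression that breaks the feature entirely (e.g. an authorization check that now rejects everyone, or a policy that rejects every password) is caught as well as one that weakens it.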