On 12/21/06, Stephen de Vries <[EMAIL PROTECTED]> wrote:
You can achieve very similar goals by using unit tests. Although the tests are not integrated into the code as tightly as something like Spark (or enforcing rules in the compiler), they are considered part of the source. IMO unit and integration testing are vastly underutilised for performing security tests which is a shame because all the infrastructure, tools and skills are there - developers (and security testers) just need to start implementing security tests in addition to the functional tests.
I agree that it's important to test the security of your software and I like test-driven development, but unit tests are not a replacement for static analysis assisted code reviews. Likewise, static analysis and code reviews aren't a substitute for security testing. Security tests attempt to find bad input and verify that the program handles it correctly, but you can't guarantee that you've found every possible type of bad input. Unit tests have the additional problem that input which may be safe for the current unit may become dangerous when interpreted differently in a different unit of the program (e.g., ' OR 1-1--' is just text to your web application, but your database may interpret it as code.)

Code reviews find different bugs than tests do, and they typically find them faster, so good testing practices are not an excuse to ignore static analysis and code reviews. Tests also find different bugs than code reviews do. If your static analysis tool doesn't have a rule to detect a particular class of security bug, it obviously won't find it, but your testers might have the experience to test for it.

James Walden
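The "just text to the web application, but code to the database" case from the reply above, as an added example that is not from the message or its author: a unit test written against the web tier is green for the injection string (written `' OR 1=1--` here, assuming the message's `1-1` is a typo for `1=1`), while the same string changes the meaning of a concatenated query in another unit; the bound-parameter variant is the fix. The table and functions are constructed for the demo using Python's sqlite3.

```python
import html
import sqlite3

# Constructed in-memory table standing in for the application's database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "secret-a"), ("bob", "secret-b")])
    return conn

# Web-tier unit: to this layer the name is only text to be rendered.
def render_greeting(name: str) -> str:
    return f"<p>Hello, {html.escape(name)}</p>"

# Database-tier unit, as written: the same text is spliced into SQL,
# so the database parses the quote and the trailing comment as syntax.
def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        f"SELECT secret FROM users WHERE name = '{name}'").fetchall()

# Database-tier unit, hardened: the value travels as a bound parameter
# and is compared as data, never parsed as SQL.
def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT secret FROM users WHERE name = ?", (name,)).fetchall()

PAYLOAD = "' OR 1=1--"   # the message's string, with 1=1 assumed

def web_tier_test_passes() -> bool:
    # A unit test of the web tier: the string is correctly neutralised for
    # HTML, so the test passes and says nothing about the database tier.
    return render_greeting(PAYLOAD) == "<p>Hello, &#x27; OR 1=1--</p>"

def rows_returned(lookup) -> int:
    # How many rows the given lookup hands back for the same input.
    return len(lookup(make_db(), PAYLOAD))

if __name__ == "__main__":
    print(web_tier_test_passes())        # True
    print(rows_returned(lookup_concat))  # 2: the whole table
    print(rows_returned(lookup_param))   # 0: no user has that name
```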
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________