On 12/21/06, Stephen de Vries <[EMAIL PROTECTED]> wrote:
You can achieve very similar goals by using unit tests. Although the
tests are not integrated into the code as tightly as something like
Spark (or enforcing rules in the compiler), they are considered part
of the source. IMO unit and integration testing are vastly
underutilised for performing security tests which is a shame because
all the infrastructure, tools and skills are there - developers (and
security testers) just need to start implementing security tests in
addition to the functional tests.
I agree that it's important to test the security of your software and I like
test-driven development, but unit tests are not a replacement for static
analysis assisted code reviews. Likewise, static analysis and code reviews
aren't a substitute for security testing.
Security tests attempt to find bad input and verify that the program handles
it correctly, but you can't guarantee that you've found every possible type
of bad input. Unit tests have the additional problem that input which may
be safe for the current unit may become dangerous when interpreted
differently in a different unit of the program (e.g., ' OR 1-1--' is just
text to your web application, but your database may interpret it as code.)
Code reviews find different bugs than tests do, and they typically find them
faster, so good testing practices are not an excuse to ignore static
analysis and code reviews. Tests also find different bugs than code reviews
do. If your static analysis tool doesn't have a rule to detect a particular
class of security bug, it obviously won't find it, but your testers might
have the experience to test for it.
James Walden
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
