3. Why Are We Writing Tests?
Use cases for expected behavior, normal input, functional requirements
E.g. password must contain required validations
Abuse cases for unexpected behavior, invalid input, malicious input
E.g. user Alice tries to access user Bob’s account
4. Unit Test with JUnit
public void testAddTwoItems()
{ Cart instance = new Cart(); boolean isInStock = true;
//First add an item Item item = new Item();
item.setItemId("item01"); instance.addItem(item, isInStock);
//Test adding a second item Item item2 = new Item();
item2.setItemId("item02");
instance.addItem(item2, isInStock);
//Check whether item01 is in the cart
boolean result = instance.containsItemId("item01"); assertTrue("First item is
in cart", result);
//Check whether item02 is in the cart result =
instance.containsItemId("item02");
assertTrue("Second item is in cart", result);
//Check that there are 2 items in the cart
assertEquals("2 items in cart", instance.getNumberOfItems(), 2);}
Here we have a basic test that could be
used in the internal evaluation of an e-
commerce store.
The purpose of this test is to first check
inventory for an Item requested by a
customer, then add item requested by
customer to their cart and so forth
5. Abuse Case with JUnit
public void testAddNullItem() {
Cart instance = new Cart();
boolean isInStock = true;
try {
instance.addItem(null, isInStock);
fail("Adding a null item did not throw an exception");
}
catch (RuntimeException expected) { assertTrue("null Item caught",true);
assertEquals("Null not in cart", instance.getNumberOfItems(), 0);
}
}
6. Security Testing with Unit Tests
Valid Input Invalid Input
public void testValidPhoneNumbers() {
//Test valid input
String number = "232321"; acc.setPhone(number);
validator.validate(acc, errors); assertFalse(number+"
caused a validation error.",
errors.hasFieldErrors("phone"));
number = "+23 232321"; acc.setPhone(number);
validator.validate(acc, errors); assertFalse(number+"
caused a validation error.", errors.hasFieldErrors("phone"));
//etc...
}
public void testIllegalCharactersInPhoneNumber() { String number
= "+(23)';[]232 - 321"; acc.setPhone(number);
validator.validate(acc, errors);
assertTrue(number+" did not cause a validation error.",
errors.hasFieldErrors("phone"));
}
public void testAlphabeticInPhoneNumber() { String number =
"12a12121"; acc.setPhone(number); validator.validate(acc,
errors);
assertTrue(number+" did not cause a validation error.",
errors.hasFieldErrors("phone"));
}
7. Benefits and Disadvantages
Benefits
Tests are run very frequently (issues are
identified quickly)
Many security vulnerabilities can be tested
(authentication, authorization)
Can use tools to script vulnerabilities
Clearly demonstrate/ document
vulnerabilities
Disadvantages
May not be run as often (depending on CI
env)
Some vulnerabilities hard to test (XSS)
Developers have limited involvement
Limited security vulnerabilities can be
tested with low test Coverage
8. Automated Tooling
SAST
Analyze application source
code, byte code and binaries
Ideally should integrate with CI
DAST
Test for security vulnerabilities
in an application’s running
state
Very good at detecting
injection and XSS
9. Penetration Testing
Manually testing uncovers flaws in
Business Logic
Design
Compound Flaw Risks
Testing Schedule
Internal
Always and often stemming from vulnerability scanning and analysis
Third Party
External applications/network perimeter - at least once per year
Before major releases of new systems or significant architecture changes to critical systems
10. Penetration Testing
Penetration testing (pen-testing) attempts to exploit the vulnerabilities to
determine whether unauthorized access or other malicious activity is
possible.
A comprehensive pen-test will include human expertise on top of
professional penetration testing software, tools, and scripts.