Security & Unit Testing
JEREMIAH TILLMAN
What Goes Into Security Testing?
- Writing specs/tests for security
  - Misuse/abuse cases, integration tests
- Automated tooling
  - Static Application Security Testing (SAST)
  - Dynamic Application Security Testing (DAST)
- Manual
  - Code review
  - Penetration testing
Why Are We Writing Tests?
- Use cases for expected behavior, normal input, functional requirements
  - E.g. a password must pass the required validations
- Abuse cases for unexpected behavior, invalid input, malicious input
  - E.g. user Alice tries to access user Bob's account
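The Alice/Bob abuse case above, written as a JUnit test beside its matching use case. This is an added example, not code from the slides; AccountService and AccessDeniedException are hypothetical stand-ins constructed for it, and it assumes JUnit 4.13+ (for assertThrows) and Java 9+ (for Map.of).

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThrows;
import org.junit.Test;
import java.util.Map;

public class AccountAccessTest {
    // Hypothetical minimal service constructed for this example: every read
    // must be made by the account's owner, otherwise access is refused.
    static class AccessDeniedException extends RuntimeException {}

    static class AccountService {
        private final Map<String, String> ownerByAccount =
                Map.of("acct-alice", "alice", "acct-bob", "bob");
        private final Map<String, String> balances =
                Map.of("acct-alice", "100", "acct-bob", "250");

        String viewBalance(String caller, String accountId) {
            // equals(null) is false, so an unknown account is also denied
            if (!caller.equals(ownerByAccount.get(accountId))) {
                throw new AccessDeniedException();
            }
            return balances.get(accountId);
        }
    }

    // Use case: expected behavior on normal input
    @Test
    public void ownerCanReadOwnAccount() {
        AccountService svc = new AccountService();
        assertEquals("100", svc.viewBalance("alice", "acct-alice"));
    }

    // Abuse case: Alice asks for Bob's account and must be refused
    @Test
    public void aliceCannotReadBobsAccount() {
        AccountService svc = new AccountService();
        assertThrows(AccessDeniedException.class,
                () -> svc.viewBalance("alice", "acct-bob"));
    }

    // Abuse case: a non-existent account id must be denied, not leak or crash
    @Test
    public void unknownAccountIsDenied() {
        AccountService svc = new AccountService();
        assertThrows(AccessDeniedException.class,
                () -> svc.viewBalance("alice", "acct-nobody"));
    }
}
```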
Unit Test with JUnit

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.junit.Test;

@Test
public void testAddTwoItems() {
    Cart instance = new Cart();
    boolean isInStock = true;

    // First add an item
    Item item = new Item();
    item.setItemId("item01");
    instance.addItem(item, isInStock);

    // Test adding a second item
    Item item2 = new Item();
    item2.setItemId("item02");
    instance.addItem(item2, isInStock);

    // Check whether item01 is in the cart
    boolean result = instance.containsItemId("item01");
    assertTrue("First item is in cart", result);

    // Check whether item02 is in the cart
    result = instance.containsItemId("item02");
    assertTrue("Second item is in cart", result);

    // Check that there are 2 items in the cart (JUnit order: message, expected, actual)
    assertEquals("2 items in cart", 2, instance.getNumberOfItems());
}

- Here we have a basic test that could be used in the internal evaluation of an e-commerce store.
- The purpose of this test is to first check inventory for an Item requested by a customer, then add the requested item to the customer's cart, and so forth.
Abuse Case with JUnit

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import org.junit.Test;

@Test
public void testAddNullItem() {
    Cart instance = new Cart();
    boolean isInStock = true;
    try {
        instance.addItem(null, isInStock);
        fail("Adding a null item did not throw an exception");
    } catch (RuntimeException expected) {
        // The exception is the expected outcome: the cart must refuse a null item
        assertTrue("null Item caught", true);
        // ...and must not have counted it (JUnit order: message, expected, actual)
        assertEquals("Null not in cart", 0, instance.getNumberOfItems());
    }
}
Security Testing with Unit Tests

// acc, validator and errors are fixtures created in the test class set-up (not shown on the slide);
// validate(target, errors) and hasFieldErrors(field) follow the shape of a Validator/Errors pair.
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Test;

// Valid input
@Test
public void testValidPhoneNumbers() {
    // Test valid input
    String number = "232321";
    acc.setPhone(number);
    validator.validate(acc, errors);
    assertFalse(number + " caused a validation error.", errors.hasFieldErrors("phone"));

    number = "+23 232321";
    acc.setPhone(number);
    validator.validate(acc, errors);
    assertFalse(number + " caused a validation error.", errors.hasFieldErrors("phone"));
    // etc...
}

// Invalid input
@Test
public void testIllegalCharactersInPhoneNumber() {
    String number = "+(23)';[]232 - 321";
    acc.setPhone(number);
    validator.validate(acc, errors);
    assertTrue(number + " did not cause a validation error.", errors.hasFieldErrors("phone"));
}

@Test
public void testAlphabeticInPhoneNumber() {
    String number = "12a12121";
    acc.setPhone(number);
    validator.validate(acc, errors);
    assertTrue(number + " did not cause a validation error.", errors.hasFieldErrors("phone"));
}
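The slide's tests presuppose a validator; this added example (not code from the slides) supplies a hypothetical allow-list PhoneValidator and runs the slide's own valid and invalid vectors against it, plus a few edge cases. The point it shows is that an allow-list of permitted characters and a length bound rejects the "illegal character" and alphabetic cases without enumerating bad characters one by one. It assumes JUnit 4.

```java
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import java.util.regex.Pattern;

public class PhoneValidatorTest {
    // Hypothetical validator constructed for this example. Allow-list: an optional
    // leading '+', then digits, spaces and '-', starting and ending with a digit,
    // at most 20 characters after the '+'. Anything else (letters, quotes,
    // brackets) fails to match and is therefore rejected.
    static final class PhoneValidator {
        private static final Pattern ALLOWED =
                Pattern.compile("^\\+?[0-9](?:[0-9 -]{0,18}[0-9])?$");

        boolean isValid(String number) {
            return number != null && ALLOWED.matcher(number).matches();
        }
    }

    private final PhoneValidator validator = new PhoneValidator();

    // Valid input: the same vectors the slide uses
    @Test
    public void acceptsWellFormedNumbers() {
        for (String number : new String[] {"232321", "+23 232321"}) {
            assertTrue(number + " caused a validation error.", validator.isValid(number));
        }
    }

    // Invalid input: the slide's two abuse vectors, plus empty, bare '+',
    // over-long and null values that the allow-list must also refuse
    @Test
    public void rejectsMalformedNumbers() {
        String[] bad = {"+(23)';[]232 - 321", "12a12121", "", "+",
                        "12345678901234567890123", null};
        for (String number : bad) {
            assertFalse(number + " did not cause a validation error.", validator.isValid(number));
        }
    }
}
```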
Benefits and Disadvantages

Benefits
- Tests are run very frequently (issues are identified quickly)
- Many security vulnerabilities can be tested (authentication, authorization)
- Can use tools to script vulnerabilities
- Clearly demonstrate/document vulnerabilities

Disadvantages
- May not be run as often (depending on CI environment)
- Some vulnerabilities are hard to test (XSS)
- Developers have limited involvement
- Few security vulnerabilities can be tested when test coverage is low
Automated Tooling

SAST
- Analyze application source code, byte code and binaries
- Ideally should integrate with CI

DAST
- Test for security vulnerabilities in an application's running state
- Very good at detecting injection and XSS
Penetration Testing
- Manual testing uncovers flaws in
  - Business logic
  - Design
  - Compound flaw risks
- Testing schedule
  - Internal
    - Always, and often stemming from vulnerability scanning and analysis
  - Third party
    - External applications/network perimeter: at least once per year
    - Before major releases of new systems or significant architecture changes to critical systems
Penetration Testing
- Penetration testing (pen-testing) attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
- A comprehensive pen-test will include human expertise on top of professional penetration testing software, tools, and scripts.
