Page 2 of 2

Re: how do you test a new site you had built for security

Posted: Fri Sep 26, 2008 8:49 am
by marcth
onion2k wrote:
marcth wrote: In my opinion, the best way to test the code for security vulnerabilities is via unit tests :)
Right... you mean like writing a test to make sure known exploits like an SQL injection don't work? Yeah, that would be quite sensible I guess. It wouldn't make your site secure per se, but it would check the security measures you have thought of are working.

More importantly, if someone comes around, modifies your code and introduces a security vulnerability, your existing unit test will expose it immediately.

Re: how do you test a new site you had built for security

Posted: Mon Sep 29, 2008 2:51 am
by Mordred
The point of existence of security flaws is that the programmer didn't think that the particular vulnerability exists in his code, so what is basically proposed with the idea of unit testing for security is that the programmers should know of (and know how to test for) every possible vulnerability out there. Would be nice, wouldn't it!

Apart from that, vulnerabilities may arise from strange border cases between different modules, so these would lie outside of the scope of unit testing.

No. Security measures should be general, and apply to the whole software. There are automated ways of testing for certain types, and these may help in educating the programmer, but not in actually "fixing" the code. What I mean is that - yes - a scanner will detect a vulnerable place, but if you patch it, you haven't fixed the vulnerability, you've just fixed one instance of it. Instead one should educate himself about the vulnerability and take general measures against it, so it would never happen again.
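The two positions above (marcth's regression test for a known exploit, Mordred's objection that a test only covers the instances you thought of and that the real fix is a general measure) can be shown side by side. The following is an added example, not code from either poster or from the thread: a constructed in-memory SQLite table, a login function written with string concatenation, the same function written with bound parameters (the general measure), and a regression check that tries two classic auth-bypass payloads against whichever login function it is given. The table, rows, payloads and function names are all assumptions made for the illustration.

```python
import sqlite3
import unittest

# Constructed sample data for the example; not taken from the original thread.
SAMPLE_USERS = [("alice", "correct horse", 1), ("bob", "hunter2", 0)]


def make_db():
    """Build a throwaway in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text, so a
    quote in the input changes the structure of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """General fix: bound parameters. The driver sends the values separately
    from the SQL text, so no input can alter the query's structure. Applying
    this everywhere removes the vulnerability class, not one instance of it."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two well-known auth-bypass payloads (assumed test inputs): one turns the
# WHERE clause into a tautology, the other comments out the password check.
BYPASS_ATTEMPTS = [
    ("alice", "' OR '1'='1"),
    ("alice'--", "not the password"),
]


def injection_bypasses_login(login_fn):
    """Regression check in the spirit of marcth's post: does any known payload
    log in without valid credentials? Returns True if the function is exploitable
    by at least one of the payloads it knows about (and, as Mordred notes, says
    nothing about payloads it does not know about)."""
    conn = make_db()
    try:
        return any(login_fn(conn, u, p) is not None for u, p in BYPASS_ATTEMPTS)
    finally:
        conn.close()


class SqlInjectionRegressionTest(unittest.TestCase):
    """The unit test that would flag a later change reintroducing concatenation."""

    def test_valid_credentials_still_work(self):
        conn = make_db()
        self.assertEqual(login_fixed(conn, "bob", "hunter2"), "bob")
        conn.close()

    def test_wrong_password_is_rejected(self):
        conn = make_db()
        self.assertIsNone(login_fixed(conn, "bob", "wrong"))
        conn.close()

    def test_known_bypass_payloads_are_rejected(self):
        self.assertFalse(injection_bypasses_login(login_fixed))

    def test_vulnerable_version_is_caught(self):
        # Sanity check that the test itself is capable of detecting the bug.
        self.assertTrue(injection_bypasses_login(login_vulnerable))


if __name__ == "__main__":
    unittest.main()
```

Note what the test does and does not give you: it will fail the moment someone swaps `login_fixed` back to string concatenation, which is marcth's point, but it only knows the two payloads listed in `BYPASS_ATTEMPTS`. The property that actually closes the hole is that every query in the code base uses bound parameters; the test is a tripwire for that policy, not a substitute for it.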