Secure Coding mailing list archives

Compilers


From: james.walden at gmail.com (James Walden)
Date: Fri, 22 Dec 2006 14:30:02 -0500

On 12/21/06, Stephen de Vries <stephen at corsaire.com> wrote:

> You can achieve very similar goals by using unit tests.  Although the
> tests are not integrated into the code as tightly as something like
> Spark (or enforcing rules in the compiler), they are considered part
> of the source.   IMO unit and integration testing are vastly
> underutilised for performing security tests which is a shame because
> all the infrastructure, tools and skills are there - developers (and
> security testers) just need to start implementing security tests in
> addition to the functional tests.


I agree that it's important to test the security of your software and I like
test-driven development, but unit tests are not a replacement for
static-analysis-assisted code reviews.  Likewise, static analysis and code
reviews aren't a substitute for security testing.

Security tests attempt to find bad input and verify that the program handles
it correctly, but you can't guarantee that you've found every possible type
of bad input.  Unit tests have the additional problem that input which may
be safe for the current unit may become dangerous when interpreted
differently in a different unit of the program (e.g., ' OR 1-1--' is just
text to your web application, but your database may interpret it as code.)

Code reviews find different bugs than tests do, and they typically find them
faster, so good testing practices are not an excuse to ignore static
analysis and code reviews.  Tests also find different bugs than code reviews
do.  If your static analysis tool doesn't have a rule to detect a particular
class of security bug, it obviously won't find it, but your testers might
have the experience to test for it.

 James Walden
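The point made in the message above about input that is harmless to one unit and dangerous to another, and the suggestion in the quoted message that security tests can be written alongside functional tests, can both be shown in a few lines. The following is an added example, not code from either poster: a hypothetical web-layer validator (`validate_name`), a lookup that builds SQL by concatenation, the parameterised equivalent, and a security test that exercises each lookup with the classic `' OR 1=1--` form of the payload (the message writes it as `' OR 1-1--'`; the `1=1` form is assumed here because it is the one that makes the condition true). The database and its rows are constructed in memory for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with two users; not from the original thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def validate_name(name):
    """Hypothetical web-layer unit: accepts any non-empty string up to 64 chars.

    A functional unit test of this function is satisfied by the payload below,
    because at this layer the payload really is 'just text'.
    """
    return isinstance(name, str) and 0 < len(name) <= 64


def lookup_unsafe(conn, name):
    # The 'different unit': string concatenation lets the database read the
    # text as SQL.  The trailing quote of the query ends up inside a -- comment.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameterised query: the driver binds name as a value, never as SQL text.
    return [row[0] for row in conn.execute(
        "SELECT secret FROM users WHERE name = ?", (name,)
    )]


# Classic injection payload; the message's example written with 1=1 (assumed).
PAYLOAD = "' OR 1=1--"


def security_test_passes(lookup):
    """A security test in the style the quoted message suggests: the lookup must
    return no rows for a name that does not exist, even when that name carries
    SQL metacharacters.  Returns True if the lookup under test behaves safely."""
    conn = make_db()
    return lookup(conn, PAYLOAD) == []


def demo():
    """Collect the three observations discussed in the thread."""
    conn = make_db()
    return {
        # The validator's own unit test would pass for the payload.
        "validation_accepts_payload": validate_name(PAYLOAD),
        # The concatenated query leaks every user's secret.
        "unsafe_rows": sorted(lookup_unsafe(conn, PAYLOAD)),
        # The parameterised query returns nothing for a non-existent name.
        "safe_rows": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
    print("unsafe lookup passes security test:", security_test_passes(lookup_unsafe))
    print("safe lookup passes security test:", security_test_passes(lookup_safe))
```

Running it shows the validator accepting the payload, the concatenated query returning both secrets, and the parameterised query returning nothing; the security test fails for the concatenated lookup and passes for the parameterised one. The test only catches this class of bug because someone thought to write it, which is the gap a code review or a static-analysis rule for string-built SQL would cover from the other direction.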