Secure Coding mailing list archives

Re: Security Test Cases for Testing


From: ljknews <ljknews () mac com>
Date: Thu, 18 Dec 2003 00:43:11 +0000

At 1:11 PM +0530 12/17/03, Giri, Sandeep wrote:
> Hi Group,
> 
> To avoid security flaws in various applications, I started teaching people
> about how to write secure code.
> But I soon lost hope when I saw the same flaws again and again during code
> audits.
> So, now with a hope to get some of the security flaws (like SQL injection,
> buffer overflows and XSS problems, etc.) foiled while testing,
> I am planning to write test cases for the QA team.

In my experience it is best to have the QA team well enough trained that
they can write the test cases.  The QA team should start at the same time
the development team starts.

> Has anyone already written test cases for the same?

Well yes, but that is just a passing anecdote.  Tests for your software
must be written with your software in mind, preferably with "white box"
testing where your QA team inspects your source and looks for flaws to
exploit.

Note this means your QA team must be _more_ skilled than your developers.
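As an illustration of the kind of white-box test case the thread is asking for (added here as an example, not code from the list post or from either poster), the block below runs the same injection-shaped probes against a string-concatenated lookup, a parameterised lookup, and an HTML renderer; the table, sample rows and function names are assumptions constructed for the example.

```python
import html
import sqlite3

# Constructed sample data; the table and names are assumptions for this example.
SAMPLE_USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]

# Injection-shaped inputs a QA test case feeds to every input that reaches SQL or HTML.
SQLI_PROBE = "' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_concat(conn, name):
    # The pattern that keeps reappearing in audits: the input becomes part of the SQL text.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_param(conn, name):
    # Hardened form: the driver binds the value, so it cannot change the query structure.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name):
    # Output encoding for an HTML body context.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def sqli_test_case(lookup):
    """Pass iff an injection-shaped name matches no user: the probe must return 0 rows."""
    conn = make_db()
    try:
        return len(lookup(conn, SQLI_PROBE)) == 0
    finally:
        conn.close()


def xss_test_case(render):
    """Pass iff the script tag from the probe is encoded rather than emitted raw."""
    out = render(XSS_PROBE)
    return "<script" not in out and "&lt;script&gt;" in out


def run_security_test_cases():
    return {
        "sqli_concat": sqli_test_case(lookup_email_concat),
        "sqli_param": sqli_test_case(lookup_email_param),
        "xss_escaped": xss_test_case(render_greeting),
    }
```

The concatenated lookup fails the case because the probe turns the WHERE clause into a tautology and every row comes back; the parameterised lookup and the escaped renderer pass.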
