Thoughts From a Braidy Tester

by Michael Hunter
April 23, 2007

You Are Not Done Yet: Security

You are not done testing unless...you have thought hard about security testing and made explicit decisions about which testing to do and to not do. Back in the day, when even corporate computers were unlikely to be connected to a network, security testing didn't seem that big of a deal. After all, even if a computer did get infected by a virus it couldn't do much damage! Nowadays, viruses and worms take down corporations' mail systems, even my mother is inundated by spam, and hordes of unknowing consumers host trojan applications doing who knows what under the service of who knows whom. Security testing is now officially a Big Deal. Here are but a few of the plethora of test cases to consider; for more details consult the many big thick security tomes for sale at your favorite bookseller.

  • Pore through your source code, APIs, and user interface looking for potential
    • Buffer overrun attacks
    • Denial of service attacks
    • SQL injection attacks
    • Virus attacks
    • User privacy violations (e.g., including user identifying data in saved files)
  • On Microsoft Windows OSs, use Application Verifier to ensure no NULL DACLs are created or used, and to check for many other potential security issues
  • Verify security for links and macros is sufficient and works correctly
  • Verify relative filenames (e.g., "..\..\file") are handled correctly
  • Verify temporary files are created in appropriate locations and have appropriate permissions
  • Verify your application functions correctly under different user rights and roles
  • Verify your application functions correctly under partial trust scenarios
  • Verify every input is bounds-checked
  • Verify known attack vectors are disabled
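Two of the checklist items above (relative filenames such as "..\..\file", and temporary files with appropriate permissions) are easy to turn into automated checks. The following is an added example, not code from the original post or its author; the base directory /srv/app/data and the sample filenames are constructed inputs, and the temp-file check relies on POSIX mode bits.

```python
import os
import posixpath
import stat
import tempfile

BASE_DIR = "/srv/app/data"  # constructed example root, not from the post


def resolve_within(base_dir, user_path):
    """Return the normalized path if user_path stays inside base_dir, else None.

    Backslashes are treated as separators on every host, so a Windows-style
    "..\\..\\file" is rejected even when this check runs on POSIX."""
    normalized = user_path.replace("\\", "/")
    # Absolute paths and drive-letter prefixes (C:...) escape any base directory
    if posixpath.isabs(normalized) or (len(normalized) > 1 and normalized[1] == ":"):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, normalized))
    # normpath has collapsed every "..", so a plain containment test is sound here
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def temp_file_is_private(path):
    """True if no group/other permission bits are set on the file (POSIX)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def run_filename_cases():
    """Constructed inputs for the relative-filename item; maps input -> (got, expected)."""
    cases = {
        "reports/q1.txt": "/srv/app/data/reports/q1.txt",   # plain relative path
        "reports/../q1.txt": "/srv/app/data/q1.txt",        # '..' that stays inside
        "..\\..\\file": None,                                # the post's own example
        "../../etc/passwd": None,                            # POSIX-style traversal
        "reports/../../file": None,                          # traversal after a subdir
        "/etc/passwd": None,                                 # absolute path
        "C:\\Windows\\win.ini": None,                        # drive-letter path
    }
    return {p: (resolve_within(BASE_DIR, p), exp) for p, exp in cases.items()}


def check_temp_file():
    """mkstemp creates the file with mode 0o600 on POSIX; verify that, then clean up."""
    fd, path = tempfile.mkstemp(prefix="audit-")
    os.close(fd)
    try:
        return temp_file_is_private(path)
    finally:
        os.remove(path)
```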

Posted by The Braidy Tester at 07:30 AM