Software Security Testing
Modern development models such as DevOps early and often automated testing to support continuous development, integration, and deployment. This has recently shifted to DevSecOps, which additionally promotes the incorporation of security into every lifecycle phase. At the intersection of these concerns is a technique known as Security Unit (& Integration) Testing. This is a specialized form of automated testing where developers write unit test cases to verify that security tactic implementations are correct, meet security requirements, and behave as expected. Using this technique, security flaws can be identified and addressed quickly and early in the development lifecycle.
Unfortunately, there is little evidence or prior research into the adoption of security unit (& integration) testing in practice. Further, while the technique is promoted as good practice by respected authorities, there are very few actionable guidelines that developers could reference to help them design test cases. For example, the OWASP Testing Guide v4 (pgs. 28-29) devotes over a page of their introduction to enumerating the benefits and use cases of developer-written security unit & integration tests, but within the guide, the recommended test cases are written in the context of late-phase (“black box”) testing and are difficult to translate into a unit test design.
In this project we aim to do the following:
- Observe and measure the adoption of security unit testing in practice
- Evaluate existing security unit testing resources, standards, and guidelines
- Learn and understand developer’s perceptions, beliefs, (de)motivators, and challenges related to the use of unit testing
- Developer a conceptual framework for supporting developers wishing to write security unit tests
- Curate a centralized knowledge base of resources developers can use to help them design and write security unit test cases.
By achieving these goals, we can establish a support system for developers to increase the adoption of security unit testing.
- Gonzalez, Danielle, Michael Rath, and Mehdi Mirakhorli. “Did You Remember To Test Your Tokens?.” In Proceedings of the 17th International Conference on Mining Software Repositories, pp. 232-242. 2020, https://arxiv.org/abs/2006.14553, https://dl.acm.org/doi/abs/10.1145/3379597.3387471.