1 post • joined 29 May 2008
"Using test-driven development is excellent for security. By defining a suite of security test cases before development starts, the team is much more likely to include the right controls and use them properly."
Great concept in theory, but really hard to implement in practice: how to develop "negative" tests needed in security? Can you really test that your code is not exploitable?
Of course, you can implement obvious tests, like "if you enter a wrong username/password the access is denied" or even some elementary tests against XSS and SQL Injection, but how to test crypto-strength, session management, denial of service, race conditions, just to name a few?
- +Comment 'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Rejoice, Windows fans: Stable 64-bit Chromium drops for Win 7 and 8
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...