1 post • joined 29 May 2008
"Using test-driven development is excellent for security. By defining a suite of security test cases before development starts, the team is much more likely to include the right controls and use them properly."
Great concept in theory, but really hard to implement in practice: how do you develop the "negative" tests needed in security? Can you really test that your code is not exploitable?
Of course, you can implement obvious tests, like "if you enter a wrong username/password, access is denied", or even some elementary tests against XSS and SQL injection, but how do you test crypto strength, session management, denial of service, race conditions, just to name a few?
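As an added example (not from the post or the quoted article), this is what a small suite of "negative" security tests written before the implementation can look like in Python: it covers the elementary cases the post names (wrong credentials, output encoding against XSS) and one of the harder ones, session management (id rotation on login, expiry). The `SessionStore` class and the `alice` user are constructed stand-ins for the code under test.

```python
import hashlib, hmac, html, secrets, time

# Constructed fixture: salted PBKDF2 hash of the password "correct horse".
_SALT = b"fixed-salt-for-the-example"
def _kdf(pw): return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 50_000)
USERS = {"alice": _kdf("correct horse")}

class SessionStore:
    """Stand-in for the code under test: anonymous sessions, login, expiry."""
    def __init__(self, ttl=900):
        self.ttl = ttl
        self._s = {}                                  # sid -> (user, expires_at)
    def anonymous(self):
        sid = secrets.token_urlsafe(32)
        self._s[sid] = (None, time.time() + self.ttl)
        return sid
    def login(self, sid, user, password):
        # Always run the KDF so unknown users cost the same time as known ones.
        ok = hmac.compare_digest(_kdf(password), USERS.get(user, _kdf("")))
        if not ok or user not in USERS:
            return None
        self._s.pop(sid, None)                        # kill the pre-auth id
        new_sid = secrets.token_urlsafe(32)           # fresh id on privilege change
        self._s[new_sid] = (user, time.time() + self.ttl)
        return new_sid
    def user_for(self, sid, now=None):
        rec = self._s.get(sid)
        if rec is None or (now or time.time()) > rec[1]:
            self._s.pop(sid, None)                    # expired: drop it
            return None
        return rec[0]

# Negative tests: each one asserts that something must NOT happen.
def test_wrong_password_denied():
    s = SessionStore(); sid = s.anonymous()
    assert s.login(sid, "alice", "wrong") is None and s.user_for(sid) is None

def test_unknown_user_denied():
    s = SessionStore(); sid = s.anonymous()
    assert s.login(sid, "mallory", "correct horse") is None

def test_session_id_rotates_on_login():
    s = SessionStore(); sid = s.anonymous()
    new = s.login(sid, "alice", "correct horse")
    assert new and new != sid and s.user_for(sid) is None and s.user_for(new) == "alice"

def test_expired_session_rejected():
    s = SessionStore(ttl=60); sid = s.login(s.anonymous(), "alice", "correct horse")
    assert s.user_for(sid, now=time.time() + 61) is None

def test_untrusted_text_is_encoded():
    for p in ["<b>x</b>", '" onfocus="y', "a&b"]:           # constructed inputs
        assert all(c not in html.escape(p) for c in '<>"')
```

Run with `pytest`; the tests fail against a store that keeps the pre-login id or never expires sessions, which is the point of writing them first.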