Application testing is an important part of developing new software. As well as testing the functionality of the software it is important to include tests that check for security vulnerabilities, especially when it is a web-based application.
This video shows how I used application security testing against my IoT Pixel Server project to catch potential vulnerabilities before they could be exploited. It is a follow-on from the STRIDE threat analysis that I performed against the same project.
The example project used is my Raspberry Pi Pixel Server. This IoT project started life as a non-secure application designed for use on a secure network, but as I wanted to make it suitable for connecting to the Internet I decided I needed to implement the CIA triad (confidentiality, integrity, availability) and the AAA security framework (authentication, authorization, accounting). This also meant performing a cybersecurity threat analysis to ensure that the application is secure before connecting it to the Internet, and then adding tests that check for security vulnerabilities.
The tests included in this example are white-box application tests, consisting of unit tests and functional tests. They are all implemented using Python Pytest, specifically the pytest-3 command provided by the python3-pytest package on Raspberry Pi OS. Pytest was chosen because the software is developed in Python and Pytest integrates better with Python Flask than the alternative unittest module, although either could be used.
The unit tests check the low-level operation of the Python classes used in the application. This takes a defense-in-depth approach: each class contains its own code to reject invalid data, so a malicious value is still blocked if a check in an outer layer is bypassed. This is included to protect against potential cross-site scripting (XSS) attacks. The functional tests use the Flask test client, which is part of Flask and is driven from pytest-3, to send requests to the web application without running a real server. For these I have looked at the agile development user stories and put each into a step-by-step process (using a diagram or written list), which is then turned into an appropriate functional test.
I've also created different tests to show different ways of writing them. Some of the tests have the values coded directly into the test, which is usually how people start. I've then extracted some of the values into variables to show how multiple tests can share the same data, and then expanded that to use JSON-formatted files containing the test data. I've also created some tests that generate random data, allowing different passwords generated by the code to be tested.
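The following is an added example of a pytest module written in the styles described above (a hard-coded unit test, a JSON data-driven unit test, and a functional test through the Flask test client using a generated password). It is not the Pixel Server's own test suite: PixelColour, UserStore, create_app and the JSON test data are hypothetical stand-ins for the project's classes, Flask app and data files, and the file name test_pixel_security.py is assumed. Flask is only needed for the functional test; the rest runs with the standard library.

```python
# Added example test module (not the Pixel Server's own tests).
# Run with:  pytest-3 test_pixel_security.py
import hashlib
import hmac
import json
import re
import secrets
import string


class PixelColour:
    """One pixel colour, stored only if it is a strict '#rrggbb' hex triplet.

    Defense in depth: the class rejects anything else, so a value such as
    '<script>' can never be stored and later echoed into a page (XSS),
    even if a check in the web layer was bypassed.
    """
    _HEX = re.compile(r"^#[0-9a-fA-F]{6}$")

    def __init__(self, value):
        if not isinstance(value, str) or not self._HEX.match(value):
            raise ValueError("colour must be '#rrggbb'")
        self.value = value.lower()


class UserStore:
    """Hypothetical username -> (salt, PBKDF2 hash) store, stdlib only."""
    ROUNDS = 100_000

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def check_password(self, username, password):
        # Hash even for unknown users so a missing user costs the same time
        # as a wrong password; compare in constant time.
        salt, stored = self._users.get(username, (bytes(16), bytes(32)))
        match = hmac.compare_digest(self._hash(password, salt), stored)
        return match and username in self._users

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, UserStore.ROUNDS)


def create_app(store):
    """Minimal Flask app with a POST /login form endpoint (hypothetical).
    Flask is imported here so the unit tests above run without it."""
    from flask import Flask, request
    app = Flask(__name__)

    @app.route("/login", methods=["POST"])
    def login():
        ok = store.check_password(request.form.get("username", ""),
                                  request.form.get("password", ""))
        return ("ok", 200) if ok else ("denied", 401)

    return app


def random_password(length=16):
    """Random password from letters, digits and punctuation (secrets module)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed test data in the JSON layout the post moves towards: the expected
# outcome sits beside each input so one test covers many cases, including
# XSS and injection-style values that must never be stored.
COLOUR_CASES_JSON = """
[
  {"input": "#FF8800", "valid": true},
  {"input": "#ff8800", "valid": true},
  {"input": "ff8800", "valid": false},
  {"input": "#GG0000", "valid": false},
  {"input": "<script>alert(1)</script>", "valid": false},
  {"input": "#ff8800; DROP TABLE pixels", "valid": false}
]
"""


def colour_accepted(value):
    """True if PixelColour stores the value, False if it raises ValueError."""
    try:
        PixelColour(value)
        return True
    except ValueError:
        return False


def run_colour_cases(cases_json=COLOUR_CASES_JSON):
    """Return the inputs whose result disagrees with the expected outcome."""
    return [c["input"] for c in json.loads(cases_json)
            if colour_accepted(c["input"]) != c["valid"]]


def test_pixel_colour_rejects_script_tag():      # values coded into the test
    assert colour_accepted("#ff8800")
    assert not colour_accepted("<script>alert(1)</script>")


def test_pixel_colour_json_cases():              # data-driven from JSON
    assert run_colour_cases() == []


def test_login_with_random_password():           # functional, Flask test client
    store = UserStore()
    password = random_password()
    store.add_user("alice", password)
    client = create_app(store).test_client()
    assert client.post("/login", data={"username": "alice", "password": password}).status_code == 200
    assert client.post("/login", data={"username": "alice", "password": password + "x"}).status_code == 401
    assert client.post("/login", data={"username": "nobody", "password": password}).status_code == 401
```

The functional test never binds a port: Flask's test client drives the WSGI app directly, so the login flow from the user story (submit credentials, expect 200 or 401) is checked end to end on every run. Because the password is generated with the secrets module rather than typed into the test, each run exercises a different value, and the two negative cases confirm that a near-miss password and an unknown user are both refused.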
The tests are part of the testing of the Raspberry Pi Pixel Server software and are available on the GitHub page listed below. More tests will be added in the future to increase the code coverage. If you would like to see the ones that were in use at the time of this video then look at the auth branch; in future I'll be adding more tests directly into the main branch.
Security application testing is an important part of testing for security, but there are other security testing tools, which will be covered in future videos.
Please subscribe to Penguin Fortress on YouTube for future videos.
For more details about security see the following guides: