Automated Security Tests


Automated tests for security vulnerabilities help harden components and prevent regressions.

In order to write automated tests for vulnerabilities, you have a number of options:

  • add all kinds of edge cases: strings in different encodings, URLs in different forms, etc.
  • imagine test cases for potential attacks such as injection and document them through automated tests
  • use data generators to feed test data
  • use property-based testing, which may eventually fail on an unexpected combination of inputs that reveals a bug in your code
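As an added example, not code from the original post: a hypothetical redirect-target validator exercised with the three approaches listed above, namely hand-written URL edge cases in several encodings and forms, a simple data generator, and a property check against an independent oracle. The validator, the oracle and every sample URL (including the host `evil.example`) are constructed for illustration.

```python
# Added example, not from the original post: edge-case and property tests
# for a hypothetical redirect-target validator (open-redirect defence).
import random
from urllib.parse import unquote, urlsplit

def is_safe_redirect(target: str) -> bool:
    """Hypothetical validator: accept only same-origin absolute paths."""
    decoded = target
    for _ in range(3):                  # bounded decode: %252F -> %2F -> /
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False                    # CR/LF and other control characters
    if "\\" in decoded:
        return False                    # browsers treat '\' like '/'
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False                    # relative or scheme-relative form
    parts = urlsplit(decoded)
    return parts.scheme == "" and parts.netloc == ""

def oracle_rejects(target: str) -> bool:
    """Reference check: after full decoding, only a same-origin path may remain."""
    decoded = unquote(unquote(unquote(target))).replace("\\", "/")
    parts = urlsplit(decoded)
    return bool(parts.scheme or parts.netloc) or not decoded.startswith("/")

# Hand-written edge cases (constructed): URL form -> expected verdict.
EDGE_CASES = {
    "/account": True,
    "/a/b?next=https://evil.example#frag": True,   # host only in the query
    "/%E2%9C%93": True,                            # percent-encoded UTF-8
    "//evil.example": False,                       # scheme-relative URL
    "/\\evil.example": False,                      # backslash variant
    "%2F%2Fevil.example": False,                   # encoded slashes
    "/%252Fevil.example": False,                   # double-encoded slash
    "https://evil.example": False,                 # absolute URL
    "/account\r\nX-Test: 1": False,                # CRLF inside the target
}
FRAGMENTS = ["/", "//", "\\", "%2F", "%5C", "%252F", "https:", "evil.example",
             "account", "?next=", "\r\n", "\t", "%00", "@", "..", "%E2%9C%93"]

def random_targets(seed: int, n: int):
    """Data generator: random concatenations of the fragments above."""
    rng = random.Random(seed)
    for _ in range(n):
        yield "".join(rng.choice(FRAGMENTS) for _ in range(rng.randint(1, 6)))

def property_violations(seed: int = 0, n: int = 2000) -> list:
    """Property: an accepted target is never one the oracle rejects."""
    return [u for u in random_targets(seed, n)
            if is_safe_redirect(u) and oracle_rejects(u)]
```

Running the generator with a different seed in a nightly job, as the post suggests for slow tests, widens coverage without changing the property being checked.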

How many of these tests should you add? That depends on the risks for the component you’re working on. We can never achieve 100% security, so the real question is how much to invest in getting close to where we want to be. Overall, it’s better to add too many tests, if that is easy, than too few. If they prove to be slow, you can always run them automatically only during the nightly builds, and there are usually ways to speed them up if needed.
