Difference between revisions of "OWASP Secure TDD Project"
Lauren Tabak (talk | contribs)
(39 intermediate revisions by 3 users not shown)
Line 1: | Line 1:
=Main= | =Main= | ||
− | <div style="width:100%;height: | + | <!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --> |
+ | <div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]] </div> | ||
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
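Review bot: the inline style on the added banner div reads `border:0,margin:0;` with a comma where a semicolon belongs, so the browser discards the whole `border` declaration and the `margin:0` with it; change it to `border:0;margin:0;`.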
Line 19: | Line 20: | ||
− | TDD is about writing a test which will fail, then writing the minimum amount of code required to make it run | + | TDD is about writing a test which will fail, then writing the minimum amount of code required to make it run and then refactoring the code to make it clean. <br> This is done in cycles, fail -> pass -> refactor, adding a new test for each known requirement for the code.<br> |
− | |||
A TDD test expresses the task of the application functionality that needs to be implemented next and the criterion for success. <br> | A TDD test expresses the task of the application functionality that needs to be implemented next and the criterion for success. <br> | ||
− | |||
TDD is not about testing. TDD uses tests to drive the design of the code.<br> | TDD is not about testing. TDD uses tests to drive the design of the code.<br> | ||
− | |||
This can be done with unit tests, functional tests and acceptance tests. Usually, all three are used.<br> | This can be done with unit tests, functional tests and acceptance tests. Usually, all three are used.<br> | ||
− | |||
The tests tell you what to do, what to do next and when you are done. They tell you what the API is going to be, what the design is. <br> | The tests tell you what to do, what to do next and when you are done. They tell you what the API is going to be, what the design is. <br> | ||
− | |||
The tests permit you to refactor safely, ensuring that the desired behavior continues to work while you adjust your design. The tests also guide you to testable code, promoting smaller methods, shorter parameter lists, and overall much simpler design than other methodologies lead you to.<br> | The tests permit you to refactor safely, ensuring that the desired behavior continues to work while you adjust your design. The tests also guide you to testable code, promoting smaller methods, shorter parameter lists, and overall much simpler design than other methodologies lead you to.<br> | ||
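Review bot: in the reworded first sentence, "the minimum amount of code required to make it run" should read "to make it pass"; at the red step the test already runs and fails, and the cycle the next sentence names is fail -> pass -> refactor.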
Line 36: | Line 32: | ||
Unit Testing is about testing individual units of behavior. An individual unit of behavior is the smallest possible unit of behavior that can be individually tested in isolation.<br> | Unit Testing is about testing individual units of behavior. An individual unit of behavior is the smallest possible unit of behavior that can be individually tested in isolation.<br> | ||
− | |||
You can write unit tests before you write your code, after you write your code or while you write your code.<br> | You can write unit tests before you write your code, after you write your code or while you write your code.<br> | ||
Line 42: | Line 37: | ||
Unlike a unit test, a TDD test is used to drive the design of an application. A TDD test is used to express what application code should do before the application code is actually written.<br> | Unlike a unit test, a TDD test is used to drive the design of an application. A TDD test is used to express what application code should do before the application code is actually written.<br> | ||
− | + | TDD is less about testing, and more about designing the code. Unit tests are then used to set the expectations for the end code. When the end code is written, and passes tests (specifications), you have a code that was designed using tests.<br> | |
− | TDD is less about testing, and more about designing the code. Unit tests are then used to set the expectations for the end code. | ||
− | |||
Like unit tests, TDD tests can be used for regression testing. You can use TDD tests to immediately determine whether a change in code has broken existing application functionality. However, unlike a unit test, a TDD test does not necessarily test one unit of code in isolation. <br> | Like unit tests, TDD tests can be used for regression testing. You can use TDD tests to immediately determine whether a change in code has broken existing application functionality. However, unlike a unit test, a TDD test does not necessarily test one unit of code in isolation. <br> | ||
− | |||
You can do unit testing without doing test driven development. However you can't do test driven development without using unit tests.<br> | You can do unit testing without doing test driven development. However you can't do test driven development without using unit tests.<br> | ||
− | |||
When you do traditional unit testing, you write test after you wrote your code.<br> | When you do traditional unit testing, you write test after you wrote your code.<br> | ||
− | |||
Test driven development approach is to write unit test before writing code.<br> | Test driven development approach is to write unit test before writing code.<br> | ||
Line 56: | Line 46: | ||
'''How do we solve the problem by implementing STDD?''' | '''How do we solve the problem by implementing STDD?''' | ||
− | TDD will help | + | |
+ | TDD will help with the following: | ||
- Tests can be written to verify the threat.<br> | - Tests can be written to verify the threat.<br> | ||
- A solution can be implemented to block the threat, and quickly be confirmed to be working.<br> | - A solution can be implemented to block the threat, and quickly be confirmed to be working.<br> | ||
− | - Provided all other tests still pass, you can quickly verify that | + | - Provided all other tests still pass, you can quickly verify that all other security measures and all other functionality still behave correctly. |
− | + | ||
− | |||
Basically TDD assists in allowing a quick turnaround time from when a threat is discovered to when a solution becomes available.<br> | Basically TDD assists in allowing a quick turnaround time from when a threat is discovered to when a solution becomes available.<br> | ||
TDD is not going to protect you from unknown threats. By its very nature, you have to know what you want to test in order to write the test in the first place.<br> | TDD is not going to protect you from unknown threats. By its very nature, you have to know what you want to test in order to write the test in the first place.<br> | ||
− | + | However, Secure Test Driven Development (STDD) will help us Defend against existing threats and help developers secure their product by reducing and eliminating vulnerabilities in software | |
− | However, STDD will help us Defend against existing threats and help developers secure their product by reducing and eliminating vulnerabilities in software before deployment while using the TDD life cycle.<br> | + | before deployment while using the TDD life cycle.<br> |
− | |||
TDD favors highly localized (unit testing). As a result you could easily test that:<br> | TDD favors highly localized (unit testing). As a result you could easily test that:<br> | ||
− | GetSafeSQLParam() would correctly guard against SQL injection | + | GetSafeSQLParam() would correctly guard against SQL injection or that SecureZeroMemory() would correctly erase a password from RAM.<br> |
However, it becomes more difficult to verify that all developers have used the correct method in every place that it's required.<br> | However, it becomes more difficult to verify that all developers have used the correct method in every place that it's required.<br> | ||
+ | Our STDD tool solves this problem, discovering security threats and vulnerabilities in software while writing the code.<br> | ||
+ | |||
+ | ==Description== | ||
− | + | STDD is a tool that will ensure secure coding using an Add-On for Microsoft Visual Studio, by creating auto generated STDD tests, assisting us to find vulnerabilities, exploits and security bugs inside the code while using the TDD life cycle. | |
+ | The tests we will be focusing on are prevention against SQL injection and XSS attacks. | ||
− | + | The benefits of such a tool will save time, money and keep code safe from security vulnerabilities. | |
− | |||
− | |||
− | |||
+ | ==Installation Guide== | ||
+ | <u>Requirements:</u> | ||
+ | <BR> | ||
+ | 1. Microsoft Visual-Studio 2013 SDK <BR> (http://www.microsoft.com/en-us/download/details.aspx?id=40758) <BR> | ||
+ | 2. Microsoft Visual-Studio 2013 and above <BR> | ||
− | + | <u>Setup:</u> | |
+ | <BR> | ||
+ | 1. Download the project from our Github at https://github.com/SecureTDD/VisualStudio<BR> | ||
+ | 2. Select destination folder<BR> | ||
+ | 3. Select the product you want to install (Microsoft Visual-Studio 2013 and above) <BR> | ||
+ | 4. Launch Visual-Studio, click on Tools > Secure TDD Wizard <BR> | ||
− | + | <u>Secure TDD Installer : </u> | |
− | |||
+ | http://securetdd.byethost10.com/SecureTDDInstaller.zip | ||
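Review bot: the "Secure TDD Installer" link serves an executable archive over plain http from a third-party free host, with no checksum or signature listed, so a user has no way to confirm the download is the team's build; publish the installer as a release on the GitHub repository named in step 1 and list a SHA-256 hash or signature beside it. The setup steps also need to say whether the user builds the downloaded source or runs the installer: step 1 fetches the source, but steps 2 and 3 ("Select destination folder", "Select the product you want to install") describe the installer dialog.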
Line 101: | Line 101: | ||
The OWASP Secure TDD Project provides: | The OWASP Secure TDD Project provides: | ||
− | * | + | * Secure testing --> Secure coding |
− | * | + | * Efficient coding which saves alot of time and money |
− | == | + | == Quick Download == |
− | + | * Download source code from Github:<br> | |
+ | https://github.com/SecureTDD/VisualStudio | ||
+ | == Presentation == | ||
+ | OWASP IL October 2013[https://www.owasp.org/images/5/5c/OWASP_IL_2013_10_Nir_Valtman_STDD.pdf] | ||
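Review bot: "alot" in the second bullet of the new "provides" list should be "a lot".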
Line 118: | Line 121: | ||
Line 159: | Line 141: | ||
=FAQs= | =FAQs= | ||
− | ; | + | ; What is Secure STDD? |
− | : | + | : Secure Test Driven Development (STDD) will help us Defend against existing threats and help developers secure their product by reducing and eliminating vulnerabilities in software before deployment while using the TDD life cycle. |
+ | |||
+ | ; How to benefit from STDD? | ||
+ | : The benefits of such a tool will save time, money and keep code safe from security vulnerabilities. This tool does not require a thorough understanding of the possible Security threats thus making it easier for the Programmer to generate such Security tests. <br> STDD tests also guide you to testable code, promoting smaller methods, shorter parameter lists, and overall much simpler design than other methodologies lead you to. | ||
− | |||
− | |||
= Acknowledgements = | = Acknowledgements = | ||
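Review bot: the new FAQ heading "What is Secure STDD?" is redundant, since the answer expands STDD to Secure Test Driven Development; use "What is STDD?" or "What is Secure TDD?". The answer to "How to benefit from STDD?" also repeats the Description section word for word; a one-line pointer to that section would keep the two copies from drifting apart.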
Line 169: | Line 152: | ||
The OWASP Secure TDD Project is developed by a worldwide team of volunteers. The primary contributors to date have been: | The OWASP Secure TDD Project is developed by a worldwide team of volunteers. The primary contributors to date have been: | ||
− | * Lauren Tabak | + | * Lauren Tabak |
* Niran Yadai | * Niran Yadai | ||
* Tal Darsan | * Tal Darsan | ||
* Ofir Melinger | * Ofir Melinger | ||
* Kobi Barzilay | * Kobi Barzilay | ||
+ | |||
= Road Map and Getting Involved = | = Road Map and Getting Involved = | ||
As of March 2014, the priorities are: | As of March 2014, the priorities are: | ||
− | * | + | |
− | * | + | * Visual Studio Add-On |
− | * | + | * Configuration test support |
+ | * SQLi and XSS Security tests | ||
Involvement in the development and promotion of the OWASP Secure TDD Project is actively encouraged! | Involvement in the development and promotion of the OWASP Secure TDD Project is actively encouraged! | ||
You do not have to be a security expert in order to contribute. | You do not have to be a security expert in order to contribute. | ||
Some of the ways you can help: | Some of the ways you can help: | ||
− | * | + | |
− | + | * Additional Security tests | |
+ | |||
Latest revision as of 21:07, 12 February 2016

OWASP Secure TDD Project

The OWASP Secure TDD Project allows organizations to integrate security into the Test Driven Development (TDD) lifecycle.

Introduction

About TDD

So how does a TDD test differ from a unit test? Unlike a unit test, a TDD test is used to drive the design of an application. A TDD test is used to express what application code should do before the application code is actually written.

- Tests can be written to verify the threat.
- A solution can be implemented to block the threat, and quickly be confirmed to be working.
- Provided all other tests still pass, you can quickly verify that all other security measures and all other functionality still behave correctly.

Basically TDD assists in allowing a quick turnaround time from when a threat is discovered to when a solution becomes available. TDD is not going to protect you from unknown threats. By its very nature, you have to know what you want to test in order to write the test in the first place.

TDD favors highly localized unit testing. As a result you could easily test that GetSafeSQLParam() would correctly guard against SQL injection or that SecureZeroMemory() would correctly erase a password from RAM. However, it becomes more difficult to verify that all developers have used the correct method in every place that it's required.

Description

STDD is a tool that will ensure secure coding using an Add-On for Microsoft Visual Studio, by creating auto generated STDD tests, assisting us to find vulnerabilities, exploits and security bugs inside the code while using the TDD life cycle. The tests we will be focusing on are prevention against SQL injection and XSS attacks. The benefits of such a tool will save time, money and keep code safe from security vulnerabilities.
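The STDD idea described above (write the test that checks a threat is blocked, then the minimal guard that makes it pass, then refactor) and the two guards the text names, a safe SQL parameter check and SecureZeroMemory()-style erasure, as an added C++ example. This is not code from the OWASP Secure TDD project or its Visual Studio add-on: the function names is_safe_sql_literal, html_encode and secure_zero, the allow-list rule, and the sample inputs are all assumptions constructed for the example, and secure_zero only mirrors the intent of the Win32 SecureZeroMemory() without depending on Windows.

```cpp
// Added example, not the OWASP Secure TDD project's code. Three STDD-style unit
// tests written test-first, each expressing one security requirement, plus the
// smallest guard that makes each pass. Function names and inputs are constructed.
#include <cassert>
#include <cctype>
#include <cstddef>
#include <string>

// Guard 1 (assumed name): strict allow-list for a value about to be bound as a
// SQL parameter. Parameterised queries remain the primary defence; this check
// is defence in depth of the kind a unit test can verify in isolation.
// Constructed rule: up to 64 chars of alphanumerics, space, '_', '-', '@', '.'.
bool is_safe_sql_literal(const std::string& value) {
    if (value.empty() || value.size() > 64) return false;
    for (unsigned char c : value) {
        bool ok = std::isalnum(c) || c == ' ' || c == '_' ||
                  c == '-' || c == '@' || c == '.';
        if (!ok) return false;
    }
    return true;
}

// Guard 2 (assumed name): HTML output encoding, the mitigation for reflected
// and stored XSS when untrusted text is written into an HTML body or attribute.
std::string html_encode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#x27;"; break;
            default:   out += c;
        }
    }
    return out;
}

// Guard 3 (assumed name): erase a secret so the optimiser cannot drop the
// stores as dead; the volatile write has the same intent as SecureZeroMemory().
void secure_zero(void* p, std::size_t n) {
    volatile unsigned char* vp = static_cast<volatile unsigned char*>(p);
    while (n--) *vp++ = 0;
}

// The tests. Each was the "red" step before its guard existed. Inputs are
// constructed for the example.
bool test_sql_guard_rejects_injection() {
    return  is_safe_sql_literal("alice_01") &&
           !is_safe_sql_literal("alice' OR '1'='1") &&
           !is_safe_sql_literal("x; DROP TABLE users--") &&
           !is_safe_sql_literal("");
}

bool test_html_encode_neutralises_script() {
    std::string encoded = html_encode("<script>alert(1)</script>");
    return encoded == "&lt;script&gt;alert(1)&lt;/script&gt;" &&
           encoded.find('<') == std::string::npos;
}

bool test_secure_zero_erases_password() {
    char pw[] = "hunter2";            // constructed secret, 8 bytes with NUL
    secure_zero(pw, sizeof pw);
    for (char c : pw) if (c != 0) return false;
    return true;
}

// Runs the whole suite; a regression in any guard turns this false.
bool run_all_security_tests() {
    return test_sql_guard_rejects_injection() &&
           test_html_encode_neutralises_script() &&
           test_secure_zero_erases_password();
}

int main() { return run_all_security_tests() ? 0 : 1; }
```

The point of each test is that it states the threat it guards against in terms the guard's caller can read, so the test file doubles as the security specification the page describes; what the tests cannot do, as the text notes, is prove that every call site actually uses the guard.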
Installation Guide

Requirements:
1. Microsoft Visual Studio 2013 SDK (http://www.microsoft.com/en-us/download/details.aspx?id=40758)
2. Microsoft Visual Studio 2013 and above

Setup:
1. Download the project from our GitHub at https://github.com/SecureTDD/VisualStudio
2. Select destination folder
3. Select the product you want to install (Microsoft Visual Studio 2013 and above)
4. Launch Visual Studio, click on Tools > Secure TDD Wizard

Secure TDD Installer: http://securetdd.byethost10.com/SecureTDDInstaller.zip

Licensing

The OWASP Secure TDD Project is free to use. It is licensed under the Apache 2.0 License.
What is the OWASP Secure TDD Project?

The OWASP Secure TDD Project provides:
- Secure testing --> Secure coding
- Efficient coding which saves a lot of time and money

Quick Download
Download source code from GitHub: https://github.com/SecureTDD/VisualStudio

Presentation
OWASP IL October 2013 (https://www.owasp.org/images/5/5c/OWASP_IL_2013_10_Nir_Valtman_STDD.pdf)

Project Leader
Nir Valtman
- What is Secure STDD?
- Secure Test Driven Development (STDD) will help us defend against existing threats and help developers secure their product by reducing and eliminating vulnerabilities in software before deployment while using the TDD life cycle.
- How to benefit from STDD?
- The benefits of such a tool will save time, money and keep code safe from security vulnerabilities. This tool does not require a thorough understanding of the possible security threats, thus making it easier for the programmer to generate such security tests.
STDD tests also guide you to testable code, promoting smaller methods, shorter parameter lists, and overall much simpler design than other methodologies lead you to.
Volunteers
The OWASP Secure TDD Project is developed by a worldwide team of volunteers. The primary contributors to date have been:
- Lauren Tabak
- Niran Yadai
- Tal Darsan
- Ofir Melinger
- Kobi Barzilay
As of March 2014, the priorities are:
- Visual Studio Add-On
- Configuration test support
- SQLi and XSS Security tests
Involvement in the development and promotion of the OWASP Secure TDD Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:
- Additional Security tests