304 Core Software Security
Basically, the tests must check the precise behavior as specified. That is, turn the specification into a test case: When a user attempts to load a protected page, is there an authentication challenge? When correct login information is input, is the challenge satisfied? When invalid credentials are offered, is authentication denied?
Corner cases are the most difficult. These might be tests of default behavior or behavior that is not explicitly specified. In our authentication case, if a page does not choose protection, is the default for the Web server followed? If the default is configurable, try both binary defaults: No page is protected versus all pages are protected.
Other corner cases for this example might be to test invalid user and garbage IDs against the authentication, or to try to replay session tokens. Session tokens typically have a time-out. What happens if the clock on the browser is different from the clock at the server? Is the token still valid, or does it expire en route? Each of these behaviors might happen to a typical user, but won't be usual.
Finally, and most especially for security features, many features will be attacked. In other words, whatever can be abused is likely to be abused. An attacker will pound on a login page, attempting brute-force discovery of legal passwords. Not only should a test plan include testing of any lockout feature, it should also be able to uncover any weaknesses in the ability to handle multiple, rapid logins without failing or crashing the application or the authentication service.
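The four kinds of test described above (specified behavior, both configurable defaults, garbage IDs and token replay with clock skew, and lockout under rapid login attempts) are written out below against a small stand-in authentication service. This is an added example, not code from the book: the AuthService class, its session time-out, lockout threshold and the page and user names are all constructed for illustration, and each test function returns True only when the service behaves as the specification says.

```python
"""Spec-derived and corner-case tests for a constructed page-authentication service."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SESSION_TTL = 300        # seconds a session token stays valid, judged by the server clock (assumed)
MAX_FAILURES = 5         # failed logins before the account locks (assumed)
LOCKOUT_SECONDS = 900    # how long the lock lasts (assumed)
T0 = 1_700_000_000.0     # constructed server time used by the tests


@dataclass
class AuthService:
    users: dict                   # username -> password (toy store; a real one holds hashes)
    protected_pages: dict         # path -> bool; a path not listed follows default_protected
    default_protected: bool = True
    sessions: dict = field(default_factory=dict)   # token -> (user, expires_at)
    failures: dict = field(default_factory=dict)   # user -> (count, locked_until)

    def is_protected(self, path: str) -> bool:
        return self.protected_pages.get(path, self.default_protected)

    def login(self, user: str, password: str, now: float) -> Optional[str]:
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return None                       # locked: refuse even a correct password
        stored = self.users.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if not ok:
            count += 1
            self.failures[user] = (0, now + LOCKOUT_SECONDS) if count >= MAX_FAILURES else (count, locked_until)
            return None
        self.failures.pop(user, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now + SESSION_TTL)   # expiry fixed by the server clock
        return token

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def request_page(self, path: str, token: Optional[str], now: float,
                     client_time: Optional[float] = None) -> str:
        """Return 'content' or 'challenge'. client_time mimics a browser-supplied clock and is ignored."""
        if not self.is_protected(path):
            return "content"
        entry = self.sessions.get(token) if token else None
        if entry is None or now >= entry[1]:
            self.sessions.pop(token, None)    # forget expired tokens so they cannot be replayed
            return "challenge"
        return "content"


def make_service(default_protected: bool = True) -> AuthService:
    return AuthService(users={"alice": "correct horse"},
                       protected_pages={"/account": True, "/public": False},
                       default_protected=default_protected)


def test_specified_behavior() -> bool:
    svc = make_service()
    challenged = svc.request_page("/account", None, T0) == "challenge"
    denied = svc.login("alice", "wrong", T0) is None
    token = svc.login("alice", "correct horse", T0)
    satisfied = token is not None and svc.request_page("/account", token, T0) == "content"
    return challenged and denied and satisfied


def test_both_defaults() -> bool:
    # an unlisted page must follow whichever default is configured
    open_default = make_service(False).request_page("/unlisted", None, T0) == "content"
    closed_default = make_service(True).request_page("/unlisted", None, T0) == "challenge"
    return open_default and closed_default


def test_garbage_ids_and_replay() -> bool:
    svc = make_service()
    garbage_user = svc.login("\x00\xff' OR 1=1 --", "x", T0) is None
    garbage_token = svc.request_page("/account", "not-a-real-token", T0) == "challenge"
    token = svc.login("alice", "correct horse", T0)
    svc.logout(token)
    replayed = svc.request_page("/account", token, T0 + 1) == "challenge"
    return garbage_user and garbage_token and replayed


def test_clock_skew() -> bool:
    svc = make_service()
    token = svc.login("alice", "correct horse", T0)
    skewed = T0 - 3600                        # browser clock an hour behind the server
    still_valid = svc.request_page("/account", token, T0 + SESSION_TTL - 1, client_time=skewed) == "content"
    expired = svc.request_page("/account", token, T0 + SESSION_TTL, client_time=skewed) == "challenge"
    return still_valid and expired


def test_lockout_and_rapid_logins() -> bool:
    svc = make_service()
    all_refused = all(svc.login("alice", f"guess{i}", T0 + i * 0.01) is None for i in range(MAX_FAILURES))
    locked = svc.login("alice", "correct horse", T0 + 1) is None
    recovered = svc.login("alice", "correct horse", T0 + LOCKOUT_SECONDS + 1) is not None
    burst_ok = all(svc.login("nobody", "x", T0 + i) is None for i in range(10_000))  # no crash, no success
    return all_refused and locked and recovered and burst_ok


def run_all() -> dict:
    tests = [test_specified_behavior, test_both_defaults, test_garbage_ids_and_replay,
             test_clock_skew, test_lockout_and_rapid_logins]
    return {t.__name__: t() for t in tests}


if __name__ == "__main__":
    for name, passed in run_all().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

The abuse-case tests deserve a closer look than the others: the lockout test checks both that a correct password is refused while the lock holds and that the account recovers afterwards, and the burst against a non-existent user is the place a real service would show a crash, an unbounded failure table, or a timing difference between known and unknown users.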
In our experience, most experienced quality people will understand "as designed" testing, as well as corner cases. Abuse cases, however, may be a new concept that will need support, training, and perhaps mentorship.
9.4.2 Dynamic Testing
Dynamic testing refers to executing the source code and seeing how it performs with specific inputs. All validation activities come in this category where execution of the program is essential.[17]
Dynamic tests are tests run against the executing program. In the security view, dynamic testing is generally performed from the perspective of the attacker. In the purest sense of the term, any test that is run against the executing program is "dynamic." This includes vulnerability scans,