Monday, March 19, 2007

Web Security Regression Testing

How are folks approaching regression testing for web app security bugs, especially in cases where you may have remediated a small problem via mod_security or mod_rewrite?

In many cases where you have a code-related issue it is relatively straightforward to write new test cases in your software testing frameworks to test for recurrence and/or correct behavior.

In deployed web applications though you might choose to fix a simple hole via a webserver hack, config change, etc.

Most of the scanners out there could be trained to look for the hole in question and detect whether it recurs. Or, I could use something like perl-mechanize to write up some test cases against the potentially vulnerable app.

Anyone have any recommendations for doing this?

I'm open to product ideas and/or toolkits. Ideally all fixes would be done to the originally vulnerable code-base, but in cases where that isn't the right approach, or isn't the initial approach, you still want continuous monitoring for issues.

1 comment:

dre said...

I suggest continuous-prevention development, where a unit test is written to test for the defect, assert any new behavior that is caused by the defect's fix, etc.

Actually I recommend continuous-prevention development over regression testing for all situations - but it just seems to be extremely useful/powerful for security-related bugs.
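As an added illustration of both the mechanize-style test cases the post asks about and the "unit test for the defect" that dre describes (this is example code written here, not the post's or any product's), the following Python script replays a proof-of-concept request against a deployment and checks two things: that the original defect does not recur, and that normal behaviour survived the fix. The "application" and the webserver-level rule are both simulated in-process with the standard library so the script runs offline; the endpoint `/search`, the parameter `q`, the reflected-XSS style proof-of-concept value and the rule "reject any query containing `<`" are all constructed assumptions standing in for whatever the real bug report and mod_security/mod_rewrite remediation would be.

```python
"""Regression test for a web-app security fix applied outside the code base.

Assumed scenario (constructed for this example): a search page reflected the
'q' parameter unescaped, and the fix was a webserver rule that rejects
requests whose query string contains '<', leaving the app code unchanged.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample input: the proof-of-concept value from the (hypothetical)
# bug report, kept as data so the test re-sends exactly what was reported.
POC_PARAM = '<script>alert(1)</script>'
BENIGN_PARAM = 'mod_security'


def make_handler(remediated):
    """Build a handler that simulates the deployed app.

    remediated=False reflects the search term unescaped (the original defect).
    remediated=True models a mod_security/mod_rewrite rule in front of the
    unchanged app: requests whose query contains '<' get a 403.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            parsed = urllib.parse.urlsplit(self.path)
            if parsed.path != '/search':
                self._reply(404, 'not found')
                return
            if remediated and '<' in urllib.parse.unquote(parsed.query):
                self._reply(403, 'blocked by webserver rule')
                return
            term = urllib.parse.parse_qs(parsed.query).get('q', [''])[0]
            # The unchanged application code: reflects the term without escaping.
            self._reply(200, '<p>Results for %s</p>' % term)

        def _reply(self, status, body):
            data = body.encode()
            self.send_response(status)
            self.send_header('Content-Type', 'text/html; charset=utf-8')
            self.send_header('Content-Length', str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the test run quiet
            pass
    return Handler


def fetch(base_url, term):
    """GET /search?q=<term> and return (status, body), 4xx/5xx included."""
    url = base_url + '/search?' + urllib.parse.urlencode({'q': term})
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def run_regression(remediated):
    """Start the simulated deployment, replay the PoC, return the findings."""
    server = ThreadingHTTPServer(('127.0.0.1', 0), make_handler(remediated))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = 'http://127.0.0.1:%d' % server.server_address[1]
    try:
        poc_status, poc_body = fetch(base, POC_PARAM)
        ok_status, ok_body = fetch(base, BENIGN_PARAM)
    finally:
        server.shutdown()
        server.server_close()
    return {
        # The defect recurs if the PoC comes back verbatim in a 200 response.
        'reflected': poc_status == 200 and POC_PARAM in poc_body,
        'poc_status': poc_status,
        # Ordinary searches must still work after the fix.
        'benign_ok': ok_status == 200 and BENIGN_PARAM in ok_body,
    }


if __name__ == '__main__':
    print('unfixed   :', run_regression(remediated=False))
    print('remediated:', run_regression(remediated=True))
```

Against a real deployment you would drop the simulated server, point `fetch` at the staging or production host, and keep `POC_PARAM` as the exact value from the bug report; the two assertions (defect does not recur, benign request still works) are what distinguish a regression test from a scanner signature, because a webserver-level block that also breaks legitimate traffic fails the second check.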