OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Add guidance on how to write security test cases (or threat verification tests) #6

Open itscooper opened 7 years ago

itscooper commented 7 years ago

Guidance, to be added to section 5 (reporting), on how a tester can write programmatic test cases as a form of output, that developers can re-run to determine if an issue has been fixed.

victoriadrake commented 4 years ago

Is instruction on regression testing in scope for the WSTG? Or have I got the wrong idea?

ThunderSon commented 4 years ago

@victoriadrake we believe (me and @kingthorin) that it could be a nice-to-have, nothing core to the project or its latest release. The project focuses more on guiding a tester through the stages in a manual approach than on an automated one.

patrickceg commented 4 years ago

The project focuses more on guiding a tester through the stages in a manual approach than on an automated one.

@ThunderSon Does that mean there's another OWASP project that focuses on adversarial unit tests that we should make sure to link to?

On this issue in general, the framework of Defect Dojo seems to work as a bit of a guide to write security tests: https://defectdojo.readthedocs.io/en/latest/models.html#engagements / https://owasp.org/www-project-defectdojo/

Personally, I handle security type tests in the same way as any other test (maybe I saw too much DevSecOps idealism marketing), so I'm not sure what this guide has to say about what makes a "security test case" different from any other test. Everything I can think of (business importance, which team is responsible for it, who to call if the feature underlying said test fails in production and forces people in at 02:00 on a Sunday) apply to both "security" and "non-security" tests.

ThunderSon commented 4 years ago

What I read from DD (defect dojo) doesn't actually fit what is being discussed in here. The project can contain these points, but at this stage, we see a bigger value in actually updating the tests written, adding the missing tests, and mapping to the ASVS. Tests discussed in this issue are part of the automated pipeline that could be run. If you feel like tackling this point, or anyone, we don't mind it. If this is something that is of interest to you or any other future reader, please take it. 😄

kingthorin commented 4 years ago

@itscooper any chance you want to contribute some content to address this?

Hsiang-Chih commented 4 years ago

"how a tester can write programmatic test cases as a form of output, that developers can re-run to determine if an issue has been fixed."? I can help if it's the "BDD Security testing". It will require the integration of BDD framework. However, is the topic "How to do Behavior-Based Driven Security Testing" what OWASP testing guide would like to add?

i.e. by applying BDD security testing, the test cases/report will be:

Testing Scenario
  There is no port 80 open

Testing Steps
  1. Use Nmap to scan the target website
  2. Check if there is port 80 open

Results
  There is no port 80 open
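To make the idea from the opening comment (a programmatic test case handed over as tester output, which developers re-run to confirm a fix) and the BDD scenario above concrete, here is an added example written for this thread; it is not WSTG content and not code from any commenter. It expresses the "There is no port 80 open" scenario as Given/When/Then steps and returns a small report. The scan step uses a plain TCP connect() instead of the Nmap scan the comment mentions (an assumption made so the check runs offline), and the `local_listener` fixture that opens an ephemeral loopback port exists only to show the scenario failing while the port is still listening and passing once it is closed.

```python
"""Security regression test in the Given/When/Then style.

Added example for the WSTG issue thread, not WSTG content. The scenario
"there is no port 80 open" from the thread is checked with a TCP connect()
(an assumption standing in for the Nmap scan the comment mentions), so it
runs offline against a constructed local listener.
"""
import socket
from contextlib import contextmanager


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes (the "scan" step)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scenario_no_port_listening(host, port):
    """Run the scenario and return a report dict a developer can re-run after a fix."""
    steps = [f"Given the target host {host}"]
    # When: probe the port (TCP connect instead of Nmap, see module docstring)
    is_open = port_is_open(host, port)
    steps.append(f"When TCP port {port} is probed with connect()")
    steps.append(f"Then port {port} is not open")
    return {
        "scenario": f"There is no port {port} open",
        "steps": steps,
        "result": f"port {port} is {'open' if is_open else 'closed'}",
        "passed": not is_open,  # the finding is fixed only when nothing listens
    }


@contextmanager
def local_listener():
    """Constructed fixture: listen on an ephemeral loopback port, yield the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)  # kernel completes handshakes into the backlog, no accept() needed
        yield srv.getsockname()[1]
    finally:
        srv.close()


def format_report(report):
    """Render the report in the Scenario / Steps / Result layout used in the thread."""
    lines = [f"Scenario: {report['scenario']}"]
    lines += [f"  {step}" for step in report["steps"]]
    verdict = "PASS" if report["passed"] else "FAIL"
    lines.append(f"Result: {report['result']} -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Before the fix: the listener is up, so the scenario fails.
    with local_listener() as port:
        print(format_report(scenario_no_port_listening("127.0.0.1", port)))
    # After the fix: the listener is closed, so the same scenario passes.
    print(format_report(scenario_no_port_listening("127.0.0.1", port)))
```

The value for a developer is the `passed` field: the same function, with the same host and port the tester reported, is re-run in CI until it returns True, which is the "has this been fixed" signal the opening comment asks for.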

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 2 years ago

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.