Thursday, 7 March 2013

The Power of UnitTests when refactoring code (for example Security Pages)

Following a use-case usability requirement, I just changed the new TeamMentor ’password forgot’ page ...

...from: [image: old page] ...to: [image: new page]

The objective of the new version is to ask the user only for their email address (a good example of how the 'more secure version' had severe usability problems: what happens if the user can't remember their username?).

After I implemented the changes in the back-end, and before I even tried them in the GUI, I went to the back-end unit tests project and got a number of new errors:

image

All from this UnitTest:

image

This is what I was expecting (since the internal behaviour changed from requiring a valid username + email to reset the password, to requiring just an email).

And after a couple minor changes:

image

The PasswordResetToken test is working:

image

Which confirms that the password reset workflow is still working (including security checks like not allowing the password reset token to be used more than once).
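The email-only, single-use reset-token behaviour those tests check, as an added Python example (not TeamMentor's code): a minimal reset service plus the kind of unit check that would fail if a token could be reused, if an unknown email produced a token, or if an expired token were accepted. The user store, TTL, clock hook and method names are assumptions.

```python
import hashlib
import secrets
import time


class PasswordResetService:
    """Email-only password reset with single-use, expiring tokens (hypothetical)."""

    def __init__(self, users, ttl_seconds=900, clock=time.time):
        self.users = users          # constructed store: email -> username
        self.passwords = {}         # email -> new password (simplified)
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can fast-forward time
        # token hash -> (email, expiry); only the hash is stored, so a leaked
        # table does not contain usable tokens
        self._tokens = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Return a fresh token for a known email, else None.

        The caller should show the same generic message either way so the
        page cannot be used to enumerate registered addresses."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = (email, self.clock() + self.ttl)
        return token

    def reset_password(self, token, new_password):
        """Consume the token; a second use of the same token is rejected."""
        entry = self._tokens.pop(self._hash(token), None)  # pop => single use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.passwords[email] = new_password
        return True


def token_is_single_use(service, email):
    """Unit check mirroring the PasswordResetToken test: first use ok, reuse denied."""
    token = service.request_reset(email)
    first = service.reset_password(token, "first-pass")
    second = service.reset_password(token, "second-pass")
    return first is True and second is False
```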

Btw, can you see how powerful these unit tests can be for Security Testing to enforce security policies?

If only there was something like an  OWASP ESTAPI I could use, and measure my code against? :)