Nobody thinks you have to be a performance expert to write performance tests- why assume that you have to be a security expert to write security tests? During this presentation I'll show you how to use fuzzers, attack tools, and other simple techniques to help protect your users, improve the strength of your existing tests, and gain confidence in the security of your code. There will be demos!
Fundamentally, testing is about gaining confidence in the properties of your system- confidence that a refactor preserves behavior, that a new feature doesn't hurt performance, that your code is correct and operates as expected.
Unfortunately, such tests seldom include the adversarial assumption- that one of your users (or admins, or ...) is out to get you. The goal of security testing is to cover this gap by building the tools to ensure that your code will not fail, even when an unusually clever or determined attacker tries to take you down.
The talk is therefore divided into two major parts. The first ('mocking with malice') focuses on how to improve your existing test sequence and add the adversarial assumption. The second ('how to build a bad user') aims to help developers better understand their attack surface, the capabilities of their adversaries, and the tools available to help defeat them.
By the end of the talk, developers should have a strong understanding of how to build security testing into their test regimen and how it can help them gain confidence in their code and better protect their users.
7th–15th March 2012