Original Post: Intro to AppSecTDD. Considerations: All my examples will be… | by Mauricio Giraldo | Aug, 2024
The article explores how to integrate security into Test-Driven Development (TDD), creating a methodology dubbed Application Security Test-Driven Development (AppSecTDD). It begins by acknowledging that while modern frameworks and web application firewalls (WAF) handle many security issues, developers must still test for vulnerabilities when those systems fail.
It describes the basics of TDD: writing tests before writing the actual code, ensuring each test aligns with a product requirement. An example using pseudo-code demonstrates testing login functionality, followed by code to pass these tests. The article highlights the limitations of traditional TDD from a security perspective, such as the inability to catch SQL Injection or Cross-Site Scripting (XSS) vulnerabilities.
The author presents enhanced tests that focus on security, demonstrating how to test against SQL Injection and XSS attacks. By writing more comprehensive tests, developers ensure they write secure code from the start, rather than relying on tools like Static Application Security Testing (SAST) after the fact.
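The following is an added illustration of the AppSecTDD idea described above, not the article's own pseudo-code: two functional tests a plain TDD cycle would write for a login feature, plus two security tests (SQL Injection, XSS) alongside the minimal implementation that satisfies them. The function and table names, the in-memory SQLite store and the single constructed account are assumptions made for this example.

```python
import hashlib
import hmac
import html
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user store with one known account for the tests.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, _hash("correct horse", salt)))
    return db


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the username is bound as data, never spliced into the SQL text.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)


def greeting_html(username: str) -> str:
    # Escape before interpolating into HTML so any markup in the name renders as inert text.
    return f"<p>Welcome, {html.escape(username)}!</p>"


# Functional tests: what a conventional TDD cycle would write for the login requirement.
def test_login_accepts_valid_credentials():
    assert login(make_db(), "alice", "correct horse")


def test_login_rejects_wrong_password():
    assert not login(make_db(), "alice", "wrong")


# Security tests: what AppSecTDD adds before the implementation is written.
def test_login_rejects_sql_injection():
    # A tautology in the username must not bypass the password check.
    assert not login(make_db(), "alice' OR '1'='1' --", "anything")


def test_greeting_escapes_script():
    out = greeting_html("<script>alert(1)</script>")
    assert "<script>" not in out and "&lt;script&gt;" in out
```

Run the four `test_` functions with pytest; the security tests fail against a string-concatenated query or an unescaped template and pass only once the parameterised query and escaping are in place.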
The article concludes by advocating for a security mindset in development, emphasizing that proactive security testing can complement existing security tools, and promises future articles expanding on AppSecTDD and the concept of “Shifting Left” in security testing.