Security Test Design

Purpose

Design security tests that validate security controls, identify vulnerabilities, and ensure compliance with security requirements.

When to Use

• Security validation

• Compliance audits

• Pre-release security review

• After security architecture changes

Prerequisites

• Security requirements defined

• Threat model available

• Security architecture documented

Process

Step 1: Identify Security Requirements

Requirement sources:

• Security NFRs
• Compliance requirements (GDPR)
• OWASP guidelines
• Threat model mitigations

Step 2: Define Test Categories

Categories:

• Authentication testing
• Authorization testing
• Input validation
• Cryptography verification
• Session management
• API security

Step 3: Design Test Cases

For each category:

• Positive tests (controls work)
• Negative tests (attacks blocked)
• Boundary tests
• Compliance checks

Step 4: Select Tools

Tool categories:

• Static analysis (SAST)
• Dynamic analysis (DAST)
• Dependency scanning
• Manual testing

Step 5: Create Test Plan

Plan includes:

• Test scenarios
• Tools and methods
• Execution frequency
• Remediation process

Inputs

Input Type Required Description

security_requirements Markdown Yes Security NFRs

threat_model Markdown Yes Threat analysis

compliance_reqs Markdown Yes GDPR, etc.

Outputs

Output Type Description

security_test_plan.md Markdown Test plan

security_tests/ Code Test scripts

compliance_checklist.md Markdown Compliance checks

StudyAbroad-Specific Considerations

• OAuth2 security testing

• GDPR compliance validation

• PII protection verification

• Document access control

Integration Points

• Security Agent: Test collaboration

• Developer Agent: Remediation

• DevOps Agent: CI/CD security

Examples

Security Test Plan - StudyAbroad-v1

SECURITY REQUIREMENTS:

TEST CATEGORIES:

1. AUTHENTICATION TESTING

TC-SEC-AUTH-001: OAuth2 Token Validation

• Verify valid tokens accepted
• Verify expired tokens rejected
• Verify tampered tokens rejected
• Verify token refresh works

TC-SEC-AUTH-002: Session Security

• Verify httpOnly cookie flag
• Verify secure cookie flag
• Verify session timeout
• Verify concurrent session limits

TC-SEC-AUTH-003: OAuth Flow Security

• Verify state parameter validation
• Verify PKCE implementation
• Verify redirect URI validation

2. AUTHORIZATION TESTING

TC-SEC-AUTHZ-001: Horizontal Access Control

• User A cannot access User B's applications
• User A cannot access User B's documents
• Verify 403 for unauthorized access

TC-SEC-AUTHZ-002: Vertical Access Control

• Student cannot access admin endpoints
• Advisor limited to assigned students
• Verify role escalation blocked

TC-SEC-AUTHZ-003: API Authorization

• All endpoints require authentication (except public)
• Verify middleware protection
• Test direct URL access

3. INPUT VALIDATION

TC-SEC-INPUT-001: SQL Injection

• Test all input fields
• Test URL parameters
• Test JSON body fields
• Verify parameterized queries

TC-SEC-INPUT-002: XSS Prevention

• Test text inputs
• Test file names
• Test error messages
• Verify output encoding

TC-SEC-INPUT-003: File Upload Security

• Test file type bypass attempts
• Test malicious file names
• Test oversized files
• Verify virus scanning

4. CRYPTOGRAPHY

TC-SEC-CRYPTO-001: TLS Configuration

• Verify TLS 1.3 minimum
• Verify strong cipher suites
• Verify certificate validity
• Test with SSL Labs

TC-SEC-CRYPTO-002: Data Encryption

• Verify PII encrypted at rest
• Verify password hashing (bcrypt)
• Verify no secrets in code/logs

5. GDPR COMPLIANCE

TC-SEC-GDPR-001: Consent

• Verify consent collection
• Verify consent recorded
• Verify opt-out works

TC-SEC-GDPR-002: Data Rights

• Verify data export works
• Verify data deletion works
• Verify within time limits

AUTOMATED SECURITY TESTS:

// tests/security/auth.security.test.ts
describe('Authentication Security', () => {
  describe('Token Validation', () => {
    it('should reject expired tokens', async () => {
      const expiredToken = generateExpiredToken()
      const response = await request(app)
        .get('/api/v1/users/me')
        .set('Authorization', `Bearer ${expiredToken}`)
      
      expect(response.status).toBe(401)
      expect(response.body.error.code).toBe('AUTH_TOKEN_EXPIRED')
    })
    
    it('should reject tampered tokens', async () => {
      const tamperedToken = validToken.slice(0, -5) + 'xxxxx'
      const response = await request(app)
        .get('/api/v1/users/me')
        .set('Authorization', `Bearer ${tamperedToken}`)
      
      expect(response.status).toBe(401)
    })
  })
  
  describe('SQL Injection', () => {
    const sqlPayloads = [
      "'; DROP TABLE users; --",
      "1' OR '1'='1",
      "1; SELECT * FROM users"
    ]
    
    sqlPayloads.forEach(payload => {
      it(`should safely handle: ${payload}`, async () => {
        const response = await request(app)
          .get(`/api/v1/universities`)
          .query({ search: payload })
        
        // Should not error, should return safe results
        expect(response.status).toBe(200)
        // Verify no data leak
        expect(response.body.data).not.toContainEqual(
          expect.objectContaining({ password: expect.anything() })
        )
      })
    })
  })
})

CI/CD INTEGRATION:

security:
  - name: Dependency Audit
    run: npm audit --production
    frequency: every-build
    
  - name: SAST Scan
    run: npm run security:sast
    frequency: every-build
    
  - name: DAST Scan
    run: npm run security:dast
    frequency: nightly
    
  - name: Secret Scan
    uses: trufflesecurity/trufflehog@main
    frequency: every-build

TOOLS:

Tool
Purpose
Frequency

npm audit
Dependency vulnerabilities
Every build

ESLint security
Code patterns
Every build

OWASP ZAP
Dynamic scanning
Nightly

Snyk
Dependency + code
Weekly

truffleHog
Secret detection
Every commit

COMPLIANCE CHECKLIST:

GDPR:
☐ Consent mechanism implemented
☐ Data export within 30 days
☐ Data deletion within 72 hours
☐ Breach notification process
☐ Privacy policy accessible
☐ Cookie consent implemented

OWASP Top 10:
☐ A01: Broken Access Control - Tested
☐ A02: Cryptographic Failures - Tested
☐ A03: Injection - Tested
☐ A04: Insecure Design - Reviewed
☐ A05: Security Misconfiguration - Tested
☐ A06: Vulnerable Components - Scanned
☐ A07: Auth Failures - Tested
☐ A08: Integrity Failures - Tested
☐ A09: Logging Failures - Verified
☐ A10: SSRF - Tested

## Validation
- All security requirements tested
- OWASP coverage complete
- Tools integrated in CI/CD
- Compliance checklist verified
- Regular execution scheduled

###DIFFBREAK###
# Complete SDLC Skills Content Library - Part 3
# Project: StudyAbroad-v1
# Developer Agent (14) + Security Agent (13)

# ============================================================================
# DEVELOPER AGENT SKILLS (14 Skills: DEV-001 to DEV-014)
# ============================================================================