How effective are security test cases

In security testing, test cases are written to identify vulnerabilities in the application that are exposed by improper design or coding issues. Test cases are important for improving the quality of the application, and they define which feature will be tested. Test cases are effective when they are few in number but give maximum coverage in terms of security.

The following points help to make test cases effective.

1. Test cases should consist of simple steps and be easy to understand.

A new tester can execute simple test steps with ease. Test steps need to be transparent so that the purpose of the test case is clear.

2. Test cases should be short.

Test cases should contain only the necessary steps. A single test case with too many steps loses focus. Test cases should be written from the attacker's point of view. Reusing test cases saves the time spent writing repetitive tests, and using generic test cases ensures that common vulnerabilities are caught quickly.

3. Test only one thing.

Always make sure that a test case tests only one thing at a time. If multiple test steps are packed into one test case, it becomes very difficult to track errors and results. A single test case should therefore have one expected result, which makes it easy to identify the failed test case.

4. Organize test cases consistently and update regularly.

Consistency of test cases needs to be maintained so that it is easy to locate test cases, add new ones and update existing ones.

5. Write independent test cases.

Test cases should be independent and should not depend on other test cases, so that any test case can be executed individually.

6. Test cases should be categorized on the basis of vulnerability type.

Test steps for one vulnerability type should be grouped under one test case. For example, test steps to find whether cookies are secure, session fixation, improper session timeout, logout redirection and duplicate concurrent user sessions should all be under one test case of the 'Session Management' category.
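The following is an added example, not code from the original article or from any particular product: it applies points 2, 3, 5 and 6 to the 'Session Management' category by running short, independent checks, each returning a single result, against a small constructed in-memory session manager. The `SessionStore` class, the `IDLE_TIMEOUT` value and the `check_*` function names are assumptions made for this illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; an assumed policy value, not from the article

class SessionStore:
    # Minimal in-memory session manager standing in for the application under test.
    def __init__(self, now=time.time):
        self._now = now        # injectable clock: timeout checks need no sleeping
        self._sessions = {}    # sid -> {"user": ..., "last_seen": ...}

    def login(self, user, presented_sid=None):
        # Always mint a fresh id; ignoring presented_sid defeats session fixation.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def is_valid(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return False
        if self._now() - s["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)  # expire idle sessions server-side
            return False
        s["last_seen"] = self._now()
        return True

    def logout(self, sid):
        self._sessions.pop(sid, None)

# One check per weakness, each with its own store and one boolean result,
# so the checks stay short, independent and runnable in any order.
def check_no_session_fixation():
    store = SessionStore()
    fixed = "id-chosen-before-login"  # constructed attacker-supplied value
    return store.login("alice", presented_sid=fixed) != fixed

def check_idle_timeout():
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    sid = store.login("alice")
    clock[0] += IDLE_TIMEOUT + 1     # advance just past the idle limit
    return store.is_valid(sid) is False

def check_logout_invalidates():
    store = SessionStore()
    sid = store.login("alice")
    store.logout(sid)
    return store.is_valid(sid) is False

def run_session_management_suite():
    # The category's checks reported by name: one named result per check.
    checks = (check_no_session_fixation, check_idle_timeout, check_logout_invalidates)
    return {c.__name__: c() for c in checks}
```

A failing entry in the returned dictionary points directly at the one weakness that check covers, which is the benefit of the one-test-one-result rule.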

It is a vital task to write effective test cases with all the required details. As long as test cases are written from the attacker's perspective, target the known loopholes of the application and follow best practices, a higher level of software security assurance can be provided.

Authored by Swayambada Jena

