# Security Testing Framework

This directory contains systematic security tests covering OWASP Top 10 vulnerabilities for StellaOps modules.

## Structure

```
security/
├── StellaOps.Security.Tests/
│   ├── Infrastructure/                # Base classes and test utilities
│   ├── A01_BrokenAccessControl/       # Authorization bypass tests
│   ├── A02_CryptographicFailures/     # Crypto weakness tests
│   ├── A03_Injection/                 # SQL, Command, ORM injection tests
│   ├── A05_SecurityMisconfiguration/  # Config validation tests
│   ├── A07_AuthenticationFailures/    # Auth bypass tests
│   ├── A08_IntegrityFailures/         # Data integrity tests
│   └── A10_SSRF/                      # Server-side request forgery tests
└── README.md
```

## OWASP Top 10 Coverage

| Rank | Category                  | Priority | Status |
|------|---------------------------|----------|--------|
| A01  | Broken Access Control     | CRITICAL | ✓      |
| A02  | Cryptographic Failures    | CRITICAL | ✓      |
| A03  | Injection                 | CRITICAL | ✓      |
| A05  | Security Misconfiguration | HIGH     | ✓      |
| A07  | Authentication Failures   | CRITICAL | ✓      |
| A08  | Integrity Failures        | HIGH     | ✓      |
| A10  | SSRF                      | HIGH     | ✓      |

## Running Tests

```bash
# Run all security tests
dotnet test tests/security/StellaOps.Security.Tests --filter "Category=Security"

# Run specific OWASP category
dotnet test --filter "FullyQualifiedName~A01_BrokenAccessControl"

# Run with detailed output
dotnet test tests/security/StellaOps.Security.Tests -v normal
```

## Adding New Tests

1. Create the test class in the appropriate category directory
2. Inherit from `SecurityTestBase`
3. Use `MaliciousPayloads` for injection payloads
4. Use `SecurityAssertions` for security-specific assertions

## CI Integration

Security tests run as part of the CI pipeline:

- All PRs: Run critical security tests (A01, A02, A03, A07)
- Nightly: Full OWASP Top 10 coverage
- Pre-release: Full suite with extended fuzzing

## References

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- StellaOps Security Policy: `docs/13_SECURITY_POLICY.md`
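The four steps above, worked through for an `A10_SSRF` test, as an added example that is not part of the StellaOps code base: it assumes `SecurityTestBase` can be inherited with a parameterless constructor, carries its own constructed payloads (the page does not show the `MaliciousPayloads` or `SecurityAssertions` APIs, so plain xUnit assertions are used), and defines a hypothetical `OutboundUrlPolicy` inline as the system under test.

```csharp
using System;
using Xunit;

namespace StellaOps.Security.Tests.A10_SSRF;

// Hypothetical system under test, defined inline so the example compiles on its own.
// In a real test this would be the module's outbound-request URL policy.
public static class OutboundUrlPolicy
{
    public static bool IsAllowed(string rawUrl)
    {
        if (!Uri.TryCreate(rawUrl, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;          // no http, file, ftp, ...
        if (uri.HostNameType != UriHostNameType.Dns) return false;   // reject literal IPv4/IPv6 hosts
        // Caveat: a hostname check alone does not cover names that resolve to internal
        // addresses; a production policy must also validate the resolved address.
        return !uri.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase);
    }
}

// The trait matches the --filter "Category=Security" run shown above.
[Trait("Category", "Security")]
public class OutboundUrlPolicyTests : SecurityTestBase   // assumed: parameterless base constructor
{
    // Constructed payloads for this example; the project's MaliciousPayloads helper is the intended source.
    [Theory]
    [InlineData("http://127.0.0.1/admin")]     // plain http to loopback
    [InlineData("https://localhost/")]         // loopback by name
    [InlineData("https://[::1]/")]             // IPv6 loopback literal
    [InlineData("https://10.0.0.5/")]          // private-range literal
    [InlineData("file:///etc/passwd")]         // non-network scheme
    [InlineData("not a url")]                  // unparsable input must fail closed
    public void RejectsInternalOrMalformedTargets(string url)
    {
        Assert.False(OutboundUrlPolicy.IsAllowed(url));
    }

    [Theory]
    [InlineData("https://registry.example.com/v2/")]
    public void AllowsPublicHttpsHosts(string url)
    {
        Assert.True(OutboundUrlPolicy.IsAllowed(url));
    }
}
```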