git.stella-ops.org/tests/security
master 2170a58734
Add comprehensive security tests for OWASP A02, A05, A07, and A08 categories
- Implemented tests for Cryptographic Failures (A02) to ensure proper handling of sensitive data, secure algorithms, and key management.
- Added tests for Security Misconfiguration (A05) to validate production configurations, security headers, CORS settings, and feature management.
- Developed tests for Authentication Failures (A07) to enforce strong password policies, rate limiting, session management, and MFA support.
- Created tests for Software and Data Integrity Failures (A08) to verify artifact signatures, SBOM integrity, attestation chains, and feed updates.
2025-12-16 16:40:44 +02:00

Security Testing Framework

This directory contains systematic security tests covering OWASP Top 10 vulnerabilities for StellaOps modules.

Structure

security/
├── StellaOps.Security.Tests/
│   ├── Infrastructure/           # Base classes and test utilities
│   ├── A01_BrokenAccessControl/  # Authorization bypass tests
│   ├── A02_CryptographicFailures/ # Crypto weakness tests
│   ├── A03_Injection/            # SQL, Command, ORM injection tests
│   ├── A05_SecurityMisconfiguration/ # Config validation tests
│   ├── A07_AuthenticationFailures/   # Auth bypass tests
│   ├── A08_IntegrityFailures/    # Data integrity tests
│   └── A10_SSRF/                 # Server-side request forgery tests
└── README.md

OWASP Top 10 Coverage

| Rank | Category                   | Priority | Status |
|------|----------------------------|----------|--------|
| A01  | Broken Access Control      | CRITICAL |        |
| A02  | Cryptographic Failures     | CRITICAL |        |
| A03  | Injection                  | CRITICAL |        |
| A05  | Security Misconfiguration  | HIGH     |        |
| A07  | Authentication Failures    | CRITICAL |        |
| A08  | Integrity Failures         | HIGH     |        |
| A10  | SSRF                       | HIGH     |        |

Running Tests

# Run all security tests
dotnet test tests/security/StellaOps.Security.Tests --filter "Category=Security"

# Run specific OWASP category
dotnet test --filter "FullyQualifiedName~A01_BrokenAccessControl"

# Run with detailed output
dotnet test tests/security/StellaOps.Security.Tests -v normal

Adding New Tests

  1. Create a test class in the appropriate category directory (the namespace is what `--filter "FullyQualifiedName~A01_BrokenAccessControl"` matches on)
  2. Inherit from SecurityTestBase
  3. Use MaliciousPayloads for injection payloads
  4. Use SecurityAssertions for security-specific assertions
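The four steps above, as an added example of a new A03 test class; this is not code from the StellaOps.Security.Tests project. It assumes xUnit is the test framework (the `--filter "Category=Security"` command in this README matches an xUnit `[Trait]`), that `SecurityTestBase` has a parameterless constructor, and it uses a constructed stand-in component (`PackageNameFilter`) as the thing under test. The member names of `MaliciousPayloads` and `SecurityAssertions` are not documented here, so the example embeds its own constructed payload list and uses plain xUnit assertions where the project's helpers would normally go.

```csharp
// Added example, not part of StellaOps.Security.Tests.
// Assumptions: xUnit; SecurityTestBase has a parameterless constructor;
// PackageNameFilter is a constructed stand-in for the component under test.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Xunit;

namespace StellaOps.Security.Tests.A03_Injection;

// Constructed stand-in: builds a package lookup from user-supplied input.
// A safe implementation allowlists the name and binds it as a query parameter,
// so the input never becomes part of the SQL text.
public static class PackageNameFilter
{
    // purl-style names only: letters, digits and a few separators. \z (not $)
    // so a trailing newline cannot slip past the check.
    private static readonly Regex Allowed =
        new(@"^[A-Za-z0-9._@/-]{1,128}\z", RegexOptions.CultureInvariant);

    public static bool IsValid(string? name) => name is not null && Allowed.IsMatch(name);

    // Returns SQL text and the parameter value separately.
    public static (string Sql, string Parameter) BuildQuery(string name)
    {
        if (!IsValid(name))
            throw new ArgumentException("package name rejected", nameof(name));
        return ("SELECT id, version FROM packages WHERE name = @name", name);
    }
}

[Trait("Category", "Security")]               // picked up by: dotnet test --filter "Category=Security"
public class SqlInjectionTests : SecurityTestBase  // step 2: inherit the shared base class
{
    // Step 3 would pull these from MaliciousPayloads; constructed payloads stand in here.
    public static IEnumerable<object[]> InjectionPayloads() => new[]
    {
        new object[] { "' OR '1'='1" },
        new object[] { "pkg'; DROP TABLE packages;--" },
        new object[] { "pkg\" UNION SELECT secret FROM keys--" },
        new object[] { "pkg\n" },     // trailing newline: the reason the regex uses \z
    };

    [Theory]
    [MemberData(nameof(InjectionPayloads))]
    public void Filter_rejects_injection_payloads(string payload)
    {
        Assert.False(PackageNameFilter.IsValid(payload));
        Assert.Throws<ArgumentException>(() => PackageNameFilter.BuildQuery(payload));
    }

    [Theory]
    [InlineData("lodash")]
    [InlineData("@scope/pkg-name_1.2")]
    public void Legitimate_names_are_bound_as_parameters_not_concatenated(string name)
    {
        var (sql, parameter) = PackageNameFilter.BuildQuery(name);

        // Step 4 would use SecurityAssertions; plain xUnit assertions stand in here.
        Assert.DoesNotContain(name, sql);   // input never appears in the SQL text
        Assert.Contains("@name", sql);      // it travels as a bound parameter instead
        Assert.Equal(name, parameter);
    }
}
```

Placing the class in the `StellaOps.Security.Tests.A03_Injection` namespace is what makes `--filter "FullyQualifiedName~A03_Injection"` select it; the `[Trait("Category", "Security")]` attribute is what the `Category=Security` filter in the "Running Tests" section keys on, so a class without it is silently skipped by that command.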

CI Integration

Security tests run as part of the CI pipeline:

  • All PRs: Run critical security tests (A01, A02, A03, A07)
  • Nightly: Full OWASP Top 10 coverage
  • Pre-release: Full suite with extended fuzzing

References