Security Testing Framework
This directory contains systematic security tests covering OWASP Top 10 vulnerabilities for StellaOps modules.
Structure
security/
├── StellaOps.Security.Tests/
│ ├── Infrastructure/ # Base classes and test utilities
│ ├── A01_BrokenAccessControl/ # Authorization bypass tests
│ ├── A02_CryptographicFailures/ # Crypto weakness tests
│ ├── A03_Injection/ # SQL, Command, ORM injection tests
│ ├── A05_SecurityMisconfiguration/ # Config validation tests
│ ├── A07_AuthenticationFailures/ # Auth bypass tests
│ ├── A08_IntegrityFailures/ # Data integrity tests
│ └── A10_SSRF/ # Server-side request forgery tests
└── README.md
OWASP Top 10 Coverage
| Rank | Category | Priority | Status |
|---|---|---|---|
| A01 | Broken Access Control | CRITICAL | ✓ |
| A02 | Cryptographic Failures | CRITICAL | ✓ |
| A03 | Injection | CRITICAL | ✓ |
| A05 | Security Misconfiguration | HIGH | ✓ |
| A07 | Authentication Failures | CRITICAL | ✓ |
| A08 | Integrity Failures | HIGH | ✓ |
| A10 | SSRF | HIGH | ✓ |
Running Tests
# Run all security tests
dotnet test tests/security/StellaOps.Security.Tests --filter "Category=Security"
# Run specific OWASP category
dotnet test --filter "FullyQualifiedName~A01_BrokenAccessControl"
# Run with detailed output
dotnet test tests/security/StellaOps.Security.Tests -v normal
Adding New Tests
- Create test class in appropriate category directory
- Inherit from
SecurityTestBase - Use
MaliciousPayloadsfor injection payloads - Use
SecurityAssertionsfor security-specific assertions
CI Integration
Security tests run as part of the CI pipeline:
- All PRs: Run critical security tests (A01, A02, A03, A07)
- Nightly: Full OWASP Top 10 coverage
- Pre-release: Full suite with extended fuzzing
References
- OWASP Top 10
- OWASP Testing Guide
- StellaOps Security Policy:
docs/13_SECURITY_POLICY.md