Re: On security tests

I second this, so if you have time Jeremy, I'd just go do it. The sooner
we get a complete WD of the test-suite the better, and the security
component is rather crucial.

> Here are my thoughts about security tests.
> a) have section of test document with them in
> b) have a test class test:SecurityTest
> c) do not provide instructions for running security tests
> d) have the following para in the section of the test document.
> [[
> The following security tests are provided for implementers to
> adapt and use for their implementation.
> Security issues are usually system specific, and as is shown
> in test TODO, it may be possible for a malicious party to access
> XSLT version and vendor information concerning a specific GRDDL
> agent instance.
> These tests were developed during the development of the Jena
> GRDDL Reader which uses the Saxon8.8 XSLT processor. They hence
> illustrate how a malicious party may try to abuse features
> of such an implementation.
> We do not provide instructions as to how to test your system
> against these tests, since they are likely to be not directly
> applicable.
> Developers of GRDDL aware agents are encouraged to understand
> these tests, and consider how their own systems may have
> potential security weaknesses.
> ]]
> e) include the six Jena tests (which I can donate to W3C)
> Jeremy


Harry Halpin, University of Edinburgh 6B522426

Received on Friday, 23 March 2007 19:15:10 UTC