Test-suite for a password protected website
David Dick
david_dick at iprimus.com.au
Mon Dec 29 01:27:49 CST 2003
Joshua Goodall wrote:
>On Tue, Dec 30, 2003 at 09:51:26AM +1100, leif.eriksen at hpa.com.au wrote:
>
>>Another option that is 'somewhat' secure is to set the username and
>>password in environmental variables, if you are using an OS that
>>supports that concept, and you are testing in a way that supports
>>reading your environment.
>
>You should only do this if you are 100% certain that "ps wwex" or
>equivalent on your particular platform and all possible target
>platforms does NOT provide a handy dump of the environment table
>for all and sundry.
>
>Otherwise you've just proposed a classic, almost a traditional
>security blunder.
True, but in the context that I originally asked the question, I still
think it's a really good idea. The problem is how to have a test-suite
and package it up for customers without hard-coding a secret, or a path
to the secret, in the test-suite. From the perspective of simply giving
the solution to the user, and letting them decide policy, it's really
good. If the user wants to run the test-suite automatically every 5
mins, they can do so with a minimum of fuss (and they have to accept
that a local user with sufficient privileges can compromise the
secret). If they just want to run the test-suite once after
installation, or after the code changes, they can do that with a minimum
of fuss and much less risk. If they are completely unaware of the
test-suite, no harm will come to them. So for me, a very acceptable
compromise; thank you Mr Eriksen. Only problem is that I feel like an
idiot for not thinking of it myself. :)
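The pattern discussed in this thread, as an added example that is not from the post or the list: a test-suite helper that reads the credentials from environment variables (the variable names TESTSITE_USER and TESTSITE_PASSWORD are assumptions), skips the login tests when they are absent so an unaware customer is never affected, and removes the values from the process environment once read, so the window in which "ps wwex" or an inherited child environment can expose them is as short as possible.

```python
import os
import unittest

# Variable names are assumptions for this example, not from the thread.
USER_VAR = "TESTSITE_USER"
PASS_VAR = "TESTSITE_PASSWORD"


def load_credentials(environ=None):
    """Return (user, password) from the environment, or None if either is unset.

    The values are popped rather than merely read: once the test process
    holds them there is no reason to leave them in the environment table,
    which on some platforms any local user can dump (e.g. "ps wwex") and
    which every child process would otherwise inherit.
    """
    env = os.environ if environ is None else environ
    user = env.pop(USER_VAR, None)
    password = env.pop(PASS_VAR, None)
    if not user or not password:
        return None
    return user, password


def redact(message, password):
    """Keep the secret out of test diagnostics and CI logs."""
    return message.replace(password, "***") if password else message


class LoginTest(unittest.TestCase):
    """Runs only when whoever deploys the suite has chosen to supply credentials."""

    def setUp(self):
        creds = load_credentials()
        if creds is None:
            # Policy is left to the user: no variables, no login tests, no failure.
            self.skipTest(f"{USER_VAR}/{PASS_VAR} not set; skipping login tests")
        self.user, self.password = creds

    def test_credentials_present(self):
        # Stand-in for the real login against the protected site; the failure
        # message is redacted so a red test never prints the password.
        self.assertTrue(self.user and self.password,
                        redact(f"bad credentials for {self.user}", self.password))


if __name__ == "__main__":
    unittest.main()
```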