Test-suite for a password protected website

David Dick david_dick at iprimus.com.au
Mon Dec 29 01:27:49 CST 2003

Joshua Goodall wrote:

>On Tue, Dec 30, 2003 at 09:51:26AM +1100, leif.eriksen at hpa.com.au wrote:
>>Another option that is 'somewhat' secure is to set the username and 
>>password in environmental variables, if you are using an OS that 
>>supports that concept, and you are testing in a way that supports 
>>reading your envirnment.
>You should only do this if you are 100% certain that "ps wwex" or
>equivalent on your particular platform and all possible target
>platforms does NOT provide a handy dump of the environment table
>for all and sundry.
>Otherwise you've just proposed a classic, almost a traditional
>security blunder.
True, but in the context that i originally asked the question, i still 
think it's a really good idea.  The problem is how to have a test-suite 
and package it up for customers without hard-coding a secret, or a path 
to the secret in the test-suite.  From the perspective of simply giving 
the solution to the user, and letting them decide policy, it's really 
good.  If the user wants to run the test-suite automatically every 5 
mins, they can do so with a minimum of fuss (and they have to accept 
that a local user with sufficient privileges can compromise the 
secret).  If they just want to run the test-suite once after 
installation, or after the code changes, they can do that with a minimum 
of fuss and much less risk.  If they are completely unaware of the 
test-suite, no harm will come to them.  So for me, a very acceptable 
compromise, thank you Mr Eriksen.  only problem is that i feel like an 
idiot for not thinking of it myself. :)

More information about the Melbourne-pm mailing list