Security Product Testing

This was another fun job. I was doing actual testing and working with people who were recognized experts in the field. I knew nothing about UNIX login security when I started, but by the end, I had written a fairly extensive test suite.

The product was a security add-on for Solaris which could do all the login controls for the truly paranoid -- restricted access times, automatic security timeouts, etc. I found it alarmingly easy to get into the paranoid mode of thinking.

The tests that I wrote used the TET harness (TETWorks) to drive a bunch of Bourne shell scripts which in turn invoked Expect. Once I got the quoting problems under my belt it was fun. If you've ever done in-line awk scripts inside a shell script, you know what I mean. We needed Expect because it's one of the few, at the time it may have been the only, way to get a password to rlogin, telnet, and ftp from a script.

If I had it to do over again, I'd probably use Perl instead of sh as the second layer. I would definitely repeat the lab setup that we used though. We put the two QEs in a 3-person office and filled the third desk with the a bunch of machines. We needed to be near the machines because our testing introduced a security hole (a setuid program), so all the lab machines were off the main network, just in case somebody got through the firewall. As I said, when you are working on security products, you become a bit more, um, cautious.

Anne Powell 2/7/98