QP03 Automated Tests Practices
What this means
SiteShadow flagged signals that automated tests may be missing, thin, or disabled.
Why it matters
Tests reduce regressions and enforce expected security behavior.
- Security bugs regress when fixes aren't covered by tests.
- Authz and validation drift happens as features evolve without guardrails.
- Higher operational risk when changes can't be validated quickly.
Safer examples
1) Add tests for "abuse cases"
Cover unauthorized access attempts, invalid inputs, replay attempts, and rate-limit triggering.
2) Add integration tests for security boundaries
Test that "User A cannot access User B's data" and that admin-only routes are restricted to admins.
3) Run tests automatically in CI
Make tests part of the merge gate (see QP02).
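A concrete version of items 1) and 2), added here as an example and not SiteShadow's own code: a minimal in-memory API (all class and function names are hypothetical) together with the abuse-case checks that a CI merge gate would run against it.

```python
# Added example, not SiteShadow's code: a toy API with authz and rate limiting,
# plus the abuse-case checks that should gate merges. All names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    role: str  # "user" or "admin"

@dataclass
class Api:
    records: dict = field(default_factory=lambda: {"alice": {"balance": 10}, "bob": {"balance": 20}})
    limit: int = 3                      # login attempts allowed per client before 429
    hits: dict = field(default_factory=dict)

    def get_record(self, caller, owner):
        if caller is None:
            return 401, None
        # Tenant boundary: a user reads only their own record; admins may read any.
        if caller.role != "admin" and caller.uid != owner:
            return 403, None
        if owner not in self.records:
            return 404, None
        return 200, self.records[owner]

    def admin_export(self, caller):     # admin-only route
        if caller is None:
            return 401, None
        if caller.role != "admin":
            return 403, None
        return 200, dict(self.records)

    def login(self, client_ip, password):
        # Rate limit is checked before input validation so bad input cannot bypass it.
        n = self.hits.get(client_ip, 0) + 1
        self.hits[client_ip] = n
        if n > self.limit:
            return 429, None
        if not isinstance(password, str) or not password:
            return 400, None
        return 200, "token"

def run_abuse_cases():
    """Exercise each abuse case and return the status code it produced (constructed users)."""
    api = Api()
    alice, bob, admin = User("alice", "user"), User("bob", "user"), User("root", "admin")
    return {
        "anon_read": api.get_record(None, "alice")[0],
        "cross_user_read": api.get_record(alice, "bob")[0],   # "User A cannot access User B's data"
        "own_read": api.get_record(bob, "bob")[0],
        "admin_route_as_user": api.admin_export(alice)[0],
        "admin_route_as_admin": api.admin_export(admin)[0],
        "invalid_input": api.login("10.0.0.1", None)[0],
        "rate_limit": [api.login("10.0.0.2", "pw")[0] for _ in range(4)][-1],  # 4th attempt exceeds limit
    }

EXPECTED = {"anon_read": 401, "cross_user_read": 403, "own_read": 200,
            "admin_route_as_user": 403, "admin_route_as_admin": 200,
            "invalid_input": 400, "rate_limit": 429}

def abuse_cases_pass():
    """True only when every abuse case yields the expected status; fail the merge otherwise."""
    return run_abuse_cases() == EXPECTED
```

Each entry in EXPECTED is a regression guard: loosening the tenant check or the admin check flips its status and fails the gate.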
How SiteShadow detects it (high level)
- Detects presence/absence of test suites, test configuration, and test execution in CI.
- Flags patterns that suggest tests aren't being run or aren't covering critical paths.
References
- OWASP Top 10: https://owasp.org/Top10/