CWE-382 Claims of Insufficient Testing
What this means
SiteShadow flagged a pattern where security-relevant behavior appears to rely on assumptions rather than being backed by tests/verification. This isn't "a bug" by itself, but it correlates strongly with security regressions and false confidence.
Why it matters
Unvalidated claims can hide security gaps and regressions.
- Silent regressions: a small refactor breaks auth/validation and no test catches it.
- Security theater: "we sanitize/verify" claims don't hold under edge cases.
- Operational risk: incidents happen because controls weren't continuously validated.
Safer examples
1) Add tests for abuse cases (not just happy paths)
Include negative tests: unauthorized access attempts, malformed inputs, replay, rate-limit triggers.
2) Add integration tests around authz and sensitive flows
Test that "User A cannot access User B's data" and "Admin-only endpoints reject normal users" (see CWE-286).
3) Use automated security checks in CI
Linting, dependency scanning, and basic SAST/secret scanning help prevent regressions (see CICD01 / A08).
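An added example of points 1) and 2), not SiteShadow's own code: a minimal in-memory service with an object-level authorization check, followed by unittest abuse cases that verify the "User A cannot access User B's data" and "admin-only rejects normal users" claims instead of assuming them. The users, record ids and the Forbidden exception are constructed for illustration.

```python
# Added example (not SiteShadow's code). Users, record ids and data are constructed.
import unittest
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "user" or "admin"

class Forbidden(Exception): pass

# Constructed sample data: each record has exactly one owner.
RECORDS = {"rec-1": {"owner": "alice", "body": "alice's note"},
           "rec-2": {"owner": "bob", "body": "bob's note"}}

def get_record(actor: User, record_id: str) -> dict:
    """Object-level authz: only the owner or an admin may read a record. A missing
    id fails the same way as a foreign one, so callers cannot probe which ids exist."""
    record = RECORDS.get(record_id)
    if record is None or (actor.role != "admin" and record["owner"] != actor.user_id):
        raise Forbidden(record_id)
    return record

def list_all_records(actor: User) -> list:
    """Admin-only endpoint: returns every record id."""
    if actor.role != "admin":
        raise Forbidden("admin only")
    return sorted(RECORDS)

ALICE, BOB, ROOT = User("alice", "user"), User("bob", "user"), User("root", "admin")

class AuthzAbuseCases(unittest.TestCase):
    def test_positive_controls(self):  # happy paths, kept so a broken fixture is noticed
        self.assertEqual(get_record(ALICE, "rec-1")["owner"], "alice")
        self.assertEqual(list_all_records(ROOT), ["rec-1", "rec-2"])
    def test_cross_user_read_is_denied(self):  # "User A cannot access User B's data"
        with self.assertRaises(Forbidden):
            get_record(ALICE, "rec-2")
    def test_unknown_and_malformed_ids_are_denied(self):
        for bad_id in ("rec-404", "", "../rec-2", "rec-2\x00"):
            with self.assertRaises(Forbidden):
                get_record(ALICE, bad_id)
    def test_admin_only_rejects_normal_user(self):  # "Admin-only endpoints reject normal users"
        with self.assertRaises(Forbidden):
            list_all_records(BOB)

def run_abuse_cases() -> bool:
    # Run the suite in-process; True only if every negative test holds.
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(AuthzAbuseCases)
    return unittest.TextTestRunner(verbosity=0).run(suite).wasSuccessful()
```

Deleting the owner comparison in get_record makes test_cross_user_read_is_denied fail immediately, which is the regression signal the page is asking for.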
How SiteShadow detects it (high level)
- Flags security controls that are present in code but appear inconsistently applied or lack nearby usage patterns that suggest validation.
- Highlights areas where the impact of missing tests is highest (auth, input validation, crypto, access control).
References
- CWE-382: https://cwe.mitre.org/data/definitions/382.html