refactor vulnerabilities so that users can turn them from failing to passing

spec/vulnerabilities/sensitive_data_exposure.rb

@@ -2,19 +2,23 @@
 require "spec_helper"
 
 feature "sensitive data exposure" do
+  let(:normal_user) { UserFixture.normal_user }
+  let(:user_ssn) { "999-99-9999" }
+
   before do
     UserFixture.reset_all_users
-    @normal_user = UserFixture.normal_user
-    @normal_user.work_info.update_attribute(:SSN, "999-99-9999")
+    normal_user.work_info.update_attribute(:SSN, user_ssn)
+
+    pending unless verifying_fixed?
   end
 
   # this won't work with javascript_driver, as it'll apply the javascript
   # function to mask this value and the source will be overwritten.
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Cleartext-Storage-SSNs" do
-    login @normal_user
+    login(normal_user)
 
-    visit "/users/#{@normal_user.id}/work_info"
-    pending if verifying_fixed?
-    expect(page.source).to include "999-99-9999"
+    visit "/users/#{normal_user.user_id}/work_info"
+
+    expect(page.source).not_to include(user_ssn)
   end
 end