That sounds fantastic! Equally I can provide you with an initial list of static code analysis results from Fortify, if only as a benchmark for other findings etc.. I am also very intruded by http://rips-scanner.sourceforge.net/ this php opensource security static code analyzer... but one thing at a time I guess :-)
Kind regards Sherif Mansour On Sun, Aug 10, 2014 at 4:53 PM, Chris Steipp <[email protected]> wrote: > Hi Sherif, I agree with everything you put here! I put the groundwork for > this into the Security_for_developers/Architecture. New features should > have Selenium tests for security critical features, and I would really like > to setup exactly the scenario you proposed, having automated regression > testing with Zap. I've just lacked the time to do it yet. > > +1 on static analysis too. I tested checkmarks earlier this year and their > php 5.3 support wasn't good enough to give good results on our codebase. > I'm trying to get coverty setup right now. Both are closed source so I > don't like using them. Facebook's pfff has a lot of potential, but doesn't > do security testing yet, and we don't have ocaml expertise to help them > implement it. > > So yes, I would love help! Let's get in touch next week and see if we can > get you setup to help us implement the dynamic testing part. Feel free to > ping me of list or on irc. > On Aug 10, 2014 7:24 AM, "Sherif Mansour" <[email protected]> wrote: > >> As a security engineer I want to make sure that new/existing site >> features are tested for security bugs, and new changes to a web application >> do not break existing security controls. >> >> *What can be done?* >> There are several ways to approach this of course. One way to ensure >> feature coverage is to run a lot of the QA regression packs such a selenium >> scripts, through a web app security proxy which will then run security >> tests based on the requests it sees flowing through it. >> >> Additionally I recommend the creation of security test scenarios in order >> to test certain application logic. Simple example: If a user signs-out and >> clicks back he should not appear as signed in. >> >> *Are there tech teams working on this?* >> Yes several tech companies are using similar approaches and for >> inspiration I recommend that you take a look at the following work: >> http://www.continuumsecurity.net/bdd-intro.html >> >> *Is it open sourced?* >> Yes, and its on github: https://github.com/continuumsecurity/bdd-security >> The ZAP security proxy is also open sourced (and it: >> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project >> >> *How does that work in practice:* >> >> 1. The continuous integration server (e.g. Jenkins) would run >> selenium scripts, and set the forward proxy to the security web app proxy >> (such as ZAP). >> 2. The CI server would then send api commands to the zap proxy to run >> security scans based on the requests it will receive (and the scope can >> also be set there as well). >> 3. The selenium scripts run and zap would run security tests off of >> that. >> 4. Additionally there would be some selenium tests that are based on >> security scenarios. >> 5. The security findings are reported, reviewed for false positive, >> the priority is set, and bug is raised for developers to work on. >> 6. You can additionally get it to run Nessus as well to look at >> infrastructure vulnerabilities (note Nessus is now closed source...but >> openVAS is the opensource fork). >> >> *That are the interesting challenges that a team might see from this.* >> >> And an interesting conversation today with Chris McMahon and Nikolas >> Everett about this: >> Right now the environment is quite public...does WikiMedia want to show >> security issues in SDLC reported the same way as QA issues? >> >> Nikolas Everett pointed out that Wikimedia could make the security issues >> public and never release code unless these issues are addressed (i.e. fix >> the security issue or accept the risk). >> >> *Please note: *The results from the ZAP proxy (or whatever is decided >> on), would not show in the environment as is, because you would need to >> tell that system where to push the results to. >> >> *Is there anything else that can be done?* >> Yes, you could use a security based static code analyser during the SDLC, >> which I have had experience with, and the results were very promising. >> However it does require an on-boarding process to tune the analyzer to your >> code base. By that I mean take a look at the intial findings and create >> filter-sets to avoid false positives and issues you do not care about. In >> many cases my team had to go back to the guys who wrote the rule packs to >> improve them. >> >> *I would like to volunteer as a security resource for Wikimedia* >> >> Kind regards >> Sherif Mansour >> User:Kerberosmansour >> >>
_______________________________________________ QA mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/qa
