to self-assess your application without any extra resource
• Provide a way to automatically check for new security regressions* introduced in your code
• Provide a way to reproduce a security regression
• As described by Wikipedia (Software Regression): A software regression is a software bug which makes a feature stop functioning as intended after a certain event (for example, a system upgrade, system patching or a change to daylight saving time)
• For us, we are looking for possible vulnerabilities that appear after a new release (or commit)
expensive
• Needs an expert to execute it and to interpret the results
• Existing tools are difficult to integrate with an existing test-suite
• Not enough literature about it
the security regression tests we will need:
• Web application
• Existing integration test-suite* using Selenium (or any other web driver with proxy support)
• Jenkins and Java
Integration tests?
• It is the phase in software testing in which individual software modules are combined and tested as a group
• It tests all components together
it's not. Actually ZAP has an HTTP API and originally it supports Java and Python
• But because I know that @ SUSE we use Ruby quite often, I developed a client to the API in Ruby, to make it easier to integrate with existing Ruby test infrastructure.
• Repository https://github.com/vpereira/ruby-zap
but the advantages of ZAP are:
• Easy to install and to run headless
• Powerful security tool with proxy support
• Actively being developed
• Offers a remote API, making it easier to automate
• Extensive security tests
• Another option would be the Arachni scanner (any other idea?)
you have a different way to run your tests automatically, you can use it.
• However, if you are doing continuous integration, you are probably using it already
• You can integrate it with your Rake test tasks
(threadfix.org)
• ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications.
• It supports reports from different tools, it has an HTTP API to help with the automation, etc.