Are there any tools/frameworks available for us to achieve this?
Like many situations in life, it's really not about the tool, it's what you do with it. ;)
My experience of being a roaming consultant and visiting dozens of corporate development environments is that most people who simply buy a tool do so as an investment in shelfware. Great for the tool vendor (hey, no support costs!) but bad for whoever is looking to get some value out of the investment.
A better approach tends to be a package of education, process reforms, and a deeper understanding of which parts of the process should be owned internally, and which should be outsourced.
This is all just my opinion of course. And I'm sure that whatever tool you buy will look wonderful on your shelf, alongside a photo of your kids. ;)
Martin...
If you are interested in using OWASP ZAP for security tests (either via the BDD framework or on its own) then have a look at http://code.google.com/p/zaproxy/wiki/SecRegTests
There's a video on there which explains how you can use ZAP for security regression tests and more details about the ZAP API.
And feel free to ask any questions on the ZAP user group: http://groups.google.com/group/zaproxy-users
I'm certainly not saying that ZAP will solve all of your security problems, but including it in your development process will allow you to find vulnerabilities like XSS and SQL injection very early on in your development process, which is always a good thing.
Simon (ZAP Project Lead)
On Thu, Jan 23, 2014 at 3:44 PM, Martin O'Neal martin.oneal@corsaire.com wrote:
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
OWASP ZAP Project leader
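One concrete shape for the security regression test Simon mentions, as an added example that is not ZAP's own code: a Python build gate that reads alerts in the format of ZAP's core/view/alerts API response (the sample below is constructed, not a real scan) and fails on any Medium-or-higher finding that is not in a reviewed, accepted set. The alert field names are assumed from ZAP's alert format; the plugin ids, URLs and accepted entries are made up.

```python
import json

# Risk levels as reported by ZAP, lowest to highest.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape of a ZAP core/view/alerts API response
# (field names follow the API; the findings and URLs are made up).
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "http://app.example/search", "param": "q"},
    {"pluginId": "40018", "alert": "SQL Injection",
     "risk": "High", "url": "http://app.example/login", "param": "user"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://app.example/", "param": ""},
]})


def alert_key(alert):
    """Identity of a finding for baseline comparison: rule, URL and parameter."""
    return (alert["pluginId"], alert["url"], alert["param"])


def regression_failures(alerts_json, accepted, fail_at="Medium"):
    """Alerts at or above `fail_at` risk that are not in the accepted set.

    `accepted` holds alert_key() tuples the team has reviewed and signed off
    (a documented false positive, for example). Anything else at or above
    the threshold is a regression and should fail the build.
    """
    threshold = RISK_ORDER[fail_at]
    alerts = json.loads(alerts_json)["alerts"]
    return [a for a in alerts
            if RISK_ORDER.get(a["risk"], 0) >= threshold
            and alert_key(a) not in accepted]


def summarize(failures):
    """One line per failing alert, most severe first."""
    ordered = sorted(failures, key=lambda a: -RISK_ORDER[a["risk"]])
    return [f'{a["risk"]}: {a["alert"]} at {a["url"]} (param={a["param"] or "-"})'
            for a in ordered]


if __name__ == "__main__":
    # Hypothetical sign-off: the /search finding was reviewed and accepted.
    accepted = {("40012", "http://app.example/search", "q")}
    failing = regression_failures(SAMPLE_ALERTS_JSON, accepted)
    print("\n".join(summarize(failing)) or "no new findings")
    raise SystemExit(1 if failing else 0)
```

In a pipeline, replace SAMPLE_ALERTS_JSON with the body returned by a running ZAP instance's alerts endpoint and keep the accepted set under version control so every sign-off is reviewable.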