websecurity@lists.webappsec.org

The Web Security Mailing List

Re: [WEB SECURITY] Security test case automation

Martin O'Neal
Thu, Jan 23, 2014 3:44 PM

> are there any tools/frameworks available for us to achieve this?

Like many situations in life, it's really not about the tool, it's what you do with it. ;)

My experience of being a roaming consultant and visiting dozens of corporate development environments, is that most people that simply buy a tool, do so as an investment in shelfware. Great for the tool vendor (hey, no support costs!) but bad for whoever is looking to get some value out of the investment.

A better approach tends to be a package of education, process reforms, and a deeper understanding of which parts of the process should be owned internally, and which should be outsourced.

This is all just my opinion of course. And I'm sure that whatever tool you buy will look wonderful on your shelf, alongside a photo of your kids. ;)

Martin...

psiinon
Fri, Jan 24, 2014 10:00 AM

If you are interested in using OWASP ZAP for security tests (either
via the BDD framework or on its own) then have a look at
http://code.google.com/p/zaproxy/wiki/SecRegTests
There's a video on there which explains how you can use ZAP for
security regression tests and more details about the ZAP API.
And feel free to ask any questions on the ZAP user group:
http://groups.google.com/group/zaproxy-users

I'm certainly not saying that ZAP will solve all of your security
problems, but including it in your development process will allow you
to find vulnerabilities like XSS and SQL injection very early on in
your development process, which is always a good thing.

Simon (ZAP Project Lead)

On Thu, Jan 23, 2014 at 3:44 PM, Martin O'Neal <martin.oneal@corsaire.com> wrote:

> > are there any tools/frameworks available for us to achieve this?
>
> Like many situations in life, it's really not about the tool, it's what you do with it. ;)
>
> My experience of being a roaming consultant and visiting dozens of corporate development environments, is that most people that simply buy a tool, do so as an investment in shelfware. Great for the tool vendor (hey, no support costs!) but bad for whoever is looking to get some value out of the investment.
>
> A better approach tends to be a package of education, process reforms, and a deeper understanding of which parts of the process should be owned internally, and which should be outsourced.
>
> This is all just my opinion of course. And I'm sure that whatever tool you buy will look wonderful on your shelf, alongside a photo of your kids. ;)
>
> Martin...


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--
OWASP ZAP Project leader
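Simon's post describes wiring ZAP into the development process so that XSS and SQL injection findings fail a build early. The script below is an added example of such a security regression gate; it is not code from the ZAP project or from either poster. It assumes the alert list has the shape returned by the ZAP API's `core/view/alerts` view (a JSON object with an `alerts` array whose entries carry `pluginId`, `name`, `risk`, `url` and `param`); the sample alerts, the `http://app.example` URLs and the baseline are constructed for the demo, and the `fetch_alerts` helper (ZAP on `localhost:8080`, API key passed as `apikey`) is an assumption about the deployment that the offline demo never calls.

```python
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape the ZAP API returns alerts (assumption about
# the field names); it is not real scan output.
SAMPLE_ALERTS_JSON = json.dumps({
    "alerts": [
        {"pluginId": "40012", "name": "Cross Site Scripting (Reflected)", "risk": "High",
         "confidence": "Medium", "url": "http://app.example/search", "param": "q"},
        {"pluginId": "40018", "name": "SQL Injection", "risk": "High",
         "confidence": "Medium", "url": "http://app.example/login", "param": "username"},
        {"pluginId": "10021", "name": "X-Content-Type-Options Header Missing", "risk": "Low",
         "confidence": "Medium", "url": "http://app.example/", "param": ""},
        {"pluginId": "10038", "name": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
         "confidence": "High", "url": "http://app.example/", "param": ""},
    ]
})

# ZAP risk levels ordered so they can be compared against a threshold.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

AlertKey = Tuple[str, str, str]


def fetch_alerts(base_url: str, api_key: str, zap_host: str = "http://localhost:8080") -> str:
    """Pull the alert list for one target from a running ZAP (assumed deployment;
    not exercised by the offline demo)."""
    query = urllib.parse.urlencode({"apikey": api_key, "baseurl": base_url})
    with urllib.request.urlopen(f"{zap_host}/JSON/core/view/alerts/?{query}") as resp:
        return resp.read().decode("utf-8")


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Return the alert entries from a core/view/alerts JSON document."""
    return json.loads(text).get("alerts", [])


def alert_key(alert: Dict[str, str]) -> AlertKey:
    """Identity of a finding for baseline comparison: rule, location, parameter.
    Ignoring the free-text name keeps the key stable across ZAP releases."""
    return (alert.get("pluginId", ""), alert.get("url", ""), alert.get("param", ""))


def new_findings(alerts: List[Dict[str, str]], baseline: Set[AlertKey],
                 min_risk: str = "Medium") -> List[Dict[str, str]]:
    """Alerts at or above min_risk that are not already accepted in the baseline."""
    threshold = RISK_ORDER[min_risk]
    found = []
    for alert in alerts:
        # Unknown risk strings are treated as Informational rather than crashing the gate.
        if RISK_ORDER.get(alert.get("risk", "Informational"), 0) < threshold:
            continue
        if alert_key(alert) in baseline:
            continue
        found.append(alert)
    return found


def regression_gate(alerts_json: str, baseline: Set[AlertKey],
                    min_risk: str = "Medium") -> Tuple[bool, List[Dict[str, str]]]:
    """Return (passed, new_findings). The build passes only when nothing new at or
    above the threshold appeared; previously accepted findings do not block."""
    findings = new_findings(parse_alerts(alerts_json), baseline, min_risk)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    # Constructed baseline: the missing CSP header was reviewed and accepted earlier.
    accepted = {("10038", "http://app.example/", "")}
    passed, findings = regression_gate(SAMPLE_ALERTS_JSON, accepted, min_risk="Medium")
    for f in findings:
        print(f"NEW {f['risk']:<6} {f['name']} at {f['url']} param={f['param']!r}")
    raise SystemExit(0 if passed else 1)
```

Failing the build on new findings only, against a reviewed baseline, is what keeps the gate from being switched off the first time a low-priority header finding blocks a release; the baseline file should live in version control so that accepting a finding is itself a reviewable change.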
