Difference between revisions of "Zaqar/bp/havana/security-testing"
Revisions compared: an edit by Thomas Biege (section Code Scanning) and a minor edit by Malini (moved page Marconi/bp/havana/security-testing to Zaqar/bp/havana/security-testing: Project Rename); 4 intermediate revisions by 2 users not shown.
Latest revision as of 18:42, 7 August 2014
Code Scanning
Simple but recurring software flaws can be found using static code analyzers or other code scanning tools. We are limited to freely available code scanners; some candidates that still need to be evaluated are:
- rats (C, C++, Perl, PHP, Python)
- pylint quality checker (Python)
- PyChecker code checker (Python, last release 2011)
- FindBugs (Java)
- Yasca Meta-tool to leverage existing tools for scanning (also supports Python)
- brakeman Rails security code scanner, good integration in Jenkins (Ruby on Rails)
- more tools are listed at Wikipedia
Setup/Design
Jenkins can be used to scan the source code after every code submit or on a regular basis (Zuul to schedule the job) to find simple vulnerabilities. We (SUSE) have had very good experiences using Jenkins and brakeman. Scanning the code is only one step toward more secure code. The flaws found by the scanner need to be reviewed and fixed; this final step should involve the developer of the code, so that she learns to see potential security problems on her own in the future.
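As an added illustration (not part of this blueprint and not the output of any tool listed above), a minimal AST-based scanner of the kind a Jenkins job could run on each commit; the rule set is a small hypothetical sample of well-known risky Python calls, and the scanned module is constructed for the example:

```python
import ast

# Hypothetical rule set: dotted call name -> why a reviewer should look at it.
RISKY_CALLS = {
    "eval": "eval() on untrusted input allows arbitrary code execution",
    "exec": "exec() on untrusted input allows arbitrary code execution",
    "pickle.loads": "unpickling untrusted data allows arbitrary code execution",
    "yaml.load": "yaml.load() without a safe Loader can build arbitrary objects",
}

def _call_name(node):
    """Dotted name of the called function, e.g. 'pickle.loads', or ''."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def _shell_true(node):
    """True if the call passes the keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)

def scan_source(source):
    """Return (line, rule, message) tuples, one per risky construct, by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_CALLS:
            findings.append((node.lineno, name, RISKY_CALLS[name]))
        elif name.startswith("subprocess.") and _shell_true(node):
            findings.append((node.lineno, "subprocess-shell",
                             "shell=True lets user data in the command reach a shell"))
    return sorted(findings)

# Constructed sample module containing three of the flagged constructs.
SAMPLE = """\
import pickle, subprocess
def handle(payload, cmd):
    data = pickle.loads(payload)
    subprocess.call(cmd, shell=True)
    return eval(data)
"""

if __name__ == "__main__":
    for line, rule, msg in scan_source(SAMPLE):
        print(f"line {line}: [{rule}] {msg}")
```

Each finding carries the line number so the developer who wrote the code can be pointed at the exact construct during review.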
Deployment Scanning
Several security issues could easily be found using security test suites that run against a deployed version of OpenStack.
Setup/Design
During a discussion on #openstack-infra it was suggested to use Tempest as the framework to hook the security test suite into, running it against a deployed OpenStack environment set up by DevStack Gate.