Zaqar/bp/havana/security-testing
Code Scanning
Jenkins can be used to scan the source code after every commit, or on a regular schedule (with Zuul triggering the job), to catch simple vulnerabilities early. We are limited to freely available code scanners; candidates that still need to be evaluated are:
- RATS, the Rough Auditing Tool for Security (C, C++, Perl, PHP, Python)
- pylint quality checker (Python)
- PyChecker code checker (Python, last release 2011)
- FindBugs (Java)
- Yasca, a meta-tool that drives existing scanners (also supports Python)
- brakeman, a Rails security scanner with good Jenkins integration (Ruby on Rails)
- more tools are listed at Wikipedia
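To show the kind of check a gate job like this performs, here is a small AST-based scanner in the spirit of the tools above. It is an added example, not Zaqar's code and not taken from any of the listed scanners; the rule table, the `Finding` type and the constructed `SAMPLE` source are assumptions for illustration. It flags the classic Python sinks (eval/exec, unpickling, os.system, subprocess with shell=True, yaml.load without a safe Loader) and exits non-zero when anything is found, so a Jenkins shell step can fail the build on it.

```python
"""Minimal AST-based security scanner for Python sources (illustrative, not Zaqar code)."""
import ast
import sys
from typing import Iterable, List, NamedTuple, Optional


class Finding(NamedTuple):
    line: int
    rule: str
    message: str


# Calls that almost always deserve a reviewer's look (assumed rule set).
DANGEROUS_CALLS = {
    "eval": "eval() on untrusted input allows code execution",
    "exec": "exec() on untrusted input allows code execution",
    "pickle.load": "unpickling untrusted data allows code execution",
    "pickle.loads": "unpickling untrusted data allows code execution",
    "os.system": "shell command built from strings; prefer subprocess with an argv list",
    "yaml.load": "yaml.load without SafeLoader can instantiate arbitrary objects",
}


def _call_name(node: ast.Call) -> str:
    """Return a dotted callee name such as 'pickle.loads', or '' if not a plain name."""
    func = node.func
    parts: List[str] = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _keyword(node: ast.Call, name: str) -> Optional[ast.AST]:
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _is_safe_loader(node: Optional[ast.AST]) -> bool:
    """True for Loader=yaml.SafeLoader / yaml.CSafeLoader (or a bare SafeLoader name)."""
    if isinstance(node, ast.Attribute):
        return node.attr in ("SafeLoader", "CSafeLoader")
    if isinstance(node, ast.Name):
        return node.id in ("SafeLoader", "CSafeLoader")
    return False


class _Visitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            # yaml.load is acceptable when an explicit safe Loader is passed.
            if not (name == "yaml.load" and _is_safe_loader(_keyword(node, "Loader"))):
                self.findings.append(Finding(node.lineno, name, DANGEROUS_CALLS[name]))
        # Any subprocess.* call with shell=True is the classic command-injection sink.
        if name.startswith("subprocess."):
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                self.findings.append(
                    Finding(node.lineno, name, "shell=True enables command injection"))
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<string>") -> List[Finding]:
    """Scan one Python source text and return findings sorted by line."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings)


def scan_files(paths: Iterable[str]) -> List[str]:
    """Scan files on disk; returns 'path:line: rule: message' lines for the job log."""
    report = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for f in scan_source(fh.read(), path):
                report.append(f"{path}:{f.line}: {f.rule}: {f.message}")
    return report


# Constructed sample input: deliberately contains both sinks and their safe counterparts.
SAMPLE = '''
import os, pickle, subprocess, yaml
def handler(payload, cfg):
    data = pickle.loads(payload)
    os.system("ls " + data["dir"])
    subprocess.call("echo " + cfg, shell=True)
    subprocess.call(["echo", cfg])
    safe = yaml.load(cfg, Loader=yaml.SafeLoader)
    bad = yaml.load(cfg)
    return eval(data["expr"])
'''

if __name__ == "__main__":
    # With file arguments scan them; without, demonstrate on the constructed sample.
    lines = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else [
        f"<sample>:{f.line}: {f.rule}: {f.message}" for f in scan_source(SAMPLE)]
    print("\n".join(lines))
    sys.exit(1 if lines else 0)  # non-zero exit fails the Jenkins build
```

In a Jenkins job this would be one shell step run over the source tree (`python scanner.py $(git ls-files '*.py')`); the `path:line: rule: message` output is the shape most warnings parsers consume, and the non-zero exit is what turns findings into a red build.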
Setup/Design
Deployment Scanning
Several security issues could easily be found using security test-suites that run against a deployed version of OpenStack.
Setup/Design
During a discussion on #openstack-infra it was suggested to use Tempest as the framework to hook the security test-suite into, and to run it against an OpenStack environment deployed by DevStack Gate.