Difference between revisions of "Zaqar/bp/havana/security-testing"
Thomas Biege (talk | contribs) (→Deployment Scanning) |
Thomas Biege (talk | contribs) |
Line 1: | Line 1: | ||
==Code Scanning== | ==Code Scanning== | ||
+ | Jenkins can be used to scan the source code after every code submit or on a regular basis to find simple vulnerabilities. | ||
+ | We are limited to freely available code scanners, some examples that need to be verified are | ||
+ | # [https://code.google.com/p/rough-auditing-tool-for-security/ rats] (C, C++, Perl, PHP, Python) | ||
+ | # [http://www.logilab.org/project/pylint/1.0.0 pylint] quality checker (Python) | ||
+ | # [http://www.blog.pythonlibrary.org/2011/01/26/pychecker-python-code-analysis/ PyChecker] code checker (Python, last release 2011) | ||
+ | # [http://en.wikipedia.org/wiki/FindBugs FindBugs] (Java) | ||
+ | # [http://en.wikipedia.org/wiki/Yasca Yasca] Meta-tool to leverage existing tools for scanning (also supports Python) | ||
+ | # [http://brakemanscanner.org/ brakeman] Rails security code scanner, good integration in Jenkins (Ruby on Rails) | ||
+ | # more tools are listed at [http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis Wikipedia] | ||
===Setup/Design=== | ===Setup/Design=== | ||
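Review bot: the added introductory line ends with "some examples that need to be verified are" and no closing punctuation; suggest ending it with a colon. Two of the seven listed tools (pylint, PyChecker) are described as quality and code checkers rather than security scanners, so the list should say which entries actually flag vulnerabilities versus general defects, and the pylint link is pinned to the 1.0.0 release page rather than the project page, which will go stale.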
Line 5: | Line 14: | ||
===Setup/Design=== | ===Setup/Design=== | ||
− | =References= | + | ==References== |
− | = Resources = | + | ==Resources== |
# [http://gauntlt.org/ Gauntlt] | # [http://gauntlt.org/ Gauntlt] | ||
# [https://gitorious.org/test-suite/test-suite OWASP test-suite] | # [https://gitorious.org/test-suite/test-suite OWASP test-suite] | ||
# https://code.google.com/p/rough-auditing-tool-for-security/ | # https://code.google.com/p/rough-auditing-tool-for-security/ | ||
# https://www.owasp.org/index.php/Category:OWASP_Yasca_Project | # https://www.owasp.org/index.php/Category:OWASP_Yasca_Project |
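Review bot: demoting =References= and = Resources = to == level makes them consistent with ==Code Scanning==, but in the shown context the References heading has no entries before Resources begins, and the Resources list repeats the rats and Yasca links that the new Code Scanning list already carries; suggest either merging the two headings or linking each tool once.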
Revision as of 09:33, 26 August 2013
Code Scanning
Jenkins can be used to scan the source code after every code submit or on a regular basis to find simple vulnerabilities. We are limited to freely available code scanners; some candidates that still need to be verified are:
- rats (C, C++, Perl, PHP, Python)
- pylint quality checker (Python)
- PyChecker code checker (Python, last release 2011)
- FindBugs (Java)
- Yasca, a meta-tool that leverages existing scanners (also supports Python)
- brakeman, a Rails security code scanner with good Jenkins integration (Ruby on Rails)
- more tools are listed at Wikipedia
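The sentence above says Jenkins should run a scanner after each submit, but a scanner only helps if the job can turn its findings into a pass/fail decision. The following Python gate is an added example, not code from the Zaqar project or this wiki page: it runs pylint with its real `--output-format=json` option (each record carries `type`, `symbol`, `message-id`, `path`, `line` and `message`), then fails the build for errors and for a constructed set of warning symbols that matter in a security review (`exec-used`, `eval-used`, `bare-except`). The blocking policy and the sample pylint output embedded for offline use are both constructed for this example.

```python
"""Jenkins build gate over pylint JSON output (added example, not Zaqar code).

Usage inside a Jenkins shell step:
    python pylint_gate.py zaqar/
The exit status (0 = pass, 1 = blocking findings) is what fails the build.
"""
import json
import subprocess
import sys

# Constructed policy for this example: pylint "error" and "fatal" records
# always block; "warning" records block only for the symbols listed below.
FAILING_TYPES = {"error", "fatal"}
# Real pylint symbols whose presence is worth blocking on in a security gate.
BLOCKING_WARNINGS = {"exec-used", "eval-used", "bare-except"}

# Constructed sample of what `pylint --output-format=json` emits, used so the
# gate logic can be exercised without pylint installed.
SAMPLE_OUTPUT = json.dumps([
    {"type": "convention", "module": "zaqar.api", "obj": "", "line": 1,
     "column": 0, "path": "zaqar/api.py", "symbol": "missing-module-docstring",
     "message": "Missing module docstring", "message-id": "C0114"},
    {"type": "warning", "module": "zaqar.api", "obj": "parse_filter", "line": 42,
     "column": 11, "path": "zaqar/api.py", "symbol": "eval-used",
     "message": "Use of eval", "message-id": "W0123"},
    {"type": "error", "module": "zaqar.auth", "obj": "check", "line": 57,
     "column": 8, "path": "zaqar/auth.py", "symbol": "undefined-variable",
     "message": "Undefined variable 'token'", "message-id": "E0602"},
])


def classify(findings):
    """Split pylint JSON records into (blocking, advisory) lists."""
    blocking, advisory = [], []
    for rec in findings:
        if rec.get("type") in FAILING_TYPES or rec.get("symbol") in BLOCKING_WARNINGS:
            blocking.append(rec)
        else:
            advisory.append(rec)
    return blocking, advisory


def format_finding(rec):
    """Render one record in the file:line form Jenkins log parsers expect."""
    return "{}:{}: {} ({}) {}".format(
        rec["path"], rec["line"], rec["message-id"], rec["symbol"], rec["message"])


def gate(json_text):
    """Return (exit_code, report_lines) for a pylint JSON document.

    exit_code is 1 when any blocking finding is present, otherwise 0.
    report_lines lists only the blocking findings; advisory ones are counted.
    """
    findings = json.loads(json_text) if json_text.strip() else []
    blocking, advisory = classify(findings)
    lines = [format_finding(rec) for rec in blocking]
    lines.append("{} blocking, {} advisory".format(len(blocking), len(advisory)))
    return (1 if blocking else 0), lines


def run_pylint(paths):
    """Invoke pylint and return its JSON stdout.

    pylint exits non-zero whenever it reports anything, so the exit status is
    deliberately ignored here; the gate decides from the parsed records.
    """
    proc = subprocess.run(
        [sys.executable, "-m", "pylint", "--output-format=json", *paths],
        capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # With no paths given, fall back to the constructed sample so the script
    # demonstrates the gate even where pylint is not installed.
    output = run_pylint(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    code, report = gate(output)
    print("\n".join(report))
    sys.exit(code)
```

Advisory findings (conventions, refactor hints, unlisted warnings) are counted but never fail the build, so a noisy linter can be introduced into the Jenkins job without blocking every commit; the blocking set can then be widened one symbol at a time as the code base is cleaned up.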