Difference between revisions of "Zaqar/bp/havana/security-testing"
Older revision: Thomas Biege (talk | contribs) (→Code Scanning)
Newer revision: Thomas Biege (talk | contribs) (→Deployment Scanning)
Line 12:
==Deployment Scanning==
+ Several security issues could be easily find using security test-suites that run against a deployed version of OpenStack.
+
===Setup/Design===
+ During a discussion on #openstack-infra it was suggested to use [http://docs.openstack.org/devealoper/tempest/ Tempest] as framework to hook the security test-suite in and let it run against a deployed OpenStack environment setup by [http://ci.openstack.org/devstack-gate.html DevStack Gate]
==References==
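Review bot: the Tempest link added in the Setup/Design line points at http://docs.openstack.org/devealoper/tempest/, where "devealoper" looks like a misspelling of "developer"; fix the path so the link resolves. The DevStack Gate link is fine, and the added sentence only lacks a terminating period.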
Revision as of 12:09, 26 August 2013
Code Scanning
Jenkins can be used to scan the source code after every code submission, or on a regular schedule (with Zuul scheduling the job), to find simple vulnerabilities. We are limited to freely available code scanners. Some candidates that still need to be evaluated are listed below; since the code base is Python, only the scanners that support Python apply directly, the others are included for comparison:
- RATS (C, C++, Perl, PHP, Python)
- pylint quality checker (Python; a style and quality checker rather than a security scanner)
- PyChecker code checker (Python, last release 2011)
- FindBugs (Java)
- Yasca, a meta-tool that drives existing scanners (also supports Python)
- brakeman, a Rails security code scanner with good Jenkins integration (Ruby on Rails)
- more tools are listed at Wikipedia
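As an added example (not one of the scanners listed above, not Zaqar code, and not a substitute for those tools), the following shows what a minimal "simple vulnerability" scanner of the kind such a Jenkins/Zuul job would run looks like: an AST walk over Python source that flags eval/exec, shell-invoking calls, unpickling, yaml.load without a Loader and hard-coded credentials, and exits non-zero so the job fails. The rule set, the message texts and the SAMPLE_MODULE it scans are constructed for illustration, and the scan_files entry point is a hypothetical CLI rather than any real tool's.

```python
"""AST-based scanner for "simple vulnerabilities" in Python source.

Added example: not one of the scanners listed above and not Zaqar code. It
shows the kind of check a Jenkins/Zuul job runs on every submission and the
non-zero exit a gating job needs. The rule set and SAMPLE_MODULE are
constructed for illustration.
"""
import ast
import sys

# Calls flagged regardless of their arguments.
DANGEROUS_CALLS = {
    "eval": "eval() on attacker-controlled input is code execution",
    "exec": "exec() on attacker-controlled input is code execution",
    "os.system": "os.system() hands a string to the shell",
    "os.popen": "os.popen() hands a string to the shell",
    "pickle.load": "unpickling untrusted data is code execution",
    "pickle.loads": "unpickling untrusted data is code execution",
    "yaml.load": "yaml.load() without a Loader instantiates arbitrary objects",
}
# Calls flagged only when shell=True is passed.
SHELL_CALLS = {"subprocess.call", "subprocess.check_call",
               "subprocess.check_output", "subprocess.Popen"}
# Variable-name fragments that suggest a hard-coded credential.
SECRET_NAMES = ("password", "passwd", "secret", "token", "api_key")


def _call_name(node):
    """Dotted name of a Call target, e.g. 'subprocess.Popen' or 'eval'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True


def _is_nonempty_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def scan_source(source, filename="<string>"):
    """Return (filename, lineno, message) findings for one module, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            kw = {k.arg: k.value for k in node.keywords}
            if name in DANGEROUS_CALLS:
                if name == "yaml.load" and "Loader" in kw:
                    continue  # caller chose a Loader explicitly; not flagged by this rule
                findings.append((filename, node.lineno, DANGEROUS_CALLS[name]))
            elif name in SHELL_CALLS and _is_true(kw.get("shell")):
                findings.append((filename, node.lineno, "%s called with shell=True" % name))
        elif isinstance(node, ast.Assign) and _is_nonempty_str(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        s in target.id.lower() for s in SECRET_NAMES):
                    findings.append((filename, node.lineno,
                                     "hard-coded credential in %s" % target.id))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample module (not real Zaqar code) exercising every rule.
SAMPLE_MODULE = '''\
import os, subprocess, pickle, yaml

ADMIN_PASSWORD = "hunter2"

def run(cmd, blob, doc):
    subprocess.call(cmd, shell=True)
    subprocess.call(["ls", "-l"])
    os.system("ls " + cmd)
    obj = pickle.loads(blob)
    cfg = yaml.load(doc)
    safe = yaml.load(doc, Loader=yaml.SafeLoader)
    return eval(cmd), obj, cfg, safe
'''


def scan_files(paths):
    """Scan each file; return 1 (fail the build) if anything was found, else 0."""
    findings = []
    for path in paths:
        with open(path) as fh:
            findings.extend(scan_source(fh.read(), path))
    for filename, lineno, message in findings:
        print("%s:%d: %s" % (filename, lineno, message))
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(scan_files(sys.argv[1:]))
    for finding in scan_source(SAMPLE_MODULE, "sample.py"):
        print("%s:%d: %s" % finding)
```

In the job it would be invoked as `python scanner.py $(git ls-files '*.py')`; the non-zero exit is what makes Jenkins mark the build failed. It demonstrates the category of check only: yaml.load with any explicit Loader is left alone, and a name-based credential rule will have false positives, which is exactly why the listed tools need evaluating on real code.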
Setup/Design
Deployment Scanning
Several security issues (missing authentication enforcement, misconfiguration, information leaks in error responses) can easily be found by running security test-suites against a deployed OpenStack, since a code scanner never sees the running system.
Setup/Design
During a discussion on #openstack-infra it was suggested to use Tempest as the framework to hook the security test-suite into, and to run it against a deployed OpenStack environment set up by DevStack Gate.
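The following added example (not Tempest code and not part of the Zaqar project) sketches the probes such a deployment-side security suite would send to the DevStack Gate environment and how it judges the responses: unauthenticated requests must be rejected, malformed queue names must not produce a 500 or a leaked traceback, and the Server header should not advertise a version. It assumes the Marconi v1 resource path /v1/queues and Keystone-style X-Auth-Token authentication; the probe list, the http://127.0.0.1:8888 endpoint in the usage comment and the two fake_send_* deployments are constructed for illustration. Wrapping run_probes in a Tempest test case that reads endpoint and token from the Tempest configuration is the integration step and is not shown.

```python
"""Deployment-side security probes for a running Marconi/Zaqar API.

Added example: not Tempest code and not part of the Zaqar project. It shows
the shape of the checks a Tempest-hosted security suite would run against the
DevStack Gate environment. Assumptions: the v1 queues resource lives at
/v1/queues (the Marconi v1 path) and Keystone auth is enforced through the
X-Auth-Token header. The send() callable is injected so the probes also run
offline against the constructed fake deployments at the bottom.
"""
import http.client
import re
from urllib.parse import urlsplit

TRACEBACK_RE = re.compile(r"Traceback \(most recent call last\)")
VERSION_RE = re.compile(r"/\d+\.\d+")  # "gunicorn/0.17.4", "Apache/2.4.7"

# description, method, path, send X-Auth-Token?, acceptable status codes
PROBES = [
    ("list queues without a token", "GET", "/v1/queues", False, {401, 403}),
    ("create queue without a token", "PUT", "/v1/queues/probe", False, {401, 403}),
    ("oversized queue name", "PUT", "/v1/queues/" + "a" * 4096, True, {400, 404, 414}),
    ("traversal in queue name", "GET", "/v1/queues/..%2F..%2Fetc", True, {400, 404}),
]


def http_send(base_url):
    """Build send(method, path, headers) over http.client for a live endpoint."""
    parts = urlsplit(base_url)

    def send(method, path, headers=None):
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
    return send


def audit_response(status, headers, body, acceptable):
    """Findings for one response: wrong status, leaked traceback, version banner."""
    findings = []
    if status not in acceptable:
        findings.append("unexpected HTTP %d (wanted one of %s)" % (status, sorted(acceptable)))
    if TRACEBACK_RE.search(body):
        findings.append("Python traceback leaked in response body")
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings.append("Server header discloses version: %r" % server)
    return findings


def run_probes(send, token):
    """Run every probe; return {description: findings} for the ones that failed."""
    report = {}
    for desc, method, path, authed, acceptable in PROBES:
        headers = {"X-Auth-Token": token} if authed else {}
        status, hdrs, body = send(method, path, headers)
        findings = audit_response(status, hdrs, body, acceptable)
        if findings:
            report[desc] = findings
    return report


# Constructed fake deployments (sample data, no network) for offline runs.
def fake_send_insecure(method, path, headers=None):
    """Auth not enforced, version banner, 500 with traceback on long names."""
    hdrs = {"server": "gunicorn/0.17.4", "content-type": "application/json"}
    if "X-Auth-Token" not in (headers or {}):
        return 200, hdrs, '{"queues": []}'
    if len(path) > 1000:
        return 500, hdrs, 'Traceback (most recent call last):\n  File "api.py", line 42, in get\n'
    return 404, hdrs, '{"title": "Not Found"}'


def fake_send_secure(method, path, headers=None):
    """Rejects missing tokens and bad names; bare Server header."""
    hdrs = {"server": "Apache", "content-type": "application/json"}
    if "X-Auth-Token" not in (headers or {}):
        return 401, hdrs, '{"title": "Unauthorized"}'
    if len(path) > 1000:
        return 400, hdrs, '{"title": "Invalid queue name"}'
    return 404, hdrs, '{"title": "Not Found"}'


if __name__ == "__main__":
    import sys
    # usage: probes.py http://127.0.0.1:8888 <keystone-token>; no arguments runs the offline demo
    live = len(sys.argv) > 2
    send = http_send(sys.argv[1]) if live else fake_send_insecure
    report = run_probes(send, sys.argv[2] if live else "demo-token")
    for desc, findings in sorted(report.items()):
        print("%s:\n  %s" % (desc, "\n  ".join(findings)))
    sys.exit(1 if report else 0)
```

The acceptable-status sets are deliberately narrow: a 200 on an unauthenticated request or a 500 on a hostile queue name is a finding even if the body looks harmless, because a gate job has to fail on the symptom rather than on a human reading the response.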