OWASP – Ideas for unit testing web securityBy Bill • Mar 26th, 2008 • Category: News, Security
Last night I went to the Cincinnati chapter of OWASP. Over the last couple of weeks I found myself crossing paths with various security ideas promoted by OWASP so I decided to go to a meeting. The topics for this meeting were:
- Source Code Reviews and Open Source Static Analysis Tools
- An Introduction to Web Proxies
The first presenter was Allison Shubert and she talked primarily about making the business case for increased usage of Static Analysis tools. It was a nice presentation and she reiterated a lot of truisms but I still think it is a chicken and egg problem. Management will go along with source code reviews and static analysis after you show the success on an existing project. She recommended googling for static analysis tools for your favorite language. After the meeting I checked out the tools for PHP and most of it was somewhere between alpha and beta. The best looking tool of the bunch was PHP-SAT.org. Its prerequisites are pretty ornery so I will need to do some planning if I ever find the time to play with it. It looks like the commercial folks dominate the static analysis sector for the Microsoft languages. I did not find that many open source static analysis options.
The second presenter was Blaine Wilson and he talked primarily about the OWASP tool called WebScarab. He talked mainly about using it to test web applications. I thought he was going talk about a Web Proxy. I saw a slick protocol analyzer with a lot of potential. Testing web application security is cool. You can get the same information with Wireshark or Netmon but this tool is much nicer and it looks like it is pretty good tool for testing web application security.
I was a little too shy to ask Blaine questions about WebScarab since my thoughts had gone immediately to creating test cases and a test framework. Basically I was thinking of ways to automate everything Blaine did by hand and generate a “Unit test like” output. Today I went to OWASP and reviewed the list they are requesting proposals for. Here are two of projects that caught my attention.
P008 – OWASP Security Test Automation
- Project description: Create a tool that generates, records, and plays back security test cases (think JUnit) to enable regression testing for security. This could be based on WebScarab, Selenium, HTTPUnit or something else. But it would create test cases that are custom for a particular application, not a generic scanner.
P009 – OWASP Security Unit Test Framework
- Project description: Create a wizard that will generate security-specific JUnit test cases for all the security controls in your security library. The tool should ask questions about security methods and generate appropriate test cases.
The Security Test Automation project is right up my alley except for the minor problem that I do not know what I am doing. I guess I will play around with WebScarab and see if I can get an old dog to do new tricks. I met Andy Erickson at the meeting. I would describe Andy as the IT evangelist for the Cincinnati area. He has a blog and it is worth reading. Maybe I will ask him for advice.