Edit summary: (→Project Ideas (non-definitive): Added ZAP suggestions)
=== A Firefox addon for TLS observations ===
Proposed by: ulfr
Monitoring TLS certificates and ciphersuites requires deploying scanners in various locations. Would it be possible to write an addon that lets users subscribe to a scanning queue and participate in the scanning effort?
=== A web interface for Mozilla Investigator ===
Proposed by: ulfr
MIG is primarily a command line tool, but a web interface would be a nice addition for people who just want to visualize results. This project would require changes to the backend API of MIG to handle various permission levels, as well as a good knowledge of JavaScript to write the frontend.
=== A CI platform for security testing ===
Proposed by: ulfr
Developers write their code on GitHub and use CI tools like CircleCI, Travis-CI or Taskcluster to run tests and tasks when code is submitted. The goal of this project is to write a webhook-driven CI tool that runs security tests on GitHub projects. Tests include dependency checking (nps, pip --outdated, ...), ZAP baseline scanning, git commit integrity, ...
=== ZAP: Field Enumeration ===
Proposed by: psiinon
This would allow a user to iterate through a set of (user-defined) characters in order to identify the ones that are filtered out and/or escaped.
The user should be able to define the character sets to test and will probably need to configure the success and failure conditions, as well as valid values for the other fields in the form.
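The classification logic such a check needs, as an added example that is not ZAP code: each candidate character is submitted between two copies of a random marker so its reflection can be located, and the result is classed as reflected, filtered, escaped, not reflected, or blocked (the user-supplied success condition failed). The target is a constructed in-process stand-in for an HTTP endpoint whose filtering rules were chosen purely to exercise every outcome.

```python
"""Added example (not ZAP code): field enumeration against a constructed target.
Submits each character wrapped in a unique marker and classifies how the
application reflects it. The success condition and the valid values for the
other form fields are supplied by the caller, as the proposal requires."""
import html
import re
import secrets
from typing import Callable, Dict, Tuple


def constructed_target(fields: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in for the application under test (constructed, not a real app):
    rejects an invalid email, blocks ';', strips '<' and '>', HTML-escapes the
    rest of the 'name' field and reflects it into the page."""
    if "@" not in fields.get("email", ""):
        return 400, "<p>invalid email</p>"
    if ";" in fields.get("name", ""):
        return 403, "<p>request blocked</p>"
    name = fields["name"].replace("<", "").replace(">", "")
    return 200, "<p>Hello %s</p>" % html.escape(name, quote=True)


def enumerate_field(
    send: Callable[[Dict[str, str]], Tuple[int, str]],
    field: str,
    charset: str,
    base_fields: Dict[str, str],
    success: Callable[[int, str], bool],
) -> Dict[str, str]:
    """Map each character in charset to one of: reflected, filtered, escaped,
    not-reflected, blocked. base_fields holds valid values for the other fields;
    success(status, body) is the user-configured success condition."""
    results = {}
    for ch in charset:
        marker = secrets.token_hex(4)          # hex only, so it never collides with ch
        probe = "%s%s%s" % (marker, ch, marker)
        status, body = send({**base_fields, field: probe})
        if not success(status, body):
            results[ch] = "blocked"            # request rejected outright
            continue
        m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), body, re.S)
        if m is None:
            results[ch] = "not-reflected"      # field not echoed at all
        elif m.group(1) == ch:
            results[ch] = "reflected"          # came back unchanged: interesting
        elif m.group(1) == "":
            results[ch] = "filtered"           # silently removed
        else:
            results[ch] = "escaped"            # transformed, e.g. &quot;
    return results


if __name__ == "__main__":
    report = enumerate_field(constructed_target, "name", "<>\"'&;/(",
                             {"email": "probe@example.com"},
                             lambda status, body: status == 200)
    for ch, verdict in report.items():
        print(repr(ch), verdict)
```

Running it with an invalid value for the other field (for example the spider's default "ZAP" as the email) marks every character as blocked, which is exactly why the proposal asks the user to supply valid values for the rest of the form.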
=== ZAP: Form Handling ===
Proposed by: psiinon
The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These are often not valid values, for example using "ZAP" when an email address is required.
The enhancement would allow the user to define default values based on pattern matching against the field names and/or ids.
It would also be very useful if it could show the user all forms and their associated fields for an application, and then allow the user to update the default values.
=== ZAP: Automated authentication detection and configuration ===
Proposed by: psiinon
ZAP has extensive support for application authentication, but configuring it is a manual process which can be tricky to get right.
The enhancement would allow ZAP to detect as many forms of authentication as possible and automatically configure them using the existing ZAP functionality.
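One way to implement both the form handling and the authentication detection proposals above, as an added example that is not ZAP code: the standard-library HTMLParser builds an inventory of every form and its fields, an ordered list of regex rules over field names and ids picks the default value (falling back to "ZAP"), and a heuristic flags forms with exactly one password field and one text/email field as login forms, emitting a candidate configuration. The sample page, the rule list, the default values and the keys of the emitted configuration are constructed for illustration and do not correspond to ZAP's own context format.

```python
"""Added example (not ZAP code): form inventory, pattern-based default values
and login-form detection over a constructed HTML page."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Ordered (regex, default) rules, matched case-insensitively against the field's
# name and id; first match wins. Values are constructed for illustration.
DEFAULT_RULES = [
    (r"e[-_]?mail", "zap@example.com"),
    (r"phone|tel", "+15555550100"),
    (r"zip|postal", "90210"),
    (r"url|website", "https://example.com/"),
    (r"user|login", "zapuser"),
    (r"pass(word)?", "ZapPass1!"),
]
# Field types whose value is never replaced (hidden fields carry CSRF tokens).
NO_DEFAULT = ("submit", "button", "hidden", "checkbox", "radio", "file")


class FormInventory(HTMLParser):
    """Collect every <form> with its action, method and fields."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            ftype = (a.get("type") or "text").lower() if tag == "input" else tag
            self._current["fields"].append({"name": a.get("name") or "",
                                            "id": a.get("id") or "",
                                            "type": ftype})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def default_value(field: Dict, rules=DEFAULT_RULES) -> Optional[str]:
    """Default for one field; None means leave the field alone."""
    if field["type"] in NO_DEFAULT:
        return None
    key = "%s %s" % (field["name"], field["id"])
    for pattern, value in rules:
        if re.search(pattern, key, re.I):
            return value
    return "ZAP"  # the spider's fixed fallback


def detect_login_form(form: Dict) -> Optional[Dict]:
    """Heuristic: exactly one password field plus one text/email field.
    Registration and password-change forms (two password fields) are skipped."""
    pw = [f for f in form["fields"] if f["type"] == "password"]
    user = [f for f in form["fields"] if f["type"] in ("text", "email")]
    if len(pw) != 1 or len(user) != 1:
        return None
    return {"login_url": form["action"], "method": form["method"],
            "username_param": user[0]["name"], "password_param": pw[0]["name"],
            # hidden params (anti-CSRF tokens) must be re-read on every login
            "hidden_params": [f["name"] for f in form["fields"] if f["type"] == "hidden"]}


def analyse_forms(page: str) -> List[Dict]:
    """Inventory with per-field defaults and a candidate auth config per form."""
    parser = FormInventory()
    parser.feed(page)
    return [{"action": form["action"],
             "defaults": {f["name"]: default_value(f) for f in form["fields"] if f["name"]},
             "auth": detect_login_form(form)} for form in parser.forms]


# Constructed sample page: a login form and a registration form.
SAMPLE_PAGE = """
<form action="/login" method="POST">
  <input type="hidden" name="csrf" value="t0k3n">
  <input type="text" name="username" id="user-name">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form action="/register" method="post">
  <input name="email" type="email">
  <input name="nickname">
  <input name="tel" type="tel">
  <input name="password" type="password">
  <input name="password2" type="password">
</form>
"""

if __name__ == "__main__":
    for entry in analyse_forms(SAMPLE_PAGE):
        print(entry)
```

The two-password-field exclusion is the kind of caveat automated detection needs: a registration form looks like a login form to a naive check, and configuring it as the login would make every authenticated scan silently fail.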
=== New Idea Template ===