
Security/Automation/Winter Of Security 2016

1,546 bytes added, 20:20, 9 June 2016
add Security Testing Workflow and Toolchain for Python Websites and Services
Developers write their code in GitHub and use CI tools like CircleCI, Travis-CI or Taskcluster to run tests and tasks when code is submitted. The goal of this project is to write a webhook-driven CI tool that runs security tests on GitHub projects. Tests include dependency checking (npm outdated, pip list --outdated, ...), ZAP baseline scanning, git commit integrity, ...
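The core of such a tool is a webhook receiver that refuses to act on anything it cannot authenticate and then decides which checks a push needs. The following is an added example written for this page, not the project's code: it assumes GitHub's documented X-Hub-Signature-256 header (a hex HMAC-SHA256 over the raw request body under a secret shared with GitHub) and the push payload's commits[].added/modified lists; the check names, the dependency-file lists and the sample payload are hypothetical and constructed for the demo.

```python
"""Added example (not the project's code): a webhook-driven dispatcher for
security checks on a GitHub push.  Assumes GitHub's documented
X-Hub-Signature-256 header (hex HMAC-SHA256 of the raw body under a shared
secret) and the push payload's commits[].added/modified lists.  The check
names and the dependency-file lists are hypothetical."""
from __future__ import annotations
import hashlib
import hmac
import json
import os

# Assumption: the same secret is configured on the GitHub webhook.
WEBHOOK_SECRET = b"replace-with-a-long-random-secret"

PY_DEP_FILES = {"requirements.txt", "setup.py", "Pipfile", "Pipfile.lock"}
JS_DEP_FILES = {"package.json", "package-lock.json"}
ALWAYS = ("zap-baseline", "commit-integrity")   # hypothetical check names


def sign(secret: bytes, body: bytes) -> str:
    """Produce the header value GitHub would send for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str | None) -> bool:
    """Check the MAC over the *raw* bytes, before any JSON parsing, with a
    constant-time comparison so the MAC cannot be recovered byte by byte."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):])


def changed_files(payload: dict) -> set:
    """Union of files added or modified by any commit in the push."""
    files = set()
    for commit in payload.get("commits", []):
        for key in ("added", "modified"):
            files.update(commit.get(key, []))
    return files


def select_checks(payload: dict) -> list:
    """Always run the baseline scan and commit-integrity check; add the
    dependency checks only when a dependency manifest changed."""
    names = {os.path.basename(f) for f in changed_files(payload)}
    checks = list(ALWAYS)
    if names & PY_DEP_FILES:
        checks.append("pip-outdated")
    if names & JS_DEP_FILES:
        checks.append("npm-outdated")
    return checks


def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET):
    """Return (http_status, checks_to_run).  An unsigned or mis-signed request
    is rejected before the body is parsed; non-push events are ignored."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, []
    if headers.get("X-GitHub-Event") != "push":
        return 204, []
    return 200, select_checks(json.loads(body))


# Constructed push payload for the demo; not a real GitHub delivery.
SAMPLE_PAYLOAD = json.dumps({
    "ref": "refs/heads/master",
    "commits": [{
        "id": "0000000000000000000000000000000000000000",
        "added": [],
        "modified": ["requirements.txt", "app/views.py"],
        "removed": [],
    }],
}).encode()

if __name__ == "__main__":
    hdrs = {"X-GitHub-Event": "push",
            "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_PAYLOAD)}
    print(handle_webhook(hdrs, SAMPLE_PAYLOAD))
    print(handle_webhook({"X-GitHub-Event": "push"}, SAMPLE_PAYLOAD))
```

The signature is checked over the raw bytes and with hmac.compare_digest; re-serialising the parsed JSON before hashing, or comparing with ==, are the two mistakes that make a webhook endpoint spoofable.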
 
=== Security Testing Workflow and Toolchain for Python Websites and Services ===
Proposed by: adamm
 
Manual security reviews are time consuming, expensive, and important for the most critical websites and services. By documenting testing goals, trying to approximate them as closely as possible, and measuring the result, we can create an efficient, reusable workflow with known properties and a plan to improve it in the future: a Maturity Model approach.
The goal of this project is to use a Maturity Model approach to create a reusable workflow and toolkit for manual "grey-box" security review of Python websites and services.
We will create a maturity model that describes the target capabilities of an ideal reusable "grey-box" workflow documentation and toolkit, build one that can be dropped into an existing test environment such as a Docker container and used with minimal configuration, document what works and what is missing according to the Maturity Model, and create a roadmap for future work.
We will script the integration of existing tools and methods to create a reusable test harness. Concretely, we will:
* report testing coverage and support remote debugging;
* automate the setup needed to remote-debug an application from an IDE while testing it through the ZAP proxy;
* identify the best ways to test for Python-specific issues;
* make the IDE as tester-friendly as possible;
* use Python AST visualization to show where security decisions are made in code;
* make the toolkit as quick to deploy and use as possible.
We'll use the toolkit to evaluate complex real-world services like Mozilla Addons.
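Before anything can be visualized, the security decisions have to be extracted from the code. The following added example, written for this page and not part of the proposed toolkit, walks a module's AST and lists the points a grey-box reviewer would want plotted: view entry points and the auth decorators guarding them, branches that test user or permission state, and calls that execute code or commands. The call list, the decorator names, the keyword list and the sample module are constructed for illustration and are not claimed to be complete.

```python
"""Added example (not the project's toolkit): extract the security-relevant
decision points from a Python module's AST so they can be visualized or
cross-referenced with proxy findings.  All lists below are constructed for
illustration and are deliberately small."""
import ast

# Calls whose arguments deserve review (hypothetical, not exhaustive).
RISKY_CALLS = {
    "eval": "code-exec", "exec": "code-exec",
    "subprocess.Popen": "command", "subprocess.call": "command",
    "os.system": "command",
    "pickle.loads": "deserialization", "yaml.load": "deserialization",
}
# Decorators that count as an access-control guard on an entry point.
AUTH_DECORATORS = {"login_required", "permission_required"}
# Identifier fragments that mark a branch as an authorization decision.
AUTHZ_WORDS = ("user", "role", "perm", "admin", "auth")


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def identifiers(node):
    """Every bare name and attribute name used inside an expression."""
    for n in ast.walk(node):
        if isinstance(n, ast.Name):
            yield n.id
        elif isinstance(n, ast.Attribute):
            yield n.attr


class SecurityDecisionVisitor(ast.NodeVisitor):
    """Collect (line, category, detail) triples for later plotting."""

    def __init__(self):
        self.findings = []

    def visit_FunctionDef(self, node):
        decos = {dotted_name(d.func if isinstance(d, ast.Call) else d)
                 for d in node.decorator_list}
        guards = sorted(decos & AUTH_DECORATORS)
        self.findings.append((node.lineno, "entry-point",
                              f"{node.name} guarded-by={guards or None}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in RISKY_CALLS:
            self.findings.append((node.lineno, RISKY_CALLS[name], name))
        self.generic_visit(node)

    def visit_If(self, node):
        # A branch whose condition mentions user/role/permission state is an
        # authorization decision; record the condition text for the diagram.
        if any(w in ident.lower() for ident in identifiers(node.test)
               for w in AUTHZ_WORDS):
            self.findings.append((node.lineno, "authz-branch",
                                  ast.unparse(node.test)))
        self.generic_visit(node)


def analyze(source):
    """Parse `source` and return its findings sorted by line number."""
    visitor = SecurityDecisionVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


# Constructed sample module: two views, one guarded and one not.
SAMPLE_SOURCE = '''
import subprocess
from django.contrib.auth.decorators import login_required

@login_required
def export(request, name):
    if request.user.is_staff:
        subprocess.call(["tar", "czf", name])
    return name

def preview(request):
    return eval(request.GET["expr"])
'''

if __name__ == "__main__":
    for line, category, detail in analyze(SAMPLE_SOURCE):
        print(f"{line:4d}  {category:14s}  {detail}")
```

The output is deliberately a flat list of (line, category, detail) rows: that is the form a graph tool, a coverage report keyed by line, or a ZAP finding keyed by URL can be joined against, which is what makes the decisions visualizable rather than just greppable.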
=== ZAP: Field Enumeration ===