Security/Automation/Winter Of Security 2016

170 bytes added, 10:21, 6 July 2016 (edit summary: edits for python workflow)
Manual security reviews are time-consuming and expensive, yet they remain essential for the most critical websites and services. By documenting the testing goals, approximating them as closely as the available tools allow, and measuring how well each goal is met, we can build an efficient, reusable workflow with known properties and a plan for improving it over time: a Maturity Model approach.
The goal of this project is to use a Maturity Model approach to create a reusable workflow and toolkit for manual "grey-box" security review of Python websites and services, where the reviewer tests the running application from the outside while also having access to its source code and a debugger.
We will create a maturity model that describes the target capabilities of an ideal reusable "grey box" workflow (documentation and toolkit); test the available tools and document what works and what is missing according to that model; build a test environment that can be dropped into an existing setup, such as a Docker container, and used with minimal configuration; and create a roadmap for future work.
We will script the integration of existing tools and methods into a reusable test harness that reports testing coverage and supports remote debugging; automate the setup needed to remote-debug an application from an IDE while testing it through the OWASP ZAP proxy; identify the best ways to test for Python-specific issues; make the IDE as tester-friendly as possible; use Python AST visualization to surface the security decisions made in code; and make the toolkit as quick to deploy and use as possible. We will then use the toolkit to evaluate complex real-world services such as Mozilla Add-ons.
Some preparatory work has already begun on this project; the Mozilla Winter of Security (MWOS) goal is to bring it to the point where it is a usable, ongoing project.
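As an added illustration of the "AST visualization of security decisions" idea above (example code written for this page, not code from the project's toolkit), the following script walks a Python module's AST and reports the points a grey-box reviewer would want to look at first: route handlers with and without an authentication decorator, and `if` branches whose condition mentions an authorization-flavoured name. The marker list, the decorator names, and the sample Flask-style module are all assumptions constructed for the example; a real toolkit would make them configurable per framework. It needs Python 3.9+ for `ast.unparse`.

```python
import ast

# Constructed sample module (not from any real project): one route guarded by
# a decorator, one route that relies on an inline token check, and one
# unrelated helper that should not be reported.
SAMPLE_SOURCE = '''
from flask import request, abort

@app.route("/admin/users")
@login_required
def list_users():
    if not current_user.is_admin:
        abort(403)
    return render_users()

@app.route("/export")
def export_data():
    token = request.args.get("token")
    if token == SECRET_TOKEN:
        return dump_everything()
    return "denied", 403

def helper(x):
    if x > 3:
        return x
    return 0
'''

# Assumed name fragments that mark a branch as security-relevant, and assumed
# decorator names; both lists are example choices, not a fixed standard.
SECURITY_MARKERS = ("auth", "login", "admin", "permission", "perm", "token",
                    "csrf", "role", "secret", "session", "user")
AUTH_DECORATORS = ("login_required", "requires_auth", "permission_required")
ROUTE_DECORATORS = ("route",)


def _names_in(node):
    """Yield every identifier (Name ids and Attribute attrs) under a node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            yield sub.id
        elif isinstance(sub, ast.Attribute):
            yield sub.attr


def _decorator_name(dec):
    """Return the final identifier of a decorator, e.g. 'route' for app.route(...)."""
    if isinstance(dec, ast.Call):
        dec = dec.func
    if isinstance(dec, ast.Attribute):
        return dec.attr
    if isinstance(dec, ast.Name):
        return dec.id
    return ""


class SecurityDecisionVisitor(ast.NodeVisitor):
    """Collect (lineno, kind, description) tuples for guarded routes,
    unguarded routes, and if-branches whose test mentions a security marker."""

    def __init__(self):
        self.decisions = []
        self._func_stack = []

    def visit_FunctionDef(self, node):
        decos = [_decorator_name(d) for d in node.decorator_list]
        is_route = any(d in ROUTE_DECORATORS for d in decos)
        guarded = any(d in AUTH_DECORATORS for d in decos)
        if is_route:
            kind = "guarded_route" if guarded else "unguarded_route"
            self.decisions.append((node.lineno, kind, node.name))
        self._func_stack.append(node.name)
        self.generic_visit(node)
        self._func_stack.pop()

    def visit_If(self, node):
        names = {n.lower() for n in _names_in(node.test)}
        if any(m in n for n in names for m in SECURITY_MARKERS):
            func = self._func_stack[-1] if self._func_stack else "<module>"
            self.decisions.append(
                (node.lineno, "security_branch",
                 f"{func}: if {ast.unparse(node.test)}"))
        self.generic_visit(node)


def find_security_decisions(source):
    """Parse source and return its security decision points ordered by line."""
    visitor = SecurityDecisionVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.decisions)


def render_report(decisions):
    """Plain-text view of the decisions; unguarded routes are flagged so the
    reviewer can point the proxy and debugger at them first."""
    lines = []
    for lineno, kind, desc in decisions:
        flag = "  <-- review: no auth decorator" if kind == "unguarded_route" else ""
        lines.append(f"L{lineno:<4} {kind:<16} {desc}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(find_security_decisions(SAMPLE_SOURCE)))
```

The report is deliberately a flat, line-numbered list rather than a graph: the same tuples can be fed to a graph renderer or an IDE breakpoint list, and the line numbers are what the reviewer needs to set breakpoints while replaying requests through the proxy.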
== FAQ ==