Greg Margolin:
Should QA engineers get involved in application security testing? Should we consider that there might be vulnerabilities in the systems that we release? In a word, should we care? Or is the whole endeavor better off left to professional white hat hackers?
The answer to that question is easy to come by if we ask a similar one: should architects, builders, and civil engineers be concerned with the structural safety of their buildings? Or is the whole endeavor better off left to first responders -- firefighters, EMTs, police officers, judges, doctors, nurses, and funeral directors?
Well, the good people at the OWASP ZAP project hope that everybody on the team -- developers, ops, and QA alike -- gets involved in building secure web applications. They have built a tool that is useful to everybody, from complete novices to experienced penetration testers. ZAP is an intercepting web proxy: it passively scans the traffic that flows through it, actively scans by sending attack payloads to the application, runs fuzzing and brute-force attacks, and supports authentication testing. When a vulnerability is found it is flagged with a risk rating and useful background information (description, solution, references). The OWASP ZAP site also has a lot of useful video tutorials.
In this installment of GQP's Integrated Quality series, I show how a QA team could make a first step in integrating application security testing into their daily activities. As a model, I used my previous video tutorial where I showed how JMeter can be driven by Cucumber using Maven within Eclipse. The objective in that video was to show how performance requirements could be surfaced to the design level instead of being buried within a tool and scripts.
Going forward with this model, I have used the same Eclipse project and very similar Groovy code to integrate OWASP ZAP into the testing cycle. The demo is basic: I state the requirement of testing for web security vulnerabilities as a Cucumber feature, run OWASP ZAP, inspect the generated report for risk alerts, and then produce a familiar Cucumber report.
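The "inspect the generated report for risk alerts" step is where a QA gate lives, so here it is as an added example, written in Python rather than the post's Groovy and not taken from the post or from the ZAP project. It parses the classic ZAP XML report layout (OWASPZAPReport > site > alerts > alertitem, with riskcode 0..3 and confidence 0..4), fails on alerts at or above a risk threshold, drops alerts ZAP itself marked as false positives (confidence 0), and lets a reviewed list of accepted plugin ids through. The embedded report, its URIs, plugin id 99999 and the function names are constructed for this example.

```python
"""Gate a build on the alerts in an OWASP ZAP XML report (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE_NAMES = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}

# Constructed sample in the shape ZAP writes; host, URIs and plugin 99999 are made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.x" generated="constructed sample">
  <site name="http://app.example.test" host="app.example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <instances>
          <instance><uri>http://app.example.test/search?q=x</uri><method>GET</method><param>q</param></instance>
        </instances>
        <cweid>79</cweid>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <instances>
          <instance><uri>http://app.example.test/</uri><method>GET</method></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>99999</pluginid>
        <alert>Constructed noisy check</alert>
        <riskcode>2</riskcode>
        <confidence>0</confidence>
        <instances/>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


@dataclass(frozen=True)
class Alert:
    plugin_id: str
    name: str
    risk: int          # 0 Informational .. 3 High
    confidence: int    # 0 False Positive .. 4 Confirmed
    uris: tuple        # affected URIs, possibly empty


def parse_zap_report(xml_text: str) -> list:
    """Flatten every <alertitem> across all <site> elements into Alert records."""
    root = ET.fromstring(xml_text)
    alerts = []
    for item in root.iter("alertitem"):
        alerts.append(Alert(
            plugin_id=item.findtext("pluginid", default=""),
            name=item.findtext("alert", default=item.findtext("name", default="")),
            risk=int(item.findtext("riskcode", default="0")),
            confidence=int(item.findtext("confidence", default="0")),
            uris=tuple(u.text or "" for u in item.iter("uri")),
        ))
    return alerts


def blocking_alerts(alerts, min_risk=2, min_confidence=1, accepted=frozenset()):
    """Alerts that fail the build: risk >= min_risk, confidence >= min_confidence
    (confidence 0 is ZAP's own 'false positive' mark), and not on the reviewed
    accepted-risk list of plugin ids."""
    return [a for a in alerts
            if a.risk >= min_risk and a.confidence >= min_confidence
            and a.plugin_id not in accepted]


def summarize(alerts) -> dict:
    """Count alerts per risk label, e.g. {'High': 1, 'Low': 1, 'Medium': 1}."""
    counts = {}
    for a in alerts:
        label = RISK_NAMES.get(a.risk, str(a.risk))
        counts[label] = counts.get(label, 0) + 1
    return counts


def check_report(xml_text, **policy):
    """What a Cucumber 'Then' step would call: (passed, lines for the report)."""
    alerts = parse_zap_report(xml_text)
    blockers = blocking_alerts(alerts, **policy)
    lines = [f"{len(alerts)} alert(s): {summarize(alerts)}"]
    for a in blockers:
        lines.append(f"BLOCK {RISK_NAMES.get(a.risk)}/{CONFIDENCE_NAMES.get(a.confidence)} "
                     f"[{a.plugin_id}] {a.name} at {', '.join(a.uris) or '(no uri)'}")
    return (not blockers), lines


if __name__ == "__main__":
    passed, report_lines = check_report(SAMPLE_REPORT)
    print("\n".join(report_lines))
    raise SystemExit(0 if passed else 1)
```

With the default policy the sample fails on the High-risk XSS alert only: the missing-header alert is below the Medium threshold and the confidence-0 item is ignored. Tightening `min_risk` to 1 makes the header finding block too; an `accepted` set should only hold plugin ids that someone has reviewed and signed off on, otherwise the gate silently drifts open.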
Toward the end of the video I run both JMeter and OWASP ZAP to show the Integrated Quality (TM) approach in all its glory.
posted by: Greg Margolin