[Owasp-std] Security Tools for Developers - Meeting at AppSecUSA 2011 (9/23/2011)
mark curphey
mark at curphey.com
Sat Sep 24 15:12:38 EDT 2011
Indeed. I made a decent start on the reference architecture document (in markdown) last night in the plane home, so very confident I'll have a straw man to throw darts at in a few days.
What we spoke about was pulling a developer tools survey I have at work that I think has popularity of various tools in various segmentation and using it to drive the tool choices (and potentially versions) of any reference implementation. Do you think that makes sense?
On Sep 24, 2011, at 3:22 AM, Alan Parkinson wrote:
> It is exciting to see it all kick off.
>
> I'm looking for a clarification. The notes and whiteboard show "Hudson" as the CI component but the document refers to a Jenkins plugin. Which is going to be used? Or does the Hudson reference mean version v1.395 will be used to get short term capability with both code bases?
>
> Thanks,
>
> Alan
>
> On 23 September 2011 22:15, mark curphey <mark at curphey.com> wrote:
> Great notes Dan and thanks all for showing up. I am excited that things are finally starting to get kicked off.
>
> https://docs.google.com/document/d/1PVQwHXdXTgdeM85oCA47if_NXBsddc27jMX5OQWCOJA/edit?hl=en_US
>
> I added those at the meeting today to be able to edit the Google doc link above. If anyone else wants permission to edit please let me know.
>
> I'll send the photo of the whiteboard later tonight.
>
> Cheers!
>
> Mark
>
> On Sep 23, 2011, at 2:34 PM, Dan Fiedler wrote:
>
>> Security Tools for Developers - Meeting at AppSecUSA 2011 (9/23/2011)
>> ---------------------------------------------------------------------
>> Participants: Mark Curphey, Simon Bennetts, Tin Zaw, Justin Collins, Dan Fiedler, David Mirza
>>
>> Motivation:
>> There are tons of security tools out there but they are intended for security experts.
>> At what points during the development process do developers have to think about security?
>>
>> Current dev methodology/dev environment:
>> Backlog --> Implementation (w/ IDE?) --> Source Control --> Continuous Integration (CI)
>> CI --> Issue Repository
>> CI --> Deployment to staging environment
>>
>> Basic idea: reference architecture (end-to-end) of the above process (dev environment) with integration of various tools (that targets Agile environment)
>>
>> Another problem: too difficult for developers to select from the huge variety of tools
>> Possible solution: OWASP plug-in for UI that provides integration with various tools
>>
>> Tools Examples
>> - Executing selenium tests
>> - Static analysis
>> - Executing web app sec scanner like ZAP
>>
>> -------------------
>> Discussion
>> -------------------
>> There is a generic plugin for static analysis for Jenkins.
>>
>> The plugin interface needs to be generic enough to integrate with tools we know about today and future tools.
>>
>> Tools need profiles (purpose of tool, what vulns it finds) and it would be cool if the plugin can help select tools.
>>
>> How to report findings from tools? What about an API to call that the plugin can call to standardize vuln (format)?
>>
>> Simon demo'd running Selenium tests (configured to run through ZAP which then spiders and runs security tests) as part of an ANT build against Bodgeit Store app; someone is working on the Maven integration also.
>>
>> Mark demo'd using http://www.scrumdo.com/. Creating a backlog, iteration, adding stories to an initial release, and viewing the scrum board.
>>
>> Needs:
>> - Workflow customization (basic constructs for ordering, invoking tools, etc.)
>> - notification customization
>> * Hudson already provides support for notification.
>> - tuning (ignore results, detecting already-identified results/duplicates); could use regexes (a la Simon's script), use hashes of vuln info
>> - logging and artifacts; publishing these somewhere off of the CI server or cleaning them up
>> * this is probably low priority; devs are pretty good at cleaning up after themselves
>>
>>
>>
>> -------------------
>> Dev Environment
>> -------------------
>> - Source Control: Get GitHub repository setup
>> - Project Management (backlog, work item tracking): http://www.scrumdo.com/
>> - Defect tracking: Bugzilla
>> - IDE: Eclipse
>> - CI: Hudson
>> - Deployment: ???
>>
>> -------------
>> Action Items
>> -------------
>> Scrumdo, Github, Bugzilla setup: Mark Curphey (in about a week)
>> Mark will publish link to Google doc
>> Participants will participate in creating a backlog and planning iteration 1. Targeting draft version of backlog created by Friday 9/30.
>> Go over backlog next weekend (October 1st-2nd)
>>
>>
>> _______________________________________________
>> Owasp-std mailing list
>> Owasp-std at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-std
>
>
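The standardised finding format and hash-based duplicate detection raised in Dan's notes ("an API ... to standardize vuln (format)" and "tuning ... use hashes of vuln info"), worked through as an added Python example. This is not code from the thread or from any OWASP project: the two tool output shapes, the field names, the session-cookie handling and the sample findings are all constructed assumptions meant to show the shape of such a plugin, not the format of any real scanner.

```python
"""Added example (not from the original thread): normalise findings from
several tools into one record shape, fingerprint the stable fields, and
partition a CI run's results into new / duplicate / ignored.

All tool formats, field names and sample findings below are constructed.
"""
import hashlib
import json
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample output from a hypothetical static analyser.
STATIC_FINDINGS = [
    {"rule": "SQL_INJECTION", "file": "src/Login.java", "line": 42,
     "severity": "High", "message": "Unsanitised input reaches query"},
    {"rule": "HARDCODED_PASSWORD", "file": "src/Db.java", "line": 7,
     "severity": "Medium", "message": "Password literal in source"},
    {"rule": "HARDCODED_PASSWORD", "file": "src/test/DbTest.java", "line": 3,
     "severity": "Medium", "message": "Password literal in source"},
]

# Constructed sample alerts from a hypothetical dynamic scanner; the two
# alerts describe the same issue but carry different session cookies and
# payloads, which is exactly what a naive comparison would miss.
DYNAMIC_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:8080/bodgeit/search.jsp?q=abc&JSESSIONID=9F3A2C",
     "param": "q", "evidence": "<script>alert(1)</script>"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:8080/bodgeit/search.jsp?q=xyz&JSESSIONID=11B0E4",
     "param": "q", "evidence": "<script>alert(2)</script>"},
]

# Fields that identify a finding across runs; evidence and severity may change.
STABLE_FIELDS = ("tool", "category", "location", "parameter")


def canonical_url(url):
    """Keep scheme/host/path and the sorted query *keys* only, dropping the
    session cookie parameter, so two scans of one page produce one location."""
    parts = urlsplit(url)
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                   if k.upper() != "JSESSIONID"})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(keys), ""))


def normalise_static(raw):
    """Adapter for the (assumed) static-analyser format."""
    return {"tool": "static", "category": raw["rule"],
            "location": f'{raw["file"]}:{raw["line"]}', "parameter": "",
            "severity": raw["severity"].lower(), "evidence": raw["message"]}


def normalise_dynamic(raw):
    """Adapter for the (assumed) dynamic-scanner format."""
    return {"tool": "dynamic", "category": raw["alert"],
            "location": canonical_url(raw["url"]), "parameter": raw["param"],
            "severity": raw["risk"].lower(), "evidence": raw["evidence"]}


def fingerprint(finding):
    """SHA-256 over a canonical JSON encoding of the stable fields only."""
    stable = {k: finding[k] for k in STABLE_FIELDS}
    blob = json.dumps(stable, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def triage(findings, known_fingerprints, ignore_patterns):
    """Partition findings into (new, duplicates, ignored).

    ignore_patterns are regexes matched against "category location parameter",
    the regex-based tuning mentioned in the notes; known_fingerprints are
    hashes of issues already filed in the defect tracker."""
    ignore = [re.compile(p) for p in ignore_patterns]
    seen = set(known_fingerprints)
    new, dups, ignored = [], [], []
    for f in findings:
        desc = f'{f["category"]} {f["location"]} {f["parameter"]}'
        if any(p.search(desc) for p in ignore):
            ignored.append(f)
            continue
        fp = fingerprint(f)
        if fp in seen:
            dups.append(f)
            continue
        seen.add(fp)
        new.append(f)
    return new, dups, ignored


def run():
    """One CI run: the Db.java password finding is already filed, test code
    is suppressed by regex, and the two XSS alerts collapse to one issue."""
    findings = ([normalise_static(r) for r in STATIC_FINDINGS]
                + [normalise_dynamic(a) for a in DYNAMIC_ALERTS])
    already_filed = {fingerprint(normalise_static(STATIC_FINDINGS[1]))}
    return triage(findings, already_filed, [r"src/test/"])


if __name__ == "__main__":
    new, dups, ignored = run()
    print(f"new={len(new)} duplicates={len(dups)} ignored={len(ignored)}")
    for f in new:
        print(fingerprint(f)[:12], f["tool"], f["category"], f["location"])
```

The point of hashing only the stable fields is that a re-run of the build must not re-open an issue just because the scanner chose a different payload or the app issued a fresh session id; anything that legitimately changes between runs (evidence, severity after rescoring) stays out of the fingerprint and can be updated on the existing ticket instead.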