[Esapi-user] Continuous Website/Web Services Testing?

John Melton jtmelton at gmail.com
Sun Jul 14 04:48:47 UTC 2013


Yep, if you're looking for the open source route, there's PMD or Findbugs
for Java. There are a few places you can find custom rules regarding
security that have been written, but the base rules are usually related to
normal bugs, not necessarily security focused.


On Sun, Jul 14, 2013 at 12:44 AM, Christian Frichot <christian.frichot at owasp.org> wrote:

> Oh, have you investigated WhiteHat's Sentinel?
> https://www.whitehatsec.com/sentinel_services/sentinel_services.html
>
> Regards,
>
> Christian
>
>
> On Sun, Jul 14, 2013 at 12:39 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>
>> On Sun, Jul 14, 2013 at 12:26 AM, Christian Frichot
>> <christian.frichot at owasp.org> wrote:
>> > Hi Jeffrey,
>> >
>> > Depends on what sort of things you're looking to do
>> Thanks John and Christian. I was hoping for something along the lines
>> of AppScan or Fortify. In my mind, testing an application once a year
>> or two is a big opportunity for improvement. So I'd like to have the
>> test performed, suppressions and custom rules developed, and then
>> continuously test the web app. Why wait to read about your data breach
>> on PasteBin?
>>
>> > potential avenues you can investigate:
>> >  - Sucuri.net - monitors for changes to DNS, SSL, blacklisting - plus,
>> > you can set it up to email you diffs if content changes.
>> >  - asafaweb.com - more ASP.NET focused, but, may do a little of what
>> > you're after?
>> >  - Spin up your own? Maybe investigate running something like
>> > http://jenkins-ci.org/ somewhere, tie it together with something like
>> > w3af.
>> >  - Hack up your own? If you know exactly what you're after, you may be
>> > able to 'bash' some cli apps together with cron on a *nix box somewhere.
>> Thanks. I'll look into these.
>>
>> Jeff
>>
>> > On Sun, Jul 14, 2013 at 9:43 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>> >>
>> >> Hi All,
>> >>
>> >> Is anyone aware of a tool that performs nightly tests of web apps the way
>> >> a continuous integration server tests a build?
>> >>
>> >> The idea is to get a baseline and then look for adverse changes as the
>> >> dev team modifies functionality and adds pages.
>>
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20130714/09320781/attachment.html>
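The "bash some CLI apps together with cron" route Christian suggests, applied to Jeff's "get a baseline, then look for adverse changes" idea, as an added example that is not code from anyone in this thread. It is a POSIX shell script that records, per URL, the HTTP status, the HSTS / CSP / X-Frame-Options headers, whether every cookie carries Secure and HttpOnly, and a SHA-256 of the body, then diffs tonight's run against the stored baseline and exits non-zero when anything is new, changed or missing. Everything about the deployment is assumed rather than taken from the thread: `curl` and `sha256sum` installed, a `urls.txt` with one URL per line, the baseline path given as the second argument, and the script name `webcheck.sh` in the cron line.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: a "baseline, then diff
# nightly" check of a site's HTTP responses, wired together from curl, sha256sum
# and cron. Assumed (not stated in the thread): curl and sha256sum are installed,
# urls.txt lists one URL per line, and the baseline file is the second argument.

# Return the first value of header $2 from raw header file $1, lowercased,
# trimmed, with runs of spaces turned into '_' so a summary never contains spaces.
pick_header() {
  grep -i "^$2:" "$1" | head -n 1 | tr -d '\r' | cut -d: -f2- \
    | sed 's/^ *//; s/ *$//' | tr 'A-Z' 'a-z' | tr -s ' ' '_'
}

# One-line summary of a saved response (header file $1, body file $2):
#   status|hsts|csp|x-frame-options|cookie-flags|body-sha256
# Only fields that matter for "did something get worse" are kept.
summarize_response() {
  status=$(head -n 1 "$1" | tr -d '\r' | awk '{print $2}')
  hsts=$(pick_header "$1" strict-transport-security)
  csp=$(pick_header "$1" content-security-policy)
  xfo=$(pick_header "$1" x-frame-options)
  cookies=$(grep -i '^set-cookie:' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
  if [ -z "$cookies" ]; then
    cflags=nocookies
  elif printf '%s\n' "$cookies" | grep -qv secure \
       || printf '%s\n' "$cookies" | grep -qv httponly; then
    cflags=weak            # at least one cookie lacks Secure or HttpOnly
  else
    cflags=secure+httponly
  fi
  bhash=$(sha256sum "$2" | awk '{print $1}')
  printf '%s|%s|%s|%s|%s|%s\n' "$status" "${hsts:-none}" "${csp:-none}" \
    "${xfo:-none}" "$cflags" "$bhash"
}

# Fetch $1 once (no redirect following: a new redirect should show as a change)
# and print "url summary".
fetch_and_summarize() {
  tmp=$(mktemp -d)
  curl -sS --max-time 30 -D "$tmp/headers" -o "$tmp/body" "$1"
  printf '%s ' "$1"
  summarize_response "$tmp/headers" "$tmp/body"
  rm -rf "$tmp"
}

# Diff baseline file $1 against current file $2 (both "url summary" per line).
# Prints NEW / CHANGED / MISSING lines and returns 1 if anything differs, so
# cron (or a Jenkins job) can alert on a non-zero exit.
compare_summaries() {
  changed=0
  while read -r url summary; do
    [ -z "$url" ] && continue
    old=$(awk -v u="$url" '$1 == u { print $2 }' "$1")
    if [ -z "$old" ]; then
      echo "NEW      $url -> $summary"; changed=1
    elif [ "$old" != "$summary" ]; then
      echo "CHANGED  $url"; echo "  was: $old"; echo "  now: $summary"; changed=1
    fi
  done < "$2"
  while read -r url summary; do
    [ -z "$url" ] && continue
    awk -v u="$url" '$1 == u { f = 1 } END { exit !f }' "$2" \
      || { echo "MISSING  $url"; changed=1; }
  done < "$1"
  return $changed
}

# Usage: sh webcheck.sh urls.txt baseline.txt   (first run only records the baseline)
# cron:  0 2 * * * /bin/sh /opt/webcheck/webcheck.sh /opt/webcheck/urls.txt /opt/webcheck/baseline.txt
main() {
  current=$(mktemp)
  while read -r url; do
    [ -n "$url" ] && fetch_and_summarize "$url" >> "$current"
  done < "$1"
  if [ ! -f "$2" ]; then
    mv "$current" "$2"; echo "baseline written to $2"; return 0
  fi
  compare_summaries "$2" "$current"; rc=$?
  rm -f "$current"
  return $rc
}
if [ "$#" -ge 2 ]; then main "$@"; fi
```

This is a change detector, not a scanner: it tells you that a security header disappeared, a cookie lost its flags, a page started redirecting, or content changed, which is the "adverse change since baseline" signal Jeff asked for, and something like w3af still has to do the actual vulnerability testing. Pages whose CSP carries a per-request nonce, or whose body embeds a timestamp, will show as CHANGED every night; strip those parts in `pick_header` or hash only the stable portion of the body before trusting the diff. Review the diff output before overwriting the baseline, otherwise an adverse change becomes tomorrow's accepted state.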
