[Esapi-user] Continuous Website/Web Services Testing?

Jeff Williams jeff.williams at aspectsecurity.com
Sun Jul 14 14:49:50 UTC 2013


Contrast does exactly what you want (for Java apps...other platforms coming soon).  Just drop the Engine on your app server and exercise your app with normal testing or Selenium style. The security coverage and accuracy are really good.  Try for free at contrastsecurity.com.

--Jeff




On Jul 14, 2013, at 12:49 AM, "John Melton" <jtmelton at gmail.com> wrote:

Yep, if you're looking for the open source route, there's PMD or Findbugs for Java. There are a few places you can find custom rules regarding security that have been written, but the base rules are usually related to normal bugs, not necessarily security focused.


On Sun, Jul 14, 2013 at 12:44 AM, Christian Frichot <christian.frichot at owasp.org> wrote:
Oh, have you investigated WhiteHat's Sentinel?
https://www.whitehatsec.com/sentinel_services/sentinel_services.html

Regards,

Christian


On Sun, Jul 14, 2013 at 12:39 PM, Jeffrey Walton <noloader at gmail.com> wrote:
On Sun, Jul 14, 2013 at 12:26 AM, Christian Frichot <christian.frichot at owasp.org> wrote:
> Hi Jeffrey,
>
> Depends on what sort of things you're looking to do
Thanks John and Christian. I was hoping for something along the lines
of AppScan or Fortify. In my mind, testing an application once a year
or two is a big opportunity for improvement. So I'd like to have the
test performed, suppressions and custom rules developed, and then
continuously test the web app. Why wait to read about your data breach
on PasteBin?

> potential avenues you can investigate:
>  - Sucuri.net - monitors for changes to DNS, SSL, blacklisting - plus, you
> can set it up to email you diffs if content changes.
>  - asafaweb.com - more ASP.NET focused, but, may do a little of what you're
> after?
>  - Spin up your own? Maybe investigate running something like
> http://jenkins-ci.org/ somewhere, tie it together with something like w3af.
>  - Hack up your own? If you know exactly what you're after, you may be able
> to 'bash' some cli apps together with cron on a *nix box somewhere.
Thanks. I'll look into these.

Jeff

> On Sun, Jul 14, 2013 at 9:43 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>>
>> Hi All,
>>
>> Is anyone aware of a tool that performs nightly tests of web apps like
>> a continuous integration tests a build?
>>
>> The idea is to get a baseline and then look for adverse changes as the
>> dev team modifies functionality and adds pages.
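The "spin up your own" route the thread talks about, as an added example that is not part of the original posts or of any product named in them: a baseline-then-diff check that records what each page looked like on a reference run and flags regressions on later runs (a security header dropped, a cookie losing its Secure/HttpOnly attributes, a status change, body drift, new pages). It assumes a separate fetcher (curl under cron, a Selenium run, urllib) supplies each page's status, headers and body; the sample responses, the watched-header list and the function names are this example's own assumptions.

```python
"""Baseline-then-diff check for a web app: the do-it-yourself approach from
the thread.  Added example, not code from the esapi-user thread or from any
tool it names.  Assumes a separate fetcher supplies (path, status, headers,
body) per page; the responses below are constructed for illustration."""
import hashlib

# Response headers whose removal or change between runs is worth flagging.
# The list is this example's assumption, not a recommendation from the thread.
WATCHED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)


def cookie_flags(set_cookie):
    """Keep only a Set-Cookie header's attribute names (secure, httponly, ...).
    The cookie value itself changes on every run, so comparing it is noise."""
    if set_cookie is None:
        return None
    attrs = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    return sorted(a.split("=")[0] for a in attrs)


def snapshot(path, status, headers, body):
    """Reduce one HTTP response to the fields tracked across runs."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "path": path,
        "status": status,
        "headers": {h: lowered.get(h) for h in WATCHED_HEADERS},
        "cookie_flags": cookie_flags(lowered.get("set-cookie")),
        "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
    }


def diff_snapshots(baseline, current):
    """Compare two snapshot lists; return findings as readable strings."""
    findings = []
    base_by_path = {s["path"]: s for s in baseline}
    cur_by_path = {s["path"]: s for s in current}
    for path, base in base_by_path.items():
        cur = cur_by_path.get(path)
        if cur is None:
            findings.append(f"{path}: page missing in current run")
            continue
        if cur["status"] != base["status"]:
            findings.append(f"{path}: status {base['status']} -> {cur['status']}")
        for h in WATCHED_HEADERS:
            b, c = base["headers"][h], cur["headers"][h]
            if b is not None and c is None:
                findings.append(f"{path}: header {h} removed")
            elif b is None and c is not None:
                findings.append(f"{path}: header {h} added: {c!r}")
            elif b != c:
                findings.append(f"{path}: header {h} changed: {b!r} -> {c!r}")
        if base["cookie_flags"] != cur["cookie_flags"]:
            findings.append(f"{path}: cookie attributes changed: "
                            f"{base['cookie_flags']} -> {cur['cookie_flags']}")
        if cur["body_sha256"] != base["body_sha256"]:
            findings.append(f"{path}: body content changed")
    # Pages that appeared since the baseline were never reviewed; call them out.
    for path in sorted(cur_by_path.keys() - base_by_path.keys()):
        findings.append(f"{path}: new page not in baseline, review it")
    return findings


# Constructed sample responses: a baseline run and a later run after a deploy.
BASELINE_RESPONSES = [
    ("/login", 200,
     {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY",
      "X-Content-Type-Options": "nosniff",
      "Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly"},
     "<html>login form v1</html>"),
    ("/account", 200,
     {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"},
     "<html>account page</html>"),
]
CURRENT_RESPONSES = [
    ("/login", 200,
     {"Strict-Transport-Security": "max-age=31536000",
      "X-Content-Type-Options": "nosniff",
      "Set-Cookie": "JSESSIONID=xyz789; Path=/; Secure"},   # HttpOnly lost
     "<html>login form v1</html>"),
    ("/account", 200,
     {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"},
     "<html>account page, now with export button</html>"),
    ("/admin", 200, {"Strict-Transport-Security": "max-age=31536000"},
     "<html>admin console</html>"),
]


def run_example():
    """Build both snapshot sets from the constructed data and diff them."""
    baseline = [snapshot(*r) for r in BASELINE_RESPONSES]
    current = [snapshot(*r) for r in CURRENT_RESPONSES]
    return diff_snapshots(baseline, current)


if __name__ == "__main__":
    import sys
    found = run_example()
    print("\n".join(found) or "no drift from baseline")
    sys.exit(1 if found else 0)  # non-zero exit so cron mail or a CI step fails loudly
```

In practice the baseline snapshots would be written to disk (JSON) after the reviewed run, and the nightly job would fetch, snapshot and diff against that file; suppressions are just edits to the stored baseline once a change has been reviewed and accepted.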


_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user
