[Owasp-leaders] Are Security folks too stiff

Mark Roxberry mark.roxberry at owasp.org
Sat Mar 7 17:19:40 EST 2009


I may be late to the party, but I've been part of several agile projects and
what I find a need for is new tools.  I'd like tools to test my code for
security issues per build, like the suite of unit tests that we develop in a
TDD project, I'd like something that I can plug in to fuzz my code, test
security controls, let me script attacks in the IDE etc per build, on a
continuous integration server.  I may be able to do it with my current
framework test by test, but it would be better for a set of tests and logic
from a group of security minded folks.   Maybe a library of security
functions and a wizard to parse source code and create security unit tests?
Has anyone seen anything like this (or does anyone see a need for this)?
Pseudo code (fuzz in terms of trying to break object encapsulation rules):

[TestMethod]
[ExpectedException(typeof(BadDataException))]
public void FuzzProperty()
{
    SampleClass classInstance = new SampleClass();

    // fuzzer is part of the security objects that we provide: it pushes
    // malformed data at the property, and the setter is expected to reject
    // it with BadDataException (hence the ExpectedException above).
    fuzzer.fuzzString(classInstance.SampleProperty);

    // Only reached if nothing was thrown: the property must not have kept
    // the fuzzed value.
    Assert.IsFalse(classInstance.SampleProperty.Length > 0);
}
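The same idea worked through as a runnable test, written in Python rather than the C# of the pseudo code above. This is an added example, not code from the original post: SampleClass, BadDataException, the allowed-character rule and the corpus of hostile strings are all constructed for illustration. The fuzzer is deterministic so the test gives the same verdict on every CI build, and it reports three kinds of finding: a hostile value the setter accepted, a rejection that still mutated the object, and an exception of the wrong type (a crash rather than a controlled rejection). A deliberately weak class is included so you can see what the test catches.

```python
import re


class BadDataException(ValueError):
    """Raised by a setter when a value violates the property's invariants."""


class SampleClass:
    # Constructed invariant: a username-like field, 1..32 chars, [A-Za-z0-9_.-]
    _ALLOWED = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

    def __init__(self):
        self._sample_property = ""

    @property
    def sample_property(self):
        return self._sample_property

    @sample_property.setter
    def sample_property(self, value):
        if not isinstance(value, str) or not self._ALLOWED.fullmatch(value):
            raise BadDataException(f"rejected: {value!r}")
        self._sample_property = value


class WeakSampleClass(SampleClass):
    """Same property, but the setter only checks type and length."""

    @SampleClass.sample_property.setter
    def sample_property(self, value):
        if not isinstance(value, str) or len(value) > 32:
            raise BadDataException(f"rejected: {value!r}")
        self._sample_property = value


def fuzz_strings(seed="alice"):
    """Deterministic corpus of hostile inputs derived from one valid seed."""
    return [
        "",                               # empty
        seed * 100,                       # overlong
        seed + "\x00admin",               # embedded NUL
        seed + "\n",                      # trailing newline (log/header injection)
        "' OR 1=1 --",                    # SQL-ish
        "<script>alert(1)</script>",      # HTML-ish
        "../../etc/passwd",               # path traversal
        seed + "\u202e",                  # right-to-left override
        "\uff41" + seed[1:],              # fullwidth homoglyph of 'a'
        " " + seed,                       # leading whitespace
        None,                             # wrong type
        42,                               # wrong type
    ]


def fuzz_property(obj, name, cases):
    """Drive the setter with every case; return the list of findings.

    An empty list means every hostile value was rejected with
    BadDataException and the object was left unchanged.
    """
    findings = []
    for case in cases:
        before = getattr(obj, name)
        try:
            setattr(obj, name, case)
        except BadDataException:
            if getattr(obj, name) != before:
                findings.append(("mutated_on_reject", case))
            continue
        except Exception as exc:  # crash instead of controlled rejection
            findings.append(("unexpected_exception", case, type(exc).__name__))
            continue
        findings.append(("accepted", case))
    return findings


def run_fuzz_test(cls):
    """Seed a valid value, fuzz, and report (findings, value_after_fuzzing)."""
    obj = cls()
    obj.sample_property = "alice"
    findings = fuzz_property(obj, "sample_property", fuzz_strings("alice"))
    return findings, obj.sample_property


def test_sample_property_rejects_fuzz():
    findings, value = run_fuzz_test(SampleClass)
    assert findings == [], findings
    assert value == "alice"


if __name__ == "__main__":
    test_sample_property_rejects_fuzz()
    print("SampleClass: clean")
    weak_findings, _ = run_fuzz_test(WeakSampleClass)
    print(f"WeakSampleClass: {len(weak_findings)} findings, e.g. {weak_findings[0]}")
```

Running this under pytest (or directly) passes for SampleClass and, for WeakSampleClass, reports nine accepted values: everything the length check alone lets through, including the NUL, the newline and the homoglyph. That is the per-build signal the post asks for: a regression in the setter's validation fails the build like any other unit test.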


On Thu, Mar 5, 2009 at 4:15 PM, Dan Cornell <dan at denimgroup.com> wrote:

>   A peer of mine sent me this link:
> http://www.infoworld.com/article/09/02/26/How_to_achieve_more_Agile_application_securit_1.html?source=NLC-SEC&cgd=2009-03-02
>
> But also asked me a question of why aren't security types embracing agile
> methods and lighter-weight methodologies? Any thoughts on CLASP guidance
> when compared/contrasted against the Agile Manifesto?
>
>
>
> I used to run a blog at http://www.agileandsecure.com/ for a while but got too busy to keep it up.  I looked at some of the seminal Agile documents like the Agile Manifesto and commented on how they related to security.
>
>
>
> The blog is still up and has links to some presentations we gave on the topic.  I have some more material from clients we worked with on these issues that I just haven’t had time to clean up and post.
>
>
>
> Thanks,
>
>
>
> Dan
>
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>