[Owasp-leaders] Are Security folks too stiff
mark.roxberry at owasp.org
Sat Mar 7 17:19:40 EST 2009
I may be late to the party, but I've been part of several agile projects and
what I find a need for is new tools. I'd like tools to test my code for
security issues per build, like the suite of unit tests that we develop in a
TDD project. I'd like something that I can plug in to fuzz my code, test
security controls, let me script attacks in the IDE, etc., per build, on a
continuous integration server. I may be able to do it with my current
framework test by test, but it would be better to have a set of tests and logic
from a group of security-minded folks. Maybe a library of security
functions and a wizard to parse source code and create security unit tests?
Has anyone seen anything like this (or does anyone see a need for this)?
Pseudo code (fuzz in terms of trying to break object encapsulation rules):
    public void fuzzProperty()
    {
        SampleClass classInstance = new SampleClass();
        // fuzzer is part of the security objects that we provide
        fuzzer.fuzzString(classInstance.SampleProperty);
        Assert.False(classInstance.SampleProperty.length > 0);
    }
On Thu, Mar 5, 2009 at 4:15 PM, Dan Cornell <dan at denimgroup.com> wrote:
> A peer of mine sent me this link:
> But also asked me a question of why aren't security types embracing agile
> methods and lighter-weight methodologies? Any thoughts on CLASP guidance
> when compared/contrasted against the Agile Manifesto?
> I used to run a blog at http://www.agileandsecure.com/ for a while but got too busy to keep it up. I looked at some of the seminal Agile documents like the Agile Manifesto and commented on how they related to security.
> The blog is still up and has links to some presentations we gave on the topic. I have some more material from clients we worked with on these issues that I just haven’t had time to clean up and post.
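The per-build security unit test sketched in the pseudo code above, as an added example in Python that is not part of the original message. It assumes a rule for the property (1 to 32 alphanumeric characters); SampleClass, UncheckedClass, fuzz_strings and fuzz_property are hypothetical names standing in for the fuzzer library the post asks for, and all inputs are constructed.

```python
import random
import string
import unittest

MAX_LEN = 32  # assumed rule: sample_property is 1..32 alphanumeric characters

class SampleClass:
    """Hypothetical class under test; the setter is the security control."""
    def __init__(self):
        self._sample_property = "default"

    @property
    def sample_property(self):
        return self._sample_property

    @sample_property.setter
    def sample_property(self, value):
        if not isinstance(value, str) or len(value) > MAX_LEN or not value.isalnum():
            raise ValueError("rejected by input validation")
        self._sample_property = value

class UncheckedClass:  # same shape, no validation: the fuzz check should flag it
    sample_property = "default"

def fuzz_strings(count, seed=2009):
    """Constructed inputs: fixed edge cases, then seeded (repeatable) random strings."""
    yield from ["", " ", "A" * 10000, "a\x00b", "<b>x</b>", "a'b", "\u202eabc"]
    rng = random.Random(seed)
    alphabet = string.printable + "\x00\u202e\ufeff"
    for _ in range(count):
        yield "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 64)))

def fuzz_property(cls, count=500):
    """Return every input that left sample_property outside the assumed rule."""
    broke = []
    for candidate in fuzz_strings(count):
        obj = cls()
        try:
            obj.sample_property = candidate
        except ValueError:
            pass  # rejecting the input is the expected outcome
        value = obj.sample_property
        if not (isinstance(value, str) and 0 < len(value) <= MAX_LEN and value.isalnum()):
            broke.append(candidate)
    return broke

class SecurityPropertyTest(unittest.TestCase):
    def test_setter_holds_under_fuzzing(self):
        self.assertEqual(fuzz_property(SampleClass), [])
```

Run with `python -m unittest` on the build server; the fixed seed keeps a failing input reproducible from one build to the next.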