1
votes

We already have a continuous integration process going where we build, run unit tests, do static code analysis and generate documentation. However, we would like to expand this to include automatic security testing. In this case, we are working on a .NET web application, so I'm thinking there must be some XSS and SQLi scanners that are particularly good in a CI setting (invoked via command line for starters), and possibly some static code analysis tools that are focused on security.

So, do you include automatic security testing as part of your CI? What do you test, and which tools do you use? What has your experience been like?

2
You'll have to elaborate more as to what the final product will look like. Security Testing takes on many facets from code to encryption to even OS or SQL level. -- Techie Joe
Yes, that's why I tried to be concrete with saying that it's a .NET web app, and that XSS and SQLi scanners spring to mind. Sounds like an excellent first step to me, although I would still love to hear other experiences/opinions as well. So to answer you, I'm mostly interested in the possibility of automatically scanning our web app for XSS and SQLi vulnerabilities as a part of our CI process. -- user479911

2 Answers

1
votes

We're doing this right now in Mozilla using ZAP, and I'm working with various other companies who are also using it in the same way.

There's some info on the wiki including a video.

Basically you:

  1. Start ZAP in daemon mode (no UI)
  2. Proxy any functional tests you have through it
  3. Run the spider using the REST API to cover things your tests don't cover
  4. Run the active scanner
  5. Retrieve any alerts, and then fail the build (if relevant)

You can access the REST API either directly or via the Java or Python clients. And if you'd like a client in another language and can help with it then we can work on that.

There's still lots to do in this area (especially documentation;) but it's a high priority for us (especially me). As this is a bit bleeding edge we tend to discuss it in the ZAP developer group, but I'm happy to discuss it here as well.

Note that ZAP doesn't do any static code analysis, but you're right to look into that as well.

Simon (ZAP Project lead)
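The five steps above, scripted as a CI gate in Python. This is an added example, not ZAP's own client library or anything from the answer. It assumes the daemon was started with something like `zap.sh -daemon -port 8090 -config api.key=changeme` (port, key and flag are assumptions), that the functional tests have already been proxied through it (step 2), and it uses ZAP's spider, ascan and core JSON API endpoints (`spider/action/scan`, `spider/view/status`, `ascan/action/scan`, `ascan/view/status`, `core/view/alerts`). The `fake_zap_fetch` daemon and the alert list it returns are constructed for an offline run; `run_gate`, `api_url`, `failing_alerts`, `demo` and the `http://app.example/` target are names chosen here, not ZAP's.

```python
"""CI security gate driving a ZAP daemon over its REST API, then failing the build on alerts.
Assumptions (not from the page): ZAP listens on 127.0.0.1:8090 with API key 'changeme'."""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8090"   # assumption: local daemon on port 8090
API_KEY = "changeme"                 # assumption: key passed via -config api.key=...
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(component, kind, name, params=None, base=ZAP_BASE, api_key=API_KEY):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<view|action>/<name>/?apikey=...&..."""
    query = {"apikey": api_key}
    query.update(params or {})
    return f"{base}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(query)


def http_get_json(url):
    """Real transport: GET from the daemon and parse the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_until(done, poll=2.0, timeout=1800):
    """Poll until done() is true; time out rather than hang the build forever."""
    deadline = time.monotonic() + timeout
    while not done():
        if time.monotonic() > deadline:
            raise TimeoutError("ZAP scan did not finish within the timeout")
        time.sleep(poll)


def failing_alerts(alerts, fail_at="Medium"):
    """Alerts at or above fail_at, de-duplicated by (alert name, url, param)."""
    threshold = RISK_ORDER[fail_at]
    seen, kept = set(), []
    for alert in alerts:
        if RISK_ORDER.get(alert.get("risk", "Informational"), 0) < threshold:
            continue
        key = (alert.get("alert") or alert.get("name"), alert.get("url"), alert.get("param"))
        if key not in seen:
            seen.add(key)
            kept.append(alert)
    return kept


def run_gate(target, fetch=http_get_json, fail_at="Medium", poll=2.0):
    """Steps 3-5 of the answer: spider, active scan, pull alerts, decide pass/fail.
    `fetch` maps a URL to parsed JSON so a fake daemon can drive the same flow in tests."""
    spider_id = fetch(api_url("spider", "action", "scan", {"url": target}))["scan"]
    wait_until(lambda: fetch(api_url("spider", "view", "status",
                                     {"scanId": spider_id}))["status"] == "100", poll)
    ascan_id = fetch(api_url("ascan", "action", "scan",
                             {"url": target, "recurse": "true"}))["scan"]
    wait_until(lambda: fetch(api_url("ascan", "view", "status",
                                     {"scanId": ascan_id}))["status"] == "100", poll)
    alerts = fetch(api_url("core", "view", "alerts",
                           {"baseurl": target, "start": "0", "count": "5000"}))["alerts"]
    return failing_alerts(alerts, fail_at)


# Constructed sample of what core/view/alerts returns; not real scan output.
CONSTRUCTED_ALERTS = [
    {"risk": "High", "confidence": "Medium", "alert": "SQL Injection",
     "url": "http://app.example/login", "param": "user"},
    {"risk": "High", "confidence": "Medium", "alert": "SQL Injection",   # duplicate finding
     "url": "http://app.example/login", "param": "user"},
    {"risk": "Medium", "confidence": "Low", "alert": "Cross Site Scripting (Reflected)",
     "url": "http://app.example/search", "param": "q"},
    {"risk": "Low", "confidence": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "http://app.example/", "param": ""},
    {"risk": "Informational", "confidence": "Low", "alert": "Suspicious Comments",
     "url": "http://app.example/", "param": ""},
]


def fake_zap_fetch(url):
    """Constructed stand-in for the daemon: answers run_gate's calls, scans finish at once."""
    path = urllib.parse.urlparse(url).path
    if path.endswith("/action/scan/"):
        return {"scan": "0"}
    if path.endswith("/view/status/"):
        return {"status": "100"}
    if path.endswith("/core/view/alerts/"):
        return {"alerts": CONSTRUCTED_ALERTS}
    raise ValueError("unexpected ZAP API call: " + path)


def demo(fail_at="Medium"):
    """Run the whole gate against the fake daemon; returns the build-failing alerts."""
    return run_gate("http://app.example/", fetch=fake_zap_fetch, fail_at=fail_at, poll=0)


if __name__ == "__main__":
    import sys
    bad = run_gate(sys.argv[1], fail_at=sys.argv[2] if len(sys.argv) > 2 else "Medium")
    for a in bad:
        print(f"{a['risk']}: {a.get('alert') or a.get('name')} at {a['url']} "
              f"(param: {a.get('param') or '-'})")
    sys.exit(1 if bad else 0)
```

Run it as `python zap_gate.py http://your-app-under-test/ Medium` after the functional tests have gone through the proxy (however your test runner sets an HTTP proxy, point it at 127.0.0.1:8090). Two practical caveats: the active scanner sends real attack payloads, so point it only at a disposable test deployment, and start with the gate at High so the first runs surface what ZAP finds without blocking every build, then lower the threshold as findings are fixed or triaged.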

0
votes

My thoughts at this point are to look at w3af and OWASP Zed