Is there such a thing as automated security testing in Java? If so, how is it implemented? Is it just JUnit tests written to try and exploit known server vulnerabilities, or are their security-centric testing frameworks?

As a segue I'm also interested in this OWASP Security Testing Framework, but can't tell if they're using "framework" in a classic sense (meaning a set of guidelines and procedures to follow), or in a software context (where they are actually providing automated security testing components).

Thanks to any that can shed some light on this for me!

有帮助吗?

解决方案

Don't know is it exactly what you are looking for, but there is a blog post by Stephen Colebourne (author of joda-time and future new standard java8 date-time API) about testing security permissions with junit: Stephen Colebourne's blog: Testing a security permission

其他提示

Fuzz testing never hurts: http://www.ibm.com/developerworks/java/library/j-fuzztest/index.html

Fuzz testing helps you make sure that your application is secure against any opportunity for user input.

Fuzz testing is a little awkward for JUnit tests in a way, because they are "random". You might want to loop and run a number of fuzz tests on each input avenue in a test suite.

Tools like Sonar and FindBugs can also be an automated way to find at least some security issues (FindBugs is at quite effective at finding risks of SQL injection and such).

There are commercial tools such as VeraCode that do security scanning. I don't work for them but my company uses it. It seems quite thorough.

Automated security testing is hard but that doesn't mean its not worth doing.

My suggestion for web apps - use your existing Unit and Integration tests (like Selenium) and then proxy them through a security tool like OWASP ZAP (Zed Attack Proxy). See http://code.google.com/p/zaproxy/wiki/SecRegTests for more details.

Simon (ZAP Project Lead)

许可以下: CC-BY-SA归因
不隶属于 StackOverflow
scroll top