
I've spent a lot of time in TeamCity recently and the nightly code quality metrics coming from the dupe finder, FxCop and NDepend have been great.

What I'd really like to do is find a decent web app security scanner which can run against the automatically deployed sites (I'm running a nightly build and deploy to a test environment). I'd also consider static analysis if there's a decent tool out there. The only real prerequisites is that it must be able to run unattended and should output a report in HTML format so it can be surfaced through TeamCity.

Does anyone have either any experience integrating a scanner with a build server or suggestions for tools which meet the criteria?

AviD
Troy Hunt

3 Answers


Maybe you should give a try to Netsparker: http://www.mavitunasecurity.com/netsparker/. It has automated scans, report generation, logging. Provides CLI.

  • Actually, I've already been chatting with Mavituna about Netsparker. Seems the command line runner isn't available in the Community Edition so I need to get my hands on a trial of the full thing. – Troy Hunt Dec 18 '10 at 23:22

Troy,

I've seen your work, including the Netsparker integration with TeamCity. I commented and mentioned Burp Suite Professional in headless mode might be more appropriate, but fully automated testing in this way only finds a few of the bugs. It's a classic test automation problem.

However, if you do have known HTTP requests that produce a non-desired (i.e. vulnerable) HTTP response, you can use W3AF's export request feature, available at the bottom right of the Results->KB Browser->[Knowledge Base specific item drop down]->Request->[Buttons at the bottom]. This will open a new window where HTTP requests can be converted to test cases. The test cases are available in HTML, Ajax, Python, and Ruby.

Depending on your build server environment, it may vary how to integrate these scripts. HtmlFixture, available in FitNesse, would be a good candidate for the HTML or Ajax request scripts. Under Python, perhaps Nose would be suitable; Ruby has Cucumber.

The book, "Security on Rails" has entire chapters dedicated to this topic -- and separates tests logically out to unit, functional, integration, and browser.

The O2 Project from OWASP has menu options under "API / Script Development" to execute and write unit tests. These unit tests are written in WatiN, but a lot of the work has already been done for the test developer.

If you want to develop something very powerful on your own, I suggest you look at Geb, which combines the browser driving features of WebDriver (and therefore can work with Internet Explorer, FireFox, Chrome and HTMLUnit) with a jQuery inspired content navigation/inspection API and the expressiveness of Groovy.

atdre

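The answer above describes turning a request the scanner already flagged into a build-time regression test: replay the recorded request against the nightly deployment and fail the build if the bad evidence reappears in the response. The script below is an added example, not code from the answer or from W3AF's export feature. It assumes the exported case is a small dict (the `EXPORTED_CASE` shape is my own, not W3AF's format) and stands up a tiny threaded HTTP server in place of the test environment so it runs offline; the `escape_output` switch on that server only exists to show the test both passing and catching a regression. It also emits the HTML table the question asks for.

```python
"""Replay a scanner-exported request as a regression test (added example)."""
import http.client
import threading
from html import escape
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed case: the request the scanner flagged and the evidence it saw.
# Shape is assumed for this example; adapt to whatever your scanner exports.
EXPORTED_CASE = {
    "name": "search term reflected unescaped in /search",
    "method": "GET",
    "path": "/search?q=%3Cb%3Emarker%3C%2Fb%3E",
    "headers": {"User-Agent": "regression-test"},
    "must_not_match": "<b>marker</b>",
}


def replay(case, host, port):
    """Send the recorded request and return (status, decoded body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(case["method"], case["path"], headers=case["headers"])
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()


def evaluate(case, status, body):
    """The case passes only if the scanner's evidence is absent from the body."""
    return {"name": case["name"], "status": status,
            "passed": case["must_not_match"] not in body}


class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for the deployed site; escapes output by default."""
    escape_output = True

    def do_GET(self):
        q = parse_qs(urlsplit(self.path).query).get("q", [""])[0]
        shown = escape(q) if self.escape_output else q
        page = f"<html><body>Results for: {shown}</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(page.encode("utf-8"))

    def log_message(self, *args):  # keep the build log quiet
        pass


def run_case(case, escape_output=True):
    """Start the stand-in on a free port, replay the case, then stop it."""
    handler = type("Handler", (_StandIn,), {"escape_output": escape_output})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, body = replay(case, "127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
    return evaluate(case, status, body)


def render_html_report(results):
    """Minimal HTML table a build server can publish as an artifact."""
    rows = "".join(
        f"<tr><td>{escape(r['name'])}</td><td>{r['status']}</td>"
        f"<td>{'PASS' if r['passed'] else 'FAIL'}</td></tr>"
        for r in results
    )
    return ("<html><body><table><tr><th>Case</th><th>HTTP status</th>"
            f"<th>Result</th></tr>{rows}</table></body></html>")


if __name__ == "__main__":
    results = [run_case(EXPORTED_CASE)]
    print(render_html_report(results))
    # Non-zero exit fails the build step when any recorded case regresses.
    raise SystemExit(0 if all(r["passed"] for r in results) else 1)
```

Against a real deployment you would drop the stand-in server, point `replay` at the nightly host, and keep one case per flagged request; the exit code is what the build step keys off, and the printed table is the artifact to surface.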

CAT.NET is a static analysis tool that you could integrate into the build server. Latest version is still in beta, but you can find more info about it here.

Glorfindel
Steve
  • Unfortunately it seems that CAT.NET is as good as dead, unless someone can provide any info to the contrary: http://stackoverflow.com/questions/2891408/whats-the-status-of-cat-net/4149258#4149258 – Troy Hunt Dec 18 '10 at 23:23
  • awww, @Troy, bummer to hear that. I had plans to use that... – AviD Dec 19 '10 at 06:28
  • Hmm. V1 is still nice. :) I hope they roll it into another product... – Steve Dec 20 '10 at 16:12