[Hawkular-dev] OWASP ZAP for security testing

Heiko Rupp hrupp at redhat.com
Mon Jul 10 07:47:43 EDT 2017


Last week I was in a session about "Security during the build", where the presenter talked about enforcing checks for security issues during the build phase (preferably in a nightly CI run).

One of the interesting tools is
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
which is a web client that can run attacks against web applications to try things like
* SQL injection
* cross-site forgery
* just parameter fuzzing
and much more.

While this is a bit hard to set up with pure REST APIs (if they don't follow HATEOAS), it seems worth doing anyway to make sure that the obvious things don't hit.

And before someone mentions that this does not apply to us because we use Cassandra and not a SQL data store: it is possible to generate profiles and e.g. switch off the SQL injection attack vector.
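The nightly-CI setup the message describes, as an added example (this is not code from the original post or from the Hawkular project): a shell script that writes a ZAP rule profile with the SQL injection scanners switched off and other vectors set to fail the build, then runs ZAP's packaged full scan in Docker. The image name, the `zap-full-scan.py` flags and exit codes, the rule-file format (`id<TAB>action<TAB>(comment)`) and the scanner plugin IDs are taken from ZAP's packaged-scan scripts as I know them and are stated here as assumptions; the target URL comes from the environment and is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): OWASP ZAP active scan in a nightly CI job.
# Assumptions: Docker image owasp/zap2docker-stable, its zap-full-scan.py script and
# flags, and ZAP scanner plugin IDs (40018.. = SQL injection family, 40012 = reflected
# XSS, 6 = path traversal, 90020 = OS command injection).
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"
RULES_FILE="zap-rules.conf"

# Write a rule configuration file for zap-full-scan.py.
# Format per line: <rule id><TAB><IGNORE|WARN|FAIL><TAB>(free-text comment)
# Active scan rules set to IGNORE are not run at all, which is how an attack
# vector such as SQL injection is switched off for a profile.
write_zap_rules() {
    out="$1"
    {
        printf '# generated by CI: IGNORE = rule not run, FAIL = build breaks\n'
        # SQL injection scanner family: pointless against a Cassandra-backed service
        for id in 40018 40019 40020 40021 40022 40024 40027; do
            printf '%s\tIGNORE\t(SQL injection family, no SQL store)\n' "$id"
        done
        # Vectors we do care about: any hit fails the build
        printf '%s\tFAIL\t(Cross Site Scripting, reflected)\n' 40012
        printf '%s\tFAIL\t(Path Traversal)\n' 6
        printf '%s\tFAIL\t(Remote OS Command Injection)\n' 90020
    } > "$out"
}

# Count rule lines in a config file that carry a given action (IGNORE/WARN/FAIL).
count_rules() {
    grep -v '^#' "$1" | awk -F '\t' -v a="$2" '$2 == a' | wc -l | tr -d ' '
}

# Run the scan against $1. zap-full-scan.py exits 0 (pass), 1 (a FAIL rule hit)
# or 2 (a WARN rule hit); under set -e the non-zero status fails the CI job.
# The mounted working directory receives the HTML report.
zap_full_scan() {
    target="$1"
    write_zap_rules "$RULES_FILE"
    docker run --rm -v "$(pwd)":/zap/wrk:rw -t "$ZAP_IMAGE" \
        zap-full-scan.py -t "$target" -c "$RULES_FILE" -m 5 -r zap-report.html
}

# Only launch Docker when the CI job provides a target, e.g.
#   ZAP_TARGET=https://staging.example.test/hawkular/ sh zap-ci.sh
if [ -n "${ZAP_TARGET:-}" ]; then
    zap_full_scan "$ZAP_TARGET"
fi
```

The spider behind the full scan only finds what is linked, so for a pure REST API without HATEOAS links it will cover little; ZAP's `zap-api-scan.py` variant, which takes an OpenAPI definition as its starting point, is the usual way around that (again an assumption about ZAP's tooling, not something the post describes).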
