Java Security Testing
Is there such a thing as automated security testing in Java? If so, how is it implemented? Is it just JUnit tests written to try and exploit known server vulnerabilities, or are there security-centric testing frameworks?
As a segue I'm also interested in this OWASP Security Testing Framework, but can't tell if they're using "framework" in a classic sense (meaning a set of guidelines and procedures to follow), or in a software context (where they are actually providing automated security testing components).
Thanks to any that can shed some light on this for me!
I don't know if it is exactly what you are looking for, but there is a blog post by Stephen Colebourne (author of Joda-Time and the future new standard Java 8 date-time API) about testing security permissions with JUnit: Stephen Colebourne's blog: Testing a security permission
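A JUnit 5 test in the same spirit as that blog post, added here as an illustration (it is not Stephen Colebourne's code and not from the original answer). The code under test, `setSystemClock`, and the permission name `example.clock.set` are hypothetical. The point is that the test installs its own `SecurityManager` subclasses rather than relying on a policy file: one that permits everything (so the test runner itself keeps working) and one that denies only the permission under test, so a missing `checkPermission` call in the guarded code makes the test fail. Caveat for anyone copying this today: `SecurityManager` is deprecated for removal since Java 17, JDK 18 to 23 require `-Djava.security.manager=allow` on the command line or `System.setSecurityManager` throws `UnsupportedOperationException`, and JDK 24 (JEP 486) disables it permanently.

```java
import static org.junit.jupiter.api.Assertions.*;

import java.security.Permission;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;

public class PermissionCheckTest {

    // Hypothetical permission that the code under test is supposed to enforce.
    static final String PERM_NAME = "example.clock.set";

    // Hypothetical code under test: a privileged operation that must consult the
    // SecurityManager before doing anything. The tests are about this guard.
    static void setSystemClock(long epochMillis) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission(PERM_NAME));
        }
        // the real work would happen here
    }

    // A manager that permits everything: the baseline that keeps JUnit,
    // class loading, reflection and file access by the runner working.
    static class AllowAll extends SecurityManager {
        @Override public void checkPermission(Permission p) { }
        @Override public void checkPermission(Permission p, Object context) { }
    }

    // Same, but denies exactly the one permission we care about.
    static class DenyOne extends AllowAll {
        @Override public void checkPermission(Permission p) {
            if (p instanceof RuntimePermission && PERM_NAME.equals(p.getName())) {
                throw new SecurityException("denied: " + p);
            }
        }
        @Override public void checkPermission(Permission p, Object context) { checkPermission(p); }
    }

    @AfterEach
    void removeManager() {
        // Both managers allow RuntimePermission("setSecurityManager"), so this succeeds.
        System.setSecurityManager(null);
    }

    @Test
    void guardedCallIsRejectedWithoutPermission() {
        System.setSecurityManager(new DenyOne());
        assertThrows(SecurityException.class, () -> setSystemClock(0L));
    }

    @Test
    void guardedCallSucceedsWithPermission() {
        System.setSecurityManager(new AllowAll());
        assertDoesNotThrow(() -> setSystemClock(0L));
    }

    @Test
    void guardIsActuallyConsulted() {
        // A guard that silently skipped the check would pass the previous test too,
        // so also verify that the manager saw the exact permission name.
        final StringBuilder seen = new StringBuilder();
        System.setSecurityManager(new AllowAll() {
            @Override public void checkPermission(Permission p) {
                if (p instanceof RuntimePermission && PERM_NAME.equals(p.getName())) {
                    seen.append(p.getName());
                }
            }
        });
        setSystemClock(0L);
        assertEquals(PERM_NAME, seen.toString());
    }
}
```

The third test matters: the first two only show that the guard honours a deny and an allow, while `guardIsActuallyConsulted` pins the permission name, so a refactor that checks the wrong permission (or none) is caught.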
Fuzz testing never hurts: http://www.ibm.com/developerworks/java/library/j-fuzztest/index.html
Fuzz testing helps you make sure that your application is secure against any opportunity for user input.
Fuzz testing is a little awkward for JUnit tests in a way, because they are "random". You might want to loop and run a number of fuzz tests on each input avenue in a test suite.
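One way to make the "random" part of fuzzing sit comfortably in JUnit, as an added example that is not part of the answer above: use a fixed seed so every run is reproducible, generate inputs from a small dictionary-style alphabet so interesting shapes appear often, treat the one documented rejection type as acceptable, and report iteration, seed and input for anything else. The decoder under test (`decodeNaive`, with a deliberate missing bounds check, beside the hardened `decodeChecked`) is hypothetical and written for this example.

```java
import static org.junit.jupiter.api.Assertions.*;

import java.util.Random;
import java.util.function.Function;
import org.junit.jupiter.api.Test;

public class FuzzDecoderTest {

    // Hypothetical code under test: a naive percent-decoder ("%41" -> "A").
    // Bug: no bounds check, so a '%' in the last two positions makes
    // substring() throw StringIndexOutOfBoundsException instead of a clean rejection.
    static String decodeNaive(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                out.append((char) Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened version: every malformed escape is rejected with the single
    // documented exception type, IllegalArgumentException.
    static String decodeChecked(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) {
                    throw new IllegalArgumentException("truncated escape at " + i);
                }
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) {
                    throw new IllegalArgumentException("bad hex in escape at " + i);
                }
                out.append((char) (hi * 16 + lo));
                i += 2;
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Dictionary-style alphabet: plain chars, hex digits and '%', so that escapes
    // (and broken escapes) are generated far more often than with raw random bytes.
    static final String ALPHABET = "ab%0F9z=&";
    static final long SEED = 20120101L;   // fixed seed: a failure reproduces on every run
    static final int ITERATIONS = 10_000;

    // Runs the target on ITERATIONS random strings. A documented rejection
    // (IllegalArgumentException, which includes NumberFormatException) is fine;
    // any other RuntimeException is a finding. Returns a reproduction string, or null if clean.
    static String fuzz(Function<String, String> target, long seed, int iterations) {
        Random rnd = new Random(seed);
        for (int i = 0; i < iterations; i++) {
            char[] buf = new char[rnd.nextInt(16)];
            for (int j = 0; j < buf.length; j++) {
                buf[j] = ALPHABET.charAt(rnd.nextInt(ALPHABET.length()));
            }
            String input = new String(buf);
            try {
                target.apply(input);
            } catch (IllegalArgumentException expected) {
                // documented rejection path
            } catch (RuntimeException e) {
                return "iteration " + i + ", seed " + seed + ", input \"" + input + "\": " + e;
            }
        }
        return null;
    }

    @Test
    void fuzzingFindsTheUncheckedEscape() {
        String finding = fuzz(FuzzDecoderTest::decodeNaive, SEED, ITERATIONS);
        assertNotNull(finding, "expected the naive decoder to crash on a truncated escape");
        System.out.println("finding: " + finding);
    }

    @Test
    void hardenedDecoderSurvivesFuzzing() {
        assertNull(fuzz(FuzzDecoderTest::decodeChecked, SEED, ITERATIONS));
        assertEquals("A&b", decodeChecked("%41&b"));   // sanity: valid escapes still decode
    }
}
```

The seed is the key design choice: with `Random(SEED)` the "random" inputs are the same on every run, so a red build is reproducible, and when a finding is fixed the seed can stay as the regression case. Bump the seed (or run several) to explore new inputs without losing the old ones.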
Tools like Sonar and FindBugs can also be an automated way to find at least some security issues (FindBugs is quite effective at finding risks of SQL injection and such).
There are commercial tools such as VeraCode that do security scanning. I don't work for them but my company uses it. It seems quite thorough.
Automated security testing is hard but that doesn't mean it's not worth doing.
My suggestion for web apps - use your existing Unit and Integration tests (like Selenium) and then proxy them through a security tool like OWASP ZAP (Zed Attack Proxy). See http://code.google.com/p/zaproxy/wiki/SecRegTests for more details.
Simon (ZAP Project Lead)
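What that suggestion looks like in code, as an added example that is not from the ZAP project or the answer above: a Selenium test whose browser is configured to proxy through ZAP, so the functional steps double as the crawl, followed by one assertion that queries ZAP's REST API for alerts on the site. Assumptions: Selenium 4 and JUnit 5 on the classpath, ZAP listening on `localhost:8080` with an API key passed as `-Dzap.apikey=...`, an application under test at `http://localhost:9000` with a login form using the field names `username` and `password`, and a "Welcome" string on the post-login page. Everything about the target application is hypothetical.

```java
import static org.junit.jupiter.api.Assertions.*;

import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.openqa.selenium.By;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;

public class ZapRegressionTest {
    // Assumptions: ZAP runs locally as a proxy on 8080 with its API enabled,
    // and the application under test is reachable at TARGET.
    static final String ZAP_HOST = "localhost:8080";
    static final String ZAP_API = "http://" + ZAP_HOST;
    static final String ZAP_API_KEY = System.getProperty("zap.apikey", "");
    static final String TARGET = "http://localhost:9000";

    // ZAP's alert JSON carries a "risk" field with values like "High".
    static final Pattern HIGH_RISK = Pattern.compile("\"risk\"\\s*:\\s*\"High\"");

    static WebDriver driver;

    @BeforeAll
    static void startBrowserBehindZap() {
        Proxy proxy = new Proxy();
        proxy.setHttpProxy(ZAP_HOST).setSslProxy(ZAP_HOST);
        ChromeOptions opts = new ChromeOptions();
        opts.setProxy(proxy);
        opts.setAcceptInsecureCerts(true); // ZAP re-signs TLS with its own CA; test rigs only
        driver = new ChromeDriver(opts);
    }

    @AfterAll
    static void stopBrowser() {
        if (driver != null) driver.quit();
    }

    @Test
    void loginFlowRaisesNoHighRiskAlerts() throws Exception {
        // The ordinary functional test. Because the browser is proxied through ZAP,
        // every request and response is passively scanned as a side effect.
        driver.get(TARGET + "/login");
        driver.findElement(By.name("username")).sendKeys("alice");
        driver.findElement(By.name("password")).sendKeys("correct horse battery staple");
        driver.findElement(By.cssSelector("form")).submit();
        assertTrue(driver.getPageSource().contains("Welcome"), "functional step failed");

        // The security assertion: ask ZAP what it saw for this site.
        String alerts = zapGet("/JSON/core/view/alerts/?baseurl="
                + URLEncoder.encode(TARGET, StandardCharsets.UTF_8.name()));
        assertFalse(HIGH_RISK.matcher(alerts).find(),
                "ZAP reported High-risk alerts for the login flow:\n" + alerts);
    }

    // Minimal ZAP REST API client: GET a view and return the JSON body.
    static String zapGet(String pathAndQuery) throws Exception {
        URL url = new URL(ZAP_API + pathAndQuery + "&apikey=" + ZAP_API_KEY);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

Two practical notes. Only passive scanning happens as a side effect of the proxied traffic; an active scan has to be started separately (through ZAP's API) against the URLs the functional tests have already visited, and it takes far longer, so it usually belongs in a nightly job rather than in every build. And the `baseurl` filter matters: without it the assertion would also fail on alerts from any other site the same ZAP instance has seen.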
It depends what your Java app actually is. If you are building a web service/API, for example, OWASP have a separate Top 10 just for APIs which have things listed in a different priority than the regular top 10. See OWASP Project API Security
According to Nordic APIs, you might find that it involves a lot of manual testing, since you can't automate much of it; there is a good explanation of the API Top 10 here: https://nordicapis.com/testing-owasps-top-10-api-security-vulnerabilities/