Mozilla recently deployed an open-source security testing framework:
http://blog.mozilla.org/security/2013/07/30/introducing-minion/
https://github.com/mozilla/minion
It's an automated security testing framework for use in testing web
applications. I managed to get it working on my Vagrant instance.
Here's a brief summary of what I learned:
- It uses a MongoDB backend with Python and Flask as a front-end
- There are plugins that implement certain tests (e.g., nmap, skipfish)
- Plans are combinations of plugins, basically a test plan
- Sites are added into groups, and are then assigned plans
- Finally, you run plans on the frontend and they're run by a Celery job queue
From the looks of it, I don't think this would be particularly useful for individual developers, because many of the tests require a full TLS setup and whatnot.
What might be useful is to have a security instance running MediaWiki with a similar setup to the actual en-wiki, and then have Minion running on an instance and have it run the tests that way. Unfortunately, I don't know how we would manage users (since it doesn't have LDAP integration) or when we would run these tests (I'd imagine there wouldn't be a need to run them on every change).
Version: unspecified
Severity: enhancement
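To make the plugin / plan / group model from the summary above concrete, here is an added example, written for this task from that description. It is not Minion's code and uses none of its APIs; the plugin names, plan names, site URLs and the response headers are constructed fixtures, and the "plugins" are small header checks that run offline against those fixtures instead of hitting a network. It shows how a plan is just an ordered list of plugins, how groups map sites to plans, how the (site, plan) jobs end up on a queue, and why a plan should be validated before anything is queued.

```python
"""Toy model of the Minion workflow: plugins implement tests, plans are
ordered lists of plugins, groups assign plans to sites, and a runner drains
a queue of (site, plan) jobs. Illustration only, not Minion's own code.
"""
from collections import deque
from dataclasses import dataclass
from urllib.parse import urlparse

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Issue:
    plugin: str
    severity: str
    summary: str


# Constructed fixture standing in for the HTTP response headers of three
# hypothetical sites; a real plugin would fetch these over the network.
FIXTURE_HEADERS = {
    "https://secure.example.test": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'",
    },
    "https://weak.example.test": {
        "Server": "Apache/2.2.3",
        "X-Frame-Options": "ALLOW-FROM https://partner.example.test",
    },
    "http://plain.example.test": {"Server": "nginx"},
}


# Each plugin takes a target URL and its headers and returns a list of Issues.
def hsts_plugin(target, headers):
    if urlparse(target).scheme != "https":
        return [Issue("hsts", "High", "site is not served over TLS")]
    if "Strict-Transport-Security" not in headers:
        return [Issue("hsts", "Medium", "no Strict-Transport-Security header")]
    return []


def xfo_plugin(target, headers):
    value = headers.get("X-Frame-Options")
    if value is None:
        return [Issue("xfo", "Medium", "no X-Frame-Options header")]
    if value.upper() not in ("DENY", "SAMEORIGIN"):
        return [Issue("xfo", "Low", f"unusual X-Frame-Options value {value!r}")]
    return []


def csp_plugin(target, headers):
    if "Content-Security-Policy" not in headers:
        return [Issue("csp", "Low", "no Content-Security-Policy header")]
    return []


def banner_plugin(target, headers):
    server = headers.get("Server", "")
    if any(ch.isdigit() for ch in server):
        return [Issue("banner", "Low", f"Server header leaks a version: {server!r}")]
    return []


PLUGINS = {"hsts": hsts_plugin, "xfo": xfo_plugin, "csp": csp_plugin, "banner": banner_plugin}

# A plan is an ordered list of plugin names (hypothetical plan names).
PLANS = {"basic": ["hsts", "xfo"], "full": ["hsts", "xfo", "csp", "banner"]}

# Groups hold sites and the plans assigned to them (hypothetical group names).
GROUPS = {
    "production": {"sites": ["https://secure.example.test", "https://weak.example.test"],
                   "plans": ["basic"]},
    "staging": {"sites": ["http://plain.example.test"], "plans": ["full"]},
}


def build_queue(groups, plans, plugins):
    """Expand groups into (site, plan) jobs. Plans are validated first so a
    typo in a plan fails here rather than inside a queue worker later."""
    for name, workflow in plans.items():
        unknown = [p for p in workflow if p not in plugins]
        if unknown:
            raise ValueError(f"plan {name!r} references unknown plugins {unknown}")
    queue = deque()
    for group in groups.values():
        for site in group["sites"]:
            for plan_name in group["plans"]:
                queue.append((site, plan_name))
    return queue


def run_job(site, plan_name, headers, plans=PLANS, plugins=PLUGINS):
    """Run every plugin in the plan against one site and roll up the worst severity."""
    issues = []
    for plugin_name in plans[plan_name]:
        issues.extend(plugins[plugin_name](site, headers))
    worst = max((i.severity for i in issues), key=SEVERITY_RANK.__getitem__, default=None)
    return {"site": site, "plan": plan_name, "issues": issues, "worst": worst}


def run_all(groups=GROUPS, plans=PLANS, plugins=PLUGINS, fixture=FIXTURE_HEADERS):
    """Drain the job queue in order; stands in for the Celery workers."""
    queue = build_queue(groups, plans, plugins)
    results = []
    while queue:
        site, plan_name = queue.popleft()
        results.append(run_job(site, plan_name, fixture[site], plans, plugins))
    return results


if __name__ == "__main__":
    for r in run_all():
        print(r["site"], r["plan"], r["worst"], [i.summary for i in r["issues"]])
```

In this model the queue is a plain in-process deque; the thing to carry over to a real deployment is that plan validation happens when jobs are built, not when a worker picks one up, and that each plugin reports independently so a plan's result is simply the union of its plugins' findings.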