A framework for security testing web applications through Behaviour Driven Development techniques
BDD-Security is a framework written in Java and based on JBehave and Selenium 2 (WebDriver) that uses predefined security tests and an integrated security scanner to perform automated security assessments of web applications.
Don't scanning tools already do that?
Partly. Scanning tools are good at finding certain types of vulnerabilities, such as injection vulnerabilities (Cross Site Scripting, SQL injection, etc.). But scanners don't understand the semantics of a web application. From a scanner's point of view E-bay.com and Citibank.com are the same thing: a series of HTTP requests with fields that can be scanned.
This means that purely automated scanning is a shallow form of security testing. In many cases the precise tests performed, and how they were performed, are hidden from the user. The result of the scan is a report that only contains vulnerabilities. You could think of a scanning tool as a Badness-ometer.
Manual application security assessments result in a much deeper form of testing, because humans understand context.
What about scanning?
BDD-Security makes use of the excellent Burp security scanner to perform the automated scanning in addition to the functional tests. Everything is driven from the JBehave stories, so it can all be executed from familiar build tools and integrated into continuous integration environments.
It uses a plugin we developed called resty-burp that allows Burp to be controlled through a web service interface over REST/JSON.
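To make the "stories drive the tests" idea concrete, here is an added illustration of what a JBehave security story and its Selenium WebDriver step class look like for an access-control check that a scanner has no way to express. It is example code written for this page, not BDD-Security's own steps; the target URL, the `/account` and `/login` paths and the `JSESSIONID` cookie name are assumptions, and `Cookie.isHttpOnly()` assumes a Selenium release that exposes it.

```java
// Story file (e.g. access_control.story), shown here as a comment:
//
//   Scenario: Unauthenticated users cannot reach the account page
//   Given an unauthenticated browser session
//   When the user requests the protected page /account
//   Then the user is redirected to the login page
//   And the session cookie is marked Secure and HttpOnly
//
import org.jbehave.core.annotations.Given;
import org.jbehave.core.annotations.Then;
import org.jbehave.core.annotations.When;
import org.openqa.selenium.Cookie;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.htmlunit.HtmlUnitDriver;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

public class AccessControlSteps {
    // Assumed target; replace with the application under test.
    private static final String BASE_URL = "https://app.example.test";
    private WebDriver driver;

    @Given("an unauthenticated browser session")
    public void freshSession() {
        driver = new HtmlUnitDriver();   // headless browser, no stored state
        driver.manage().deleteAllCookies();
    }

    @When("the user requests the protected page $path")
    public void requestProtectedPage(String path) {
        driver.get(BASE_URL + path);
    }

    @Then("the user is redirected to the login page")
    public void redirectedToLogin() {
        // A scanner only sees a 302; the story states what that 302 must mean.
        assertTrue("expected redirect to login, got " + driver.getCurrentUrl(),
                   driver.getCurrentUrl().contains("/login"));
    }

    @Then("the session cookie is marked Secure and HttpOnly")
    public void sessionCookieFlags() {
        Cookie session = driver.manage().getCookieNamed("JSESSIONID"); // assumed name
        assertNotNull("no session cookie was set", session);
        assertTrue("session cookie lacks the Secure flag", session.isSecure());
        assertTrue("session cookie lacks the HttpOnly flag", session.isHttpOnly());
    }
}
```

Running it still needs the usual JBehave wiring (an Embedder or JUnitStory subclass that maps the story file to this steps class), which is omitted here.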