OK, so after a bit of trouble I managed to get it working on my Vagrant
instance.
Here's a brief summary of what I learned:
* It uses a MongoDB backend with Python and Flask as a front-end
* There are plugins that implement certain tests (e.g., nmap, skipfish)
* Plans are combinations of plugins, basically a test plan
* Sites are added into groups, and are then assigned plans
* Finally, you run plans on the frontend and they're run by a celery job queue
From the looks of it, I don't think this would be particularly useful for
individual developers, because many of the tests require a full TLS setup
and whatnot.
What might be useful is to have a security instance running MediaWiki with
a similar setup to the actual en-wiki, and then have Minion running on an
instance and have it run the tests that way. Unfortunately, I don't know
how we would manage users (since it doesn't have LDAP integration) or when
we would run these tests (I'd imagine there wouldn't be a need to run them
on every change).
Thoughts?
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com
On Wed, Jul 31, 2013 at 2:39 PM, Chris Steipp <csteipp(a)wikimedia.org> wrote:
On Wed, Jul 31, 2013 at 11:23 AM, Tyler Romeo <tylerromeo(a)gmail.com> wrote:
Hey all,
Mozilla made an announcement yesterday about a new framework called
Minion:
http://blog.mozilla.org/security/2013/07/30/introducing-minion/
https://github.com/mozilla/minion
It's an automated security testing framework for use in testing web
applications. I'm currently looking into how to use it. Would there be any
interest in setting up such a framework for automated security testing of
MediaWiki?
I'm definitely interested in seeing if we can leverage something like
this. I'm not sure where it would fit alongside our current automated
testing, but I think it would be valuable to at least take a closer
look. And it's nice to see they're supporting ZAP and skipfish,
although unless they allow for more detailed configurations, both take
ages to completely scan a MediaWiki install.
If you get it running, please share your experience.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo(a)gmail.com
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l