[QA] The case for security test scenarios

Jeremy Baron jeremy at tuxmachine.com
Sun Aug 10 16:39:35 UTC 2014


On Aug 10, 2014 12:03 PM, "Sherif Mansour" <cherifmansour at gmail.com> wrote:
> Equally I can provide you with an initial list of static code analysis
> results from Fortify, if only as a benchmark for other findings etc..
> I am also very intrigued by http://rips-scanner.sourceforge.net/ this php
> opensource security static code analyzer... but one thing at a time I guess :-)

This all sounds very interesting, looking forward to seeing what you come
up with.

Have we had any security bugs yet that would be good candidates for
fuzzing? e.g. parsing generated wikitext (php or parsoid in any direction)
or exif fields with weird values or math/timeline/etc input or API inputs?

btw, fyi, we also may need to change a Jenkins test that is not about
security but rather it simply tests whether or not the php has syntax
errors that will prevent a script from running at all. (i.e. lint) I
think we're still at a good stage to be considering other options in case
someone has a tool to suggest. (See https://bugzilla.wikimedia.org/68255 )

-Jeremy
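As an added illustration of the fuzzing idea raised above (EXIF fields with weird values), here is a small mutation fuzzer. This is example code written for this page, not code from the thread, from MediaWiki or from Parsoid. `parse_ifd0` is a constructed stand-in for whatever EXIF reader is under test, and the seed image is built inline so the script runs offline; the point is the harness shape: every offset and length read from the file is bounds-checked, the mutator targets exactly the "weird values" (extreme offsets, huge counts, truncation), and anything other than the parser's own controlled error counts as a crash worth a ticket.

```python
"""Mutation fuzzing of a TIFF/EXIF IFD parser with deliberately weird values.

Added example, not from the QA thread or from MediaWiki. parse_ifd0 is a
minimal stand-in for the real EXIF reader; make_seed builds a constructed
seed image so that everything runs offline.
"""
import random
import struct


class ExifError(ValueError):
    """The only exception the parser may raise on hostile input."""


# Byte widths of the TIFF field types 1..12. Unknown types are rejected.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def parse_ifd0(data: bytes, max_entries: int = 64) -> dict:
    """Parse the first IFD of a TIFF/EXIF blob into {tag: value_bytes}.

    Every offset and count coming from the file is checked against len(data)
    before use, so weird values become ExifError instead of IndexError,
    struct.error, or a huge allocation.
    """
    if len(data) < 8:
        raise ExifError("header truncated")
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise ExifError("bad byte order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ExifError("bad TIFF magic")
    if ifd_off < 8 or ifd_off + 2 > len(data):
        raise ExifError("IFD offset out of range")
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    if count > max_entries:
        raise ExifError("too many IFD entries")
    if ifd_off + 2 + 12 * count > len(data):
        raise ExifError("IFD entries truncated")
    fields = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack(end + "HHI", data[off:off + 8])
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise ExifError("unknown field type")
        if n > len(data) // size:  # rejects count * size far beyond the file
            raise ExifError("field count too large")
        total = n * size
        if total <= 4:  # short values are stored inline in the entry
            value = data[off + 8:off + 8 + total]
        else:  # longer values live at an absolute offset
            (voff,) = struct.unpack(end + "I", data[off + 8:off + 12])
            if voff + total > len(data):
                raise ExifError("field value out of range")
            value = data[voff:voff + total]
        fields[tag] = value
    return fields


def make_seed() -> bytes:
    """Constructed little-endian TIFF: Make (0x010F, ASCII, out of line at
    offset 38) and Orientation (0x0112, SHORT, inline). Not a real image."""
    make = b"Fuzzer\x00"
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHI", 0x010F, 2, len(make)) + struct.pack("<I", 38)
    ifd += struct.pack("<HHI", 0x0112, 3, 1) + struct.pack("<HH", 1, 0)
    ifd += struct.pack("<I", 0)  # next-IFD offset: none
    return b"II" + struct.pack("<HI", 42, 8) + ifd + make


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """One mutation chosen to produce EXIF-style weird values."""
    buf = bytearray(sample)
    choice = rng.randrange(4)
    if choice == 1 and len(buf) >= 4:  # extreme 32-bit offset or count
        i = rng.randrange(len(buf) - 3)
        weird = rng.choice([0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF])
        buf[i:i + 4] = struct.pack("<I", weird)
    elif choice == 2 and len(buf) > 1:  # truncate the file
        del buf[rng.randrange(1, len(buf)):]
    elif choice == 3 and len(buf) >= 10:  # absurd IFD entry count
        buf[8:10] = struct.pack("<H", 0xFFFF)
    else:  # plain byte flip
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated seeds to the parser; anything but ExifError is a crash."""
    rng = random.Random(rng_seed)
    seed = make_seed()
    stats = {"ok": 0, "rejected": 0, "crashes": []}
    for _ in range(iterations):
        sample = seed
        for _ in range(rng.randint(1, 3)):
            sample = mutate(sample, rng)
        try:
            parse_ifd0(sample)
            stats["ok"] += 1
        except ExifError:
            stats["rejected"] += 1
        except Exception as exc:  # reproducer for a bug report
            stats["crashes"].append((type(exc).__name__, sample.hex()))
    return stats


if __name__ == "__main__":
    result = fuzz()
    print({k: (len(v) if k == "crashes" else v) for k, v in result.items()})
```

To turn this on a real reader, replace `parse_ifd0` with a call into the code under test (and widen the "allowed" exception type to whatever it documents), seed it with a real JPEG's APP1 payload, and keep each hex reproducer from `crashes` as the attachment for the ticket. The same loop works for wikitext or API inputs once the mutator is taught that format's weird values.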