OK, so after a bit of trouble I managed to get it working on my Vagrant instance.
Here's a brief summary of what I learned:

* It uses a MongoDB backend with Python and Flask as a front-end
* There are plugins that implement certain tests (e.g., nmap, skipfish)
* Plans are combinations of plugins, basically a test plan
* Sites are added into groups, and are then assigned plans
* Finally, you run plans on the frontend and they're run by a celery job queue

From the looks of it, I don't think this would be particularly useful for individual developers, because many of the tests require a full TLS setup and whatnot.
What might be useful is to have a security instance running MediaWiki with a similar setup to the actual en-wiki, and then have Minion running on an instance and have it run the tests that way. Unfortunately, I don't know how we would manage users (since it doesn't have LDAP integration) or when we would run these tests (I'd imagine there wouldn't be a need to run them on every change).
Thoughts?
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
On Wed, Jul 31, 2013 at 2:39 PM, Chris Steipp csteipp@wikimedia.org wrote:
On Wed, Jul 31, 2013 at 11:23 AM, Tyler Romeo tylerromeo@gmail.com wrote:
Hey all,
Mozilla made an announcement yesterday about a new framework called Minion:
http://blog.mozilla.org/security/2013/07/30/introducing-minion/
https://github.com/mozilla/minion
It's an automated security testing framework for use in testing web applications. I'm currently looking into how to use it. Would there be any interest in setting up such a framework for automated security testing of MediaWiki?
I'm definitely interested in seeing if we can leverage something like this. I'm not sure where it would fit alongside our current automated testing, but I think it would be valuable to at least take a closer look. And it's nice to see they're supporting ZAP and skipfish, although unless they allow for more detailed configurations, both take ages to completely scan a MediaWiki install.
If you get it running, please share your experience.
--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerromeo@gmail.com
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l