CSCfi / metadata-submitter

Metadata Submission Interface for SDA
https://metadata-submitter.rtfd.io
MIT License

Consider Mitigation of OWASP API top 10 vulnerabilities in Backend #278

Open lilachic opened 2 years ago

lilachic commented 2 years ago

Description

It would be good to know what kind of coverage we have against the OWASP API Top 10 and OWASP Top 10 vulnerabilities in the backend. https://owasp.org/www-project-api-security/ and https://owasp.org/Top10/ . Could this be partly automated, like GitHub's Dependabot against OWASP Top 10 number 6?

Whether we should have some more automatic testing against known vulnerabilities, and whether we should manually check some known vulnerabilities, needs to be decided.

DoD (Definition of Done)

There is a task to automate vulnerability testing, and we have checked that existing configurations comply with the mitigations of the OWASP API Top 10 or, where more accurate, the newer OWASP Top 10.

Testing

Peer review or group discussion about the task.

blankdots commented 2 years ago

Can we move it to https://github.com/CSCfi/metadata-submitter to track it in the backend?

lilachic commented 2 years ago

Oh, sorry, my bad, it should be in the backend. Is there an easy way to move it?

blankdots commented 2 years ago

For automation we could use https://github.com/marketplace/actions/owasp-zap-api-scan
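As an illustration of what wiring the ZAP API scan action linked above into CI would look like, here is an added example workflow. It is not part of the metadata-submitter repository and is not taken from the thread; it assumes (hypothetically) that the backend can be started on the runner with `docker compose`, that it listens on port 5430, that it exposes a `/health` endpoint and an OpenAPI document at `/openapi.json`, and that a `.zap/rules.tsv` file exists in the repository. The action version tag is likewise an assumption.

```yaml
# Added example workflow, not the project's own CI configuration.
# Every host, port and path below is an assumption for illustration.
name: OWASP ZAP API scan

on:
  pull_request:
  schedule:
    - cron: "0 3 * * 1"   # weekly run so new ZAP rules still get exercised

jobs:
  zap-api-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write          # the action files (and updates) a findings issue
    steps:
      - uses: actions/checkout@v4

      # Assumption: the backend starts from the repo with docker compose and
      # listens on port 5430 on the runner; wait until /health answers.
      - name: Start backend
        run: |
          docker compose up -d
          for i in $(seq 1 30); do
            curl -fsS http://localhost:5430/health && break
            sleep 2
          done

      # The action runs ZAP in a container using the runner's host network
      # (assumption), so localhost below refers to the backend started above.
      - name: ZAP API scan
        uses: zaproxy/action-api-scan@v0.7.0        # version pin is an assumption
        with:
          target: "http://localhost:5430/openapi.json"  # assumed spec location
          format: openapi
          rules_file_name: ".zap/rules.tsv"             # per-rule IGNORE/WARN/FAIL
          cmd_options: "-a"                             # also run alpha passive rules
          fail_action: true                             # fail the job on FAIL-level alerts
```

The rules file is tab-separated with one line per ZAP alert id, action and name, for example `10021	WARN	(X-Content-Type-Options Header Missing)`; rules left at `FAIL` break the build, which is what makes the job a gate rather than a report. Scanning from the OpenAPI document means ZAP only exercises documented routes, so undocumented endpoints still need manual review against the API Top 10 items (broken object-level authorization, excessive data exposure) that a black-box scanner cannot judge on its own.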