iriusrisk / bdd-security

BDD Automated Security Tests for Web Applications
http://www.continuumsecurity.net/bdd-intro.html
GNU Affero General Public License v3.0

OWASP Application Security Validation Mapped to BDD-Security Security Requirements #31

Open lfatty opened 9 years ago

lfatty commented 9 years ago

I was thinking about a way we could map OWASP Application Security Verification Standards to BDD-Security security requirements in each story.

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

iriusrisk commented 9 years ago

Yes, very easy to do, just add a new meta tag to the story, e.g.:

    Scenario: Transmit authentication credentials over HTTPS
    Meta: @id auth_https @cwe-319-auth @ASVS-2014-1.23 ...

tarciziovn commented 8 years ago

lfatty, I had the same idea about creating BDD requirements for ASVS. I would like to know if someone is working on this task because I am interested in starting this activity in the next days. My idea is to create something like a set of BDD stories that could be used as a model or to inspire developers and security teams when creating BDDs focused on security.

iriusrisk commented 8 years ago

@tarciziovn you are very welcome to start working on this! Note that the new v2.0 version was released yesterday which is 100% Cucumber and not JBehave. The only change to the meta tags is that there is no longer an "ID" tag, they are just free form, e.g.: @cwe-319-auth @ASVS-2014-1.23
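One way to make the tag-based mapping discussed above useful in practice is to mine the free-form tags of a Cucumber feature file and report which ASVS requirements each scenario covers (and which scenarios carry no ASVS tag at all). The following is an added example, not code from the bdd-security project; the feature text is constructed, and the `@ASVS-<year>-<section>` tag shape follows the convention used in this thread.

```python
import re
from collections import defaultdict

# Constructed sample feature file in Cucumber/Gherkin syntax (hypothetical,
# not from the bdd-security repository). Tags are free form, as in v2.0.
SAMPLE_FEATURE = """\
Feature: Authentication

  @cwe-319-auth @ASVS-2014-1.23
  Scenario: Transmit authentication credentials over HTTPS
    Given a user with valid credentials
    When the login form is submitted
    Then the credentials are only sent over HTTPS

  @cwe-307 @ASVS-2014-2.20
  Scenario: Lock account after repeated failed logins
    When the user fails to log in five times
    Then the account is locked

  @wip
  Scenario: Untagged placeholder scenario
    Given nothing
"""

# Matches tags such as @ASVS-2014-1.23 -> (version "2014", section "1.23")
ASVS_TAG = re.compile(r"^@ASVS-(\d{4})-(\d+\.\d+)$")

def parse_scenarios(feature_text):
    """Return a list of (scenario_name, tags) pairs.

    Tag lines (starting with '@') apply to the next Scenario line, mirroring
    how Cucumber attaches tags to the scenario that follows them.
    """
    scenarios, pending = [], []
    for line in feature_text.splitlines():
        line = line.strip()
        if line.startswith("@"):
            pending.extend(line.split())
        elif line.startswith("Scenario"):
            scenarios.append((line.split(":", 1)[1].strip(), pending))
            pending = []
    return scenarios

def asvs_coverage(feature_text):
    """Map each ASVS (version, section) id to the scenarios that cover it."""
    coverage = defaultdict(list)
    for name, tags in parse_scenarios(feature_text):
        for tag in tags:
            m = ASVS_TAG.match(tag)
            if m:
                coverage[(m.group(1), m.group(2))].append(name)
    return dict(coverage)

def unmapped_scenarios(feature_text):
    """Scenarios carrying no ASVS tag: candidates for mapping or review."""
    return [name for name, tags in parse_scenarios(feature_text)
            if not any(ASVS_TAG.match(t) for t in tags)]
```

Running `asvs_coverage(SAMPLE_FEATURE)` gives the requirement-to-scenario map, and `unmapped_scenarios` lists the gaps a review would want to close.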