SpoC 007 - WebScarab NG Security Test Automation
AoC Candidate: Darren Edmonds
Project coordinator: Dinis Cruz
Project Progress: 0% Complete, Progress Page
Darren Edmonds - WebScarab NG Security Test Automation
I am a 28 year old software developer from the UK with a background in java based web development and application security testing. I have strong mathematical skills, a degree in software engineering, a SCJP qualification and 8 years of commercial development experience. I have created many web based and standalone applications delivering on time and adhering to common software practices. I'm an avid supporter of open source software and try to use it whenever possible in a commercial environment. I've made contributions to the Geotools mapping project, written a securing tomcat article for OWASP and developed a full modification for the first person shooter Quake 3.
Having used numerous penetration testing applications I believe there is a need for an open source application which supports some, or all, of the features of the more expensive commercial products. I propose to make WebScarab generate, record, and playback security test cases so that regression testing is possible. If time permits I would also like to include some extra automated tests that are not always feasible during manual testing; searching for backup files (~, Copy of X), checking non-authorised access to authorised areas, common and brute force name directory searching, etc. Perhaps include the ability to read the test database of other scanning tools such as nikto. I have already made contact with Rogan Dawes, original WebScarab NG author, to discuss some initial ideas. I believe it is important that Rogan is consulted during the initial planning phase to make sure the project keeps to a set of consistent guidelines.
- Research regression testing features in other applications
- Create a functional specification
- Build testing framework (possible inclusion of scripting language for user defined tests)
Why I should be sponsored for the project
I believe I am an ideal candidate to develop the proposed additions to WebScarab NG, not just because of my qualifications and experience, but because I plan to use WebScarab NG in my work to help perform the initial testing of web applications. As well as my own time my current employer will allocate me a set amount of time to ensure the project achieves its milestones. The end result will make WebScarab NG a much more powerful testing tool and will be a great asset to the OWASP community. With continued development and input from the community I see no reason why WebScarab NG cannot rival commercial testing application features, usability, and business benefit. Increasing WebScarab's features will result in increased community awareness bringing in extra developers, ensuring continual development and so the cycle starts again.