Friday 4 May 2012

Using BDD-Security to test WebServices Authorization Rules?

Stephen de Vries just pointed me to BDD-Security which looks pretty powerful (BDD is definitely something I want to get more into).

Here are a couple references for BDD-Security:

I'm in :)

... now let's make this work: what is the best way to integrate BDD-Security with a .NET app like TeamMentor? 

I see a couple things to figure out:
  • Execute the BDD-Security tests outside Eclipse
  • Write the stories in a .Net environment (like O2, VisualStudio, MonoDevelop, SharpDevelop, LinqPad, etc...)
  • Find a way to convert the 'TeamMentor spreadsheet rules' into BDD security rules (in fact before we do that , we need to have working BDD tests for each of the WebServices (since most need state in order to even be executed))
  • I wonder if I could use IKVM or Sharpen or other to be able to run BDD-Security natively in .NET? :)
The way I'm looking at this, we need:
  • The official 'these are the business rules' mappings (in a consumable format like the spreadsheet below)
  • The static analysis of the code that extracts the current behaviour from the code (which in TeamMentor are implemented as CAS Security Demands)
  • The Dynamic invocation of the webservices methods (i.e. the attack surface)
  • The analysis of all this data (with the blind spots being vulnerabilities)
Related Posts: