Using BDD-Security to test WebServices Authorization Rules?

Stephen de Vries just pointed me to BDD-Security which looks pretty powerful (BDD is definitely something I want to get more into).

Here are a couple references for BDD-Security:

• Example of Matrices and BDD stories / scenarios - Access control should be enforced on the server side and should matche the authorisation model for this application
• Jenkins integration with BDD Security  
• Step 0: Running BDD Security before you build your web application 
• Tutorial  (checkout the Burp integration)
• Video of Example Run
• Two more videos ('Configuring BDD-Security to Login to an application', 'Scanning the application using Burp Suite')
• https://github.com/stephendv/bdd-security - el code

I'm in :)

... now let's make this work: what is the best way to integrate BDD-Security with a .NET app like TeamMentor? 

I see a couple things to figure out:

• Execute the BDD-Security tests outside Eclipse
• Write the stories in a .Net environment (like O2, VisualStudio, MonoDevelop, SharpDevelop, LinqPad, etc...)
• Find a way to convert the 'TeamMentor spreadsheet rules' into BDD security rules (in fact before we do that , we need to have working BDD tests for each of the WebServices (since most need state in order to even be executed))
• I wonder if I could use IKVM or Sharpen or other to be able to run BDD-Security natively in .NET? :)

The way I'm looking at this, we need:

• The official 'these are the business rules' mappings (in a consumable format like the spreadsheet below)
• The static analysis of the code that extracts the current behaviour from the code (which in TeamMentor are implemented as CAS Security Demands)
• The Dynamic invocation of the webservices methods (i.e. the attack surface)
• The analysis of all this data (with the blind spots being vulnerabilities)

Update: see Stephen's Response to using BDD Security to test WebServices

Related Posts:

• Documenting how to test WebServices using scripts - the story so far