Remove outdated security tool development section
The security SIG hasn't maintained the two projects listed under the "Security tool development" section in quite a while. This change removes the section entirely since the information it has is no longer relevant to the security SIG. Change-Id: I49aee997751b2b4f7ca6e879883a85c56087c0a1
This commit is contained in:
Gage Hugo
parent
0e4118d19e
commit
d4785ae6fd
|
|
@ -222,56 +222,3 @@ information. Specifically, they are responsible for the following functions:
|
|||
researchers who responsibly report issues in OpenStack.
|
||||
|
||||
See :doc:`vmt-process` for details on our open process.
|
||||
|
||||
|
||||
Security tool development
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The Security project are constantly looking at ways to introduce tooling and
|
||||
automation to improve the overall security of OpenStack projects. Some of these
|
||||
projects are outlined below.
|
||||
|
||||
Bandit - static analysis for Python
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Bandit is a security static analysis tool for Python source code, utilizing the
|
||||
ast module from the Python standard library. The **ast** module is used to
|
||||
convert source code into a parsed tree of Python syntax nodes. Bandit allows
|
||||
users to define custom tests that are performed against those nodes. At the
|
||||
completion of testing, a report is generated that lists security issues
|
||||
identified within the target source code.
|
||||
|
||||
Bandit is currently a stand-alone tool which can be downloaded by end-users and
|
||||
run against arbitrary source code. Although early in development it is already
|
||||
adding value to the OpenStack code base with several projects leveraging it
|
||||
in their CI gate tests. As the project matures the desire is to see widespread
|
||||
adoption of Bandit in the OpenStack community.
|
||||
|
||||
Bandit can be obtained by cloning the `repository <https://git.openstack.org/openstack/bandit.git>`_.
|
||||
The README.rst file contains documentation regarding installation, usage,
|
||||
and configuration.
|
||||
|
||||
* `Bandit Git Repository <https://git.openstack.org/cgit/openstack/bandit>`_
|
||||
* `Bandit Gerrit <https://review.openstack.org/#/q/bandit,n,z>`_
|
||||
* `Bandit Launchpad <https://bugs.launchpad.net/bandit>`_
|
||||
|
||||
Syntribos - Python API security testing tool
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Syntribos is an open source automated API security testing tool that is
|
||||
maintained by members of the `OpenStack Security Project <https://wiki.openstack.org/wiki/Security>`_.
|
||||
|
||||
Given a simple configuration file and an example HTTP request, syntribos
|
||||
can replace any API URL, URL parameter, HTTP header and request body
|
||||
field with a given set of strings. Syntribos iterates through each position
|
||||
in the request automatically. The tool aims to automatically detect common
|
||||
security defects such as SQL injection, LDAP injection, buffer overflow, etc.
|
||||
In addition, it can be used to help identify new security defects
|
||||
by automated fuzzing.
|
||||
|
||||
Syntribos can be installed directly from `pypi with pip <https://pypi.python.org/pypi/pip>`_.
|
||||
|
||||
* `Syntribos developer documentation <http://docs.openstack.org/developer/syntribos/>`_
|
||||
* `Syntribos Git Repository <https://git.openstack.org/cgit/openstack/syntribos>`_
|
||||
* `Syntribos Gerrit <https://review.openstack.org/#/q/syntribos,n,z>`_
|
||||
* `Syntribos Launchpad <https://bugs.launchpad.net/syntribos>`_
|
||||
|
|
|
|||
Loading…
Reference in New Issue