On Thu, Sep 12, 2013 at 10:17 AM, Thomas Biege <thomas at suse.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> ...
> my team made fuzz tests about one year ago using
> https://gitorious.org/test-suite/test-suite/source/1809ffcf2684e53e073e00aeb356b9710969aff2:fuzz_xmlrpc.pl ,
> other tools and manual requests.
>
> Everything we found was put into the bug tracking system.
> Unfortunately I cannot remember the details.
>
> There is also a blueprint for automatic security testing:
> https://blueprints.launchpad.net/marconi/+spec/security-testing-basic

This is good. It needs to be done with every change to the web gear, which
probably means continuous testing. Here's some stuff that was suggested to
me for continuous web app testing in the past:

https://www.whitehatsec.com/sentinel_services/sentinel_services.html
http://www1.contrastsecurity.com/
https://code.google.com/p/threadfix/

Since HP is active on the project, I would expect Fortify to be available.

Jeff

> On 12.09.2013 12:15, André Van Daele wrote:
>> Hi,
>>
>> I do not know if this is the correct place to post this question.
>> Then please feel free to point me in the right direction.
>>
>>
>> My question: Is there any kind of fuzzing done on the standard
>> OpenStack APIs? These tests could have been performed by a tool
>> called radamsa or defensics or others.
>>
>> And in case any vulnerabilities are found, are they fed back to the OpenStack
>> community for fixes?
>>
>> Brgds, André Van Daele
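The thread above asks whether the OpenStack APIs get fuzzed (radamsa, Defensics, the fuzz_xmlrpc.pl script) and notes that it only helps if it runs on every change. As an added illustration, not part of this thread and not code from Marconi or any OpenStack project, here is a small mutation-fuzzing harness in Python in the spirit of that discussion: it starts from one valid JSON request, applies radamsa-style byte mutations and JSON shape/type mutations, and reports every input on which the endpoint crashes (an uncaught exception, which the client sees as HTTP 500) rather than rejecting it cleanly with a 400. The endpoint `toy_create_queue` is a constructed stand-in with deliberate defects, the seed request `VALID_REQUEST` is made up, and all function names are this example's own.

```python
"""Minimal mutation fuzzer for a JSON API endpoint (added example, not project code)."""
import json
import random

# Constructed seed input: a valid request the endpoint accepts. Not a real Marconi payload.
VALID_REQUEST = {"metadata": {"name": "fuzz-q"}, "ttl": 3600}


def toy_create_queue(body: bytes):
    """Constructed stand-in for a JSON endpoint, with two deliberate defects the fuzzer
    should surface: it trusts the request shape, and it raises on a negative ttl
    instead of answering 400. Returns (status, response_body)."""
    try:
        req = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, b"malformed JSON"
    name = req["metadata"]["name"]        # KeyError / TypeError on an unexpected shape
    ttl = int(req["ttl"])                 # ValueError / TypeError on an unexpected type
    if ttl < 0:
        raise ValueError("negative ttl")  # escapes as a crash rather than a 400
    return 201, json.dumps({"name": str(name), "ttl": ttl}).encode()


def run_case(handler, body: bytes):
    """Call the handler the way the WSGI layer would: any uncaught exception is what
    the client sees as HTTP 500, and that is the signal the fuzzer looks for."""
    try:
        status, _ = handler(body)
        return {"status": status, "body": body, "error": None}
    except Exception as exc:  # the harness wants every crash, whatever its type
        return {"status": 500, "body": body, "error": repr(exc)}


def mutate_bytes(rng, data: bytes) -> bytes:
    """radamsa-style byte mutations: flip a byte, delete a run, insert junk, repeat a chunk."""
    data = bytearray(data)
    for _ in range(rng.randrange(1, 4)):
        choice = rng.randrange(4)
        if choice == 0 and data:
            i = rng.randrange(len(data))
            data[i] ^= rng.randrange(1, 256)
        elif choice == 1 and data:
            i = rng.randrange(len(data))
            del data[i:i + rng.randrange(1, 8)]
        elif choice == 2:
            i = rng.randrange(len(data) + 1)
            data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
        else:
            i = rng.randrange(len(data) + 1)
            j = min(len(data), i + rng.randrange(1, 32))
            data[j:j] = data[i:j] * rng.randrange(2, 50)
    return bytes(data)


def mutate_structure(rng, doc: dict) -> bytes:
    """Shape and type mutations on the parsed JSON, which byte mutations rarely reach
    because most of them simply break the syntax and earn a (correct) 400."""
    doc = json.loads(json.dumps(doc))  # deep copy so the seed stays intact
    key = rng.choice(list(doc))
    choice = rng.randrange(4)
    if choice == 0:
        del doc[key]                                                         # missing field
    elif choice == 1:
        doc[key] = rng.choice([None, [], {}, "", 1e308, True, "x" * 4096])  # wrong type
    elif choice == 2:
        doc["ttl"] = rng.choice([-1, 0, 2**31, 2**63, -2**63])              # int boundaries
    else:
        doc["metadata"] = rng.choice(["str", 42, [], None])                 # non-object
    return json.dumps(doc).encode()


def fuzz_endpoint(handler, seed_doc: dict, seed: int = 0, iterations: int = 500):
    """Run the fuzz loop and return one record per distinct crash signature.
    A fixed seed makes a failing CI run reproducible."""
    rng = random.Random(seed)
    seed_bytes = json.dumps(seed_doc).encode()
    findings = {}
    for _ in range(iterations):
        if rng.random() < 0.5:
            body = mutate_structure(rng, seed_doc)
        else:
            body = mutate_bytes(rng, seed_bytes)
        result = run_case(handler, body)
        if result["status"] >= 500 and result["error"] not in findings:
            findings[result["error"]] = result
    return list(findings.values())


if __name__ == "__main__":
    for finding in fuzz_endpoint(toy_create_queue, VALID_REQUEST, seed=7):
        print(finding["error"], "<-", finding["body"][:80])
```

To point this at a running service, replace `run_case` with an HTTP client call and keep the same rule: a 4xx is the endpoint doing its job, any 5xx (or a connection drop) is a finding to file with the exact request bytes. Keeping the seed fixed and running the loop in the gating test job is what turns a one-off fuzz session into the continuous testing the reply above asks for.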