Replies: 5 comments
-
Summon @miriamgreis
-
Great idea. This will make basic API security testing much more accessible if Portman supports this out-of-the-box.
-
Is it possible to support the top 10? https://owasp.org/www-project-api-security/
-
OWASP ZAP already handles this and also takes in an OAS doc. It supports a lot of scan rules, some of which don't necessarily apply to REST APIs (but if you run it and specify it's an API it will adjust). While I think additional tests are interesting, I would personally probably always keep this off and just run the Docker version of OWASP ZAP. If this does get added, it may be interesting to consider some sort of plugin model for Portman, where it's not "all built in" but instead has "test generation plugins" - one plugin generates contract tests, one plugin generates security tests... and if you want to add your own plugins, you can. That'd potentially be a pretty big lift from an internals perspective, but I think it'd be valuable going forward - now folks want some other kind of test generated? Add a plugin. Need to test the various test generators in isolation? Add/remove plugins.
-
@tillig A plugin model, where it is possible to extend the Portman core with specific extensions, would be a great way to facilitate the specific needs of the community. It would also mean a large rework on the internals, so something we could take into account when modernising Portman.
-
This article in APIs You Won't Hate triggered me to think about automatically adding some OWASP variation tests by Portman.
Questions:
Looking for some input from the community: @nicklloyd @danielkocot @tillig @savage-alex
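To make the idea concrete, the following is what OWASP API Top 10 style checks could look like today, expressed with Portman's existing variation-test mechanism in a `portman-config.json`. This is an added illustration, not code from the Portman project and not a proposal from any participant in this thread. The operation selector (`*::/users/*`), the `Authorization` header, the `id` path parameter, the `otherUserId` Postman variable and the expected status codes (401 for missing or invalid credentials, 403 for access to another user's object) are assumptions about a hypothetical API; the config keys are used as documented for Portman's variation tests, so check them against the Portman version you run.

```json
{
  "variationTests": [
    {
      "openApiOperation": "*::/users/*",
      "variations": [
        {
          "name": "BrokenAuth_NoCredentials",
          "openApiResponse": "401",
          "overwrites": [
            {
              "overwriteRequestHeaders": [
                { "key": "Authorization", "remove": true }
              ]
            }
          ],
          "tests": {
            "contractTests": [
              { "statusCode": { "enabled": true, "code": 401 } },
              { "schemaValidation": { "enabled": true } }
            ]
          }
        },
        {
          "name": "BrokenAuth_InvalidToken",
          "openApiResponse": "401",
          "overwrites": [
            {
              "overwriteRequestHeaders": [
                {
                  "key": "Authorization",
                  "value": "Bearer this-token-is-not-valid",
                  "overwrite": true
                }
              ]
            }
          ],
          "tests": {
            "contractTests": [
              { "statusCode": { "enabled": true, "code": 401 } }
            ]
          }
        },
        {
          "name": "BOLA_OtherUsersObject",
          "openApiResponse": "403",
          "overwrites": [
            {
              "overwriteRequestPathVariables": [
                { "key": "id", "value": "{{otherUserId}}", "overwrite": true }
              ]
            }
          ],
          "tests": {
            "contractTests": [
              { "statusCode": { "enabled": true, "code": 403 } },
              { "schemaValidation": { "enabled": true } }
            ]
          }
        }
      ]
    }
  ]
}
```

Each variation becomes its own Postman request next to the normal contract tests: the first two drop or corrupt the bearer token and assert that the API refuses the call (OWASP API2, broken authentication), the third keeps valid credentials but swaps in an object id belonging to a different user and asserts the API does not serve it (OWASP API1, broken object level authorization). `openApiResponse` tells Portman which response definition from the OpenAPI document to validate the variation against, so the `schemaValidation` checks only work if the spec actually declares 401 and 403 responses for those operations; a spec that does not declare them is itself a finding worth raising. Which status code a given API returns for the BOLA case (403 versus 404 to avoid leaking object existence) depends on that API, so the expected code should be set per operation rather than assumed globally.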