BDD-Security is a security testing framework that uses Behaviour Driven Development concepts to create self-verifying security specifications.
The framework is essentially a set of Cucumber-JVM features that are pre-wired with Selenium/WebDriver, OWASP ZAP, SSLyze and Tennable's Nessus scanner.
It tests Web Applications and API's from an external point of view and does not require access to the target source code.
- Cucumber-JVM replaced JBehave
- Gradle replaced Ant
- Rearranged files to fit Gradle/Maven conventions
- Removed command line runners. Tests run from gradle
Legacy JBehave version is available on the jbehave branch
- Integrated with OWASP ZAP 2.4.3.
- Support setting an API KEY for ZAP
- HtmlUnitDriver support, it is also the default driver if no other driver is specified in config.xml. BIG speed improvements.
- Support for testing non-browser based web services and APIs. See the getting started guide for more details.
- Removed all TestNG tests.
- Moved tables that are auto-generated during startup into the stories/auto-generated folder. Tables that are user editable stay in the stories/tables folder.
- Hosts and expected open ports are defined in the config.xml. Nessus and port scanning stories now read the target data from these files
- Moved the Nessus false positives to tables/nessus.false_positives.table
- Moved the OWASP ZAP false positives to tables/zap.false_positives.table
- Fixed bug in the portscan story
- Enabled portscanning of multiple hosts