OK, so after a bit of trouble I managed to get it working on my Vagrant
instance.

Here's a brief summary of what I learned:
* It uses a MongoDB backend with Python and Flask as a front-end
* There are plugins that implement certain tests (e.g., nmap, skipfish)
* Plans are combinations of plugins, basically a test plan
* Sites are added into groups, and are then assigned plans
* Finally, you run plans on the frontend and they're run by a celery job queue

From the looks of it, I don't think this would be particularly useful for
individual developers, because many of the tests require a full TLS setup
and whatnot.

What might be useful is to have a security instance running MediaWiki with
a similar setup to the actual en-wiki, and then have Minion running on an
instance and have it run the tests that way. Unfortunately, I don't know
how we would manage users (since it doesn't have LDAP integration) or when
we would run these tests (I'd imagine there wouldn't be a need to run them
on every change).

Thoughts?

-- 
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
www.whizkidztech.com | tylerro...@gmail.com


On Wed, Jul 31, 2013 at 2:39 PM, Chris Steipp <cste...@wikimedia.org> wrote:

> On Wed, Jul 31, 2013 at 11:23 AM, Tyler Romeo <tylerro...@gmail.com>
> wrote:
> > Hey all,
> >
> > Mozilla made an announcement yesterday about a new framework called Minion:
> >
> > http://blog.mozilla.org/security/2013/07/30/introducing-minion/
> > https://github.com/mozilla/minion
> >
> > It's an automated security testing framework for use in testing web
> > applications. I'm currently looking into how to use it. Would there be any
> > interest in setting up such a framework for automated security testing of
> > MediaWiki?
>
> I'm definitely interested in seeing if we can leverage something like
> this. I'm not sure where it would fit alongside our current automated
> testing, but I think it would be valuable to at least take a closer
> look. And it's nice to see they're supporting ZAP and skipfish,
> although unless they allow for more detailed configurations, both take
> ages to completely scan a MediaWiki install.
>
> If you get it running, please share your experience.
>
> > -- 
> > Tyler Romeo
> > Stevens Institute of Technology, Class of 2016
> > Major in Computer Science
> > www.whizkidztech.com | tylerro...@gmail.com
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>