Mozilla develops Minion security testing framework
The Mozilla Foundation is developing an open source security testing framework called Minion and plans to release a beta version in the first quarter of 2013. Minion will allow developers to subject their web applications to a security check. The framework will exercise target applications with well-established pen testing tools such as OWASP's Zed Attack Proxy (ZAP), Skipfish and Nmap. Further testing tools are planned to be incorporated into the framework as plugins.
Mozilla security developer Yvan Boily writes on his personal blog that Minion is designed for developers – including Mozilla's own team – "to do horrible things to the applications and services they write". The idea is that the tests can be run throughout the development of web sites and services, making developers aware of detected issues as early as possible. The finished version of Minion aims to provide this functionality at "the push of a button". A first impression is available in a presentation video in which Boily demonstrates the framework.
The data generated during testing is to be collected and evaluated. Appropriately, Mozilla's project wiki points out that Minion will need to "be _very_ secure", as it will be "holding very sensitive data", including information on the most widespread security problems. Contributors to the Minion project admit that criminals could use the framework to scan web sites for vulnerabilities. The developers are therefore planning to implement functionality so that, before launching an attack on a web site, the service verifies whether the web site operators have actually requested a test.
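The article does not say how Minion will confirm that a site operator requested a test. The following is an added illustration of one common way such a pre-scan gate can work, not Minion's own code or documented design: the service issues an operator a token bound to their account and target host, the operator publishes it at a well-known path on the site, and the scanner refuses to run until that token is found. The path `/.well-known/scan-authorization.txt`, the function names and the constructed sample site are all assumptions made for this example.

```python
"""Pre-scan authorization gate (added example, not part of the Minion project).

A scanning service should not run its plugins against a host just because a
user typed in its URL. Here the operator who asks for a scan receives a token
that only the service can mint (an HMAC over requester and host), publishes it
on the target site, and the scanner checks for it before doing anything else.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Assumed well-known location where the operator publishes the token.
VERIFY_PATH = "/.well-known/scan-authorization.txt"

Fetcher = Callable[[str], Optional[str]]


def issue_token(service_secret: bytes, requester: str, host: str) -> str:
    """Token handed to the requester. Binding it to requester AND host means
    a token obtained for one site cannot authorize a scan of another."""
    message = f"{requester}|{host}".encode("utf-8")
    return hmac.new(service_secret, message, hashlib.sha256).hexdigest()


def is_authorized(service_secret: bytes, requester: str,
                  target_url: str, fetch: Fetcher) -> bool:
    """True only if the target host currently serves the expected token."""
    host = urlparse(target_url).hostname
    if not host:
        return False
    expected = issue_token(service_secret, requester, host)
    published = fetch(f"https://{host}{VERIFY_PATH}")
    if published is None:
        return False
    # Constant-time comparison so a mismatch leaks nothing about the token.
    return hmac.compare_digest(published.strip(), expected)


def run_scan(service_secret: bytes, requester: str, target_url: str,
             fetch: Fetcher, scanner: Callable[[str], str]) -> Optional[str]:
    """Gate the actual plugin run behind the ownership check.
    Returns the scanner output, or None when the scan is refused."""
    if not is_authorized(service_secret, requester, target_url, fetch):
        return None
    return scanner(target_url)


def make_fetcher(published: Dict[str, str]) -> Fetcher:
    """Offline stand-in for an HTTP GET: `published` maps host -> token body
    that the (constructed) site serves at VERIFY_PATH."""
    def fetch(url: str) -> Optional[str]:
        parsed = urlparse(url)
        if parsed.path != VERIFY_PATH:
            return None
        return published.get(parsed.hostname or "")
    return fetch


if __name__ == "__main__":
    secret = b"constructed-service-secret"          # constructed sample value
    token = issue_token(secret, "alice", "app.example.test")
    fetch = make_fetcher({"app.example.test": token})  # constructed sample site
    noop_scanner = lambda url: f"scanned {url}"

    print(run_scan(secret, "alice", "https://app.example.test/login", fetch, noop_scanner))
    print(run_scan(secret, "alice", "https://other.example.test/", fetch, noop_scanner))
    print(run_scan(secret, "mallory", "https://app.example.test/", fetch, noop_scanner))
```

Because the token is an HMAC under a secret only the service holds, an outsider cannot forge a token for a site they do not control, and because it is bound to the host, a legitimately issued token cannot be repurposed to point the scanner at someone else's site.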