Mozilla Developing Open Source Security Testing Framework – Minion

Dubbed Minion, the framework's beta version is due to launch this quarter. Among the testing tools incorporated into the framework are Nmap, OWASP's Zed Attack Proxy (ZAP) and Skipfish, and Mozilla plans to add more plugins as development progresses.

Yvan Boily, security developer at Mozilla, describes Minion on his personal blog as a framework meant "to do horrible things to the applications and services" that developers write. Using Minion, developers can find security issues early in development rather than only in the final phase of testing.

Mozilla aims to offer the framework as a Security-as-a-Service platform and wants Minion's functionality to be as easy to use as "the push of a button". The developers are not designing the framework as merely an information-gathering tool; they are also defining result formats from which meaningful information can be extracted. The team is building the framework around REST APIs and modern web standards.

“By building Minion around REST APIs and modern web standards, it is possible to build any kind of mashup you can think of with the data that Minion collects and the results it tracks”, notes Boily.

“Want to create a fancy dashboard for C-Level executives? Minion should allow that. Want to write a module to automate generating a report worthy of a typical audit firm? Minion should allow you to do that! Want to perform data mining to find out vulnerabilities that are most common in the applications you test? Minion should allow that!”

The developer acknowledges that, beyond legitimate developers, attackers could also use the framework to find vulnerabilities in websites. To address this, Mozilla plans to build in a check that the website's operator has actually requested a security test before the service runs one.
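The article says only that the service will check whether the site operator requested the test, not how. The following is an added example, not Minion's own code, of one common way a scanning service can implement such a gate: it issues a per-account, per-target token, the operator publishes it in a DNS TXT record, and the service verifies the record before queuing any scan. The record format (`scan-verify=`), the function names, the service secret and the DNS data are all assumptions constructed for the example; DNS is replaced by an in-memory table so it runs offline.

```python
"""Authorization gate for a scanning service (illustrative, not Minion's code)."""
import hashlib
import hmac
from typing import Callable, Iterable, List

# Secret known only to the scanning service. Constructed value for the
# example; a real deployment loads it from a secret store.
SERVICE_SECRET = b"example-service-secret-not-for-production"

# Hypothetical TXT record format the operator must publish.
RECORD_PREFIX = "scan-verify="


def issue_token(account_id: str, target: str) -> str:
    """Token the operator publishes to prove they requested a scan.

    Bound to both the requesting account and the target host, so a token
    issued for one site cannot be replayed to authorize scanning another,
    and a token handed to one account does not work for a different one.
    """
    msg = f"{account_id}\x00{target.lower().strip('.')}".encode()
    return hmac.new(SERVICE_SECRET, msg, hashlib.sha256).hexdigest()


def candidate_zones(hostname: str) -> Iterable[str]:
    """Yield the host itself, then each parent zone down to the registrable
    domain (app.example.com -> example.com), so the operator may publish the
    proof at the apex. This simple version does not consult the public
    suffix list; it only stops before the last label."""
    labels = hostname.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def is_scan_authorized(
    account_id: str,
    target: str,
    txt_lookup: Callable[[str], List[str]],
) -> bool:
    """Return True only if a TXT record carrying the expected token exists
    for the target or one of its parent zones."""
    expected = issue_token(account_id, target)
    for zone in candidate_zones(target):
        for record in txt_lookup(zone):
            if not record.startswith(RECORD_PREFIX):
                continue
            published = record[len(RECORD_PREFIX):].strip()
            # constant-time comparison; avoids leaking token prefixes
            if hmac.compare_digest(published, expected):
                return True
    return False


# Constructed, in-memory stand-in for DNS TXT lookups so the example runs
# offline. A real service would perform an actual DNS query here.
FAKE_TXT_RECORDS = {
    "example.com": [
        "v=spf1 -all",
        RECORD_PREFIX + issue_token("acct-42", "example.com"),
    ],
    "app.example.com": [
        RECORD_PREFIX + issue_token("acct-42", "app.example.com"),
    ],
    "unrelated.example": ["v=spf1 -all"],
}


def fake_txt_lookup(zone: str) -> List[str]:
    """Stand-in resolver returning the constructed records for a zone."""
    return FAKE_TXT_RECORDS.get(zone, [])


if __name__ == "__main__":
    for acct, host in [
        ("acct-42", "example.com"),
        ("acct-42", "app.example.com"),
        ("acct-99", "example.com"),        # token belongs to another account
        ("acct-42", "unrelated.example"),  # no proof published at all
    ]:
        print(f"{acct} -> {host}: {is_scan_authorized(acct, host, fake_txt_lookup)}")
```

The token is bound to the exact target host, so a proof published for `example.com` does not by itself authorize scanning `app.example.com`; each target needs its own token, which keeps the blast radius of a leaked token to a single host. Because the check runs before the job is queued, a request for a host whose operator never published a record is refused without any packet reaching the target.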

Boily has given some insights into the framework through this video.