Key Features

  • Free and open source automated testing framework for security
  • Ready to run on a continuous integration server, as part of the build/test/deploy process
  • Upgrade DevOps to SecDevOps
  • Generate reports that can easily be viewed and understood by business and security users
  • Tests are run dynamically against a deployed application; no need to access your source code

How it works

Choose a basic architecture to start with, and test specific functional and non-functional security requirements.

Security features are defined up front and are exposed to the whole team (developers, operations and security), and they can be tested at a moment's notice. Ideally they would be run on a continuous integration server.

The framework is architected so that the security features and the application-specific navigation logic are independent. This means that the same security requirements can be applied to multiple applications with minimal or no changes to the requirements themselves. Navigation logic goes into an application-specific class file. This is similar in spirit to the page object pattern in that navigation is abstracted, but we don't use separate objects for each page.


BDD-Security does not need access to your source code to run its tests! Although the BDD tests are backed by Java, they are all executed over the network against a running instance of your app. The app under test can be written in any language and framework. If it talks HTTP/S, BDD-Security can test it.

BDD-Security is written in Java and based on Cucumber, Selenium 2 (WebDriver), OWASP ZAP and a number of other security tools. This means that any automated testing can be performed, while describing the actions in an easily understandable format.
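The separation described above, written out as an added example (this is illustration code, not BDD-Security's own source): the security requirement lives in Cucumber step definitions that talk only to an `Application` contract, while the application-specific navigation logic (here a hypothetical `ShopApplication`, with assumed URL and element ids) implements that contract with WebDriver. Swapping in a different application means writing a new `Application` implementation, not touching the requirement. The constructor injection of `Application` into the step class assumes a Cucumber dependency-injection module such as PicoContainer is configured.

```java
// Added example, not BDD-Security's own code. Assumptions: the Application
// interface, ShopApplication, its URL and element ids, and DI for the step class.
//
// Feature text this satisfies (constructed for the example):
//   Scenario: Wrong password is rejected
//     Given the login page is shown
//     When the user "bob" logs in with password "not-the-password"
//     Then the user should not be logged in

import io.cucumber.java.en.Given;
import io.cucumber.java.en.Then;
import io.cucumber.java.en.When;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;

/** Contract the security features rely on; each application under test implements it. */
interface Application {
    void navigateToLogin();
    void login(String username, String password);
    boolean isLoggedIn();
    void logout();
}

/** Application-specific navigation logic for a hypothetical shop front end (assumed). */
class ShopApplication implements Application {
    private final WebDriver driver;

    ShopApplication(WebDriver driver) {
        this.driver = driver;
    }

    @Override
    public void navigateToLogin() {
        driver.get("https://shop.example.test/login"); // assumed URL of the app under test
    }

    @Override
    public void login(String username, String password) {
        driver.findElement(By.id("username")).sendKeys(username);   // assumed element ids
        driver.findElement(By.id("password")).sendKeys(password);
        driver.findElement(By.id("login-button")).click();
    }

    @Override
    public boolean isLoggedIn() {
        // A visible logout link is this app's signal of an authenticated session.
        return !driver.findElements(By.id("logout-link")).isEmpty();
    }

    @Override
    public void logout() {
        driver.findElement(By.id("logout-link")).click();
    }
}

/** The security requirement, written once against the Application contract only. */
public class AuthenticationSteps {
    private final Application app;
    private String attemptedUser;

    // Injected by the configured Cucumber DI module (assumed); the step class never
    // sees WebDriver or any page structure directly.
    public AuthenticationSteps(Application app) {
        this.app = app;
    }

    @Given("the login page is shown")
    public void theLoginPageIsShown() {
        app.navigateToLogin();
    }

    @When("the user {string} logs in with password {string}")
    public void userLogsIn(String user, String password) {
        attemptedUser = user;
        app.login(user, password);
    }

    @Then("the user should not be logged in")
    public void userShouldNotBeLoggedIn() {
        if (app.isLoggedIn()) {
            throw new AssertionError(
                "Login succeeded for '" + attemptedUser + "' with an invalid password");
        }
    }
}
```

The point of the split is that `AuthenticationSteps` encodes the requirement (a wrong password must not produce a session) and nothing else; everything that knows where the login form is or how a session manifests sits in `ShopApplication`, so a second application under test only needs its own `Application` implementation.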


Testable Security requirements for DevOps

One of the guiding principles of DevOps is taking a systems approach to building services by breaking down the division between development and operations. This approach works equally well with security, and if we want to include security in the development and operations processes, then the security requirements and acceptance criteria should be exposed to, and understandable by those teams.

Security requirements are defined in one place, and can be tested on demand at any time, or even continuously.

Cucumber Compatible


BDD-Security reports are presented in Cucumber's native JSON, XML and HTML formats in the build/reports/cucumber directory.

Prettier HTML reports are also generated by the cucumber-reporting project in the build/reports/cucumber/pretty directory.

Standard JUnit reports are also generated if the "test" task is executed, in build/test-results.

  • The feature overview presents a summary of the test run.
  • Functional features, such as the authorisation and access control feature, provide a clear and detailed description of the tests.
  • The automated scanning feature lists the results of the ZAP scans.

Continuous Integration Tool

BDD-Security jobs can be run as a shell script or Gradle test from CI servers like Jenkins. The Jenkins Cucumber reporting plugin can be used to display the HTML reports.
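One thing a CI job usually wants beyond displaying the reports is a hard gate: the build should fail when any security scenario failed, and it should also fail when the report contains no passed steps at all, since a run that executed nothing would otherwise look green. The following is an added example (not BDD-Security's own code or part of its Gradle build) that reads the Cucumber JSON report from build/reports/cucumber and returns a non-zero exit status in either case. The file name `cucumber.json` and the embedded sample report are constructed assumptions; the scan uses a regular expression on the `"status"` fields rather than a JSON library so that it has no dependencies.

```java
// Added example, not BDD-Security's own code. Assumptions: the report file name
// and the SAMPLE report below are constructed; the gate scans Cucumber's
// "status": "<value>" result fields with a regex instead of parsing JSON fully.

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class CucumberReportGate {
    // Matches the result status of each step or hook in the Cucumber JSON output.
    private static final Pattern STATUS = Pattern.compile("\"status\"\\s*:\\s*\"(\\w+)\"");

    // Constructed sample: one passing and one failing step, so the gate rejects it.
    static final String SAMPLE = "[{\"name\":\"Authentication\",\"elements\":[{\"name\":\"Wrong password is rejected\","
        + "\"steps\":[{\"name\":\"the login page is shown\",\"result\":{\"status\":\"passed\"}},"
        + "{\"name\":\"the user should not be logged in\",\"result\":{\"status\":\"failed\","
        + "\"error_message\":\"Login succeeded for 'bob' with an invalid password\"}}]}]}]";

    /** Counts how many result fields carry the given status (passed, failed, skipped, ...). */
    static int countStatus(String reportJson, String wanted) {
        Matcher m = STATUS.matcher(reportJson);
        int n = 0;
        while (m.find()) {
            if (m.group(1).equals(wanted)) {
                n++;
            }
        }
        return n;
    }

    /** The gate: no failed steps, and at least one passed step so an empty run cannot pass. */
    static boolean passes(String reportJson) {
        return countStatus(reportJson, "failed") == 0 && countStatus(reportJson, "passed") > 0;
    }

    public static void main(String[] args) throws IOException {
        // Default path is where BDD-Security writes Cucumber's native reports (file name assumed).
        Path report = Paths.get(args.length > 0 ? args[0] : "build/reports/cucumber/cucumber.json");
        String json = Files.exists(report)
            ? new String(Files.readAllBytes(report), StandardCharsets.UTF_8)
            : SAMPLE; // fall back to the constructed sample so the example runs stand-alone

        int failed = countStatus(json, "failed");
        int passed = countStatus(json, "passed");
        System.out.println("passed steps: " + passed + ", failed steps: " + failed);

        // Non-zero exit makes Jenkins (or any CI server) mark the job as failed.
        System.exit(passes(json) ? 0 : 1);
    }
}
```

Run it as a post-test step of the job (for example `java CucumberReportGate build/reports/cucumber/cucumber.json`); with the embedded sample it exits 1 because of the failed step. The "at least one passed step" condition is the part worth keeping: misconfigured Cucumber glue or a wrong feature path produces a report with only undefined or skipped steps, and without that condition the security gate would wave such a run through.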
