Alan Parkinson
@alan_parkinson
Automated Security Testing
Disclaimer!
I'm NOT a Security Expert, but a developer passionate about quality
Why the interest in Security?
● New Project - E-commerce
● Compliance
  ● PCI
  ● Privacy
● Ethics
● No site is too small to break into
● Security Testing is expensive
Security Tools
● Attack Proxies: Sit between the Tester and Application
  ● Searches for patterns in HTTP traffic
  ● Help manual penetration testers
  ● Change values in HTTP traffic
● 3rd Party OnDemand scanning services
  ● Often for PCI compliance
Zed Attack Proxy (ZAP)
● Open Source project forked from Paros Proxy
● Released in 2010 and OWASP top level project
● Easy to use Penetration testing tool – All Skill Levels
● Features:
  ● Passive scanning of HTTP traffic
  ● Active scanning of Web Apps
  ● Spiders, Fuzzing, Brute force and many more....
Getting Started with ZAP
Beyond Passive Scanning
● Use on Test Environments ONLY
● Active Scanning
● Spider vs Browser
  ● Real life Browser tests discover RESTful services
  ● Automated Browser Tests can teach ZAP
Converting Browser Tests
Using the ZAP HTTP Proxy
Group test execution based on user roles
Integrating ZAP into the build
RESTful API
Ant tasks
Maven Plugin
Session management: New, Save and Open
Tasks: Spider and Active Attack
Results: Ignoring rules and Failing the build
False Positives/Negatives
Humans are not out of a job
Some types of Security Vulnerabilities require Intelligence
CI: the false positives to ignore are passed as parameters to the Ant tasks
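As an added example (not code from the talk or from the ZAP project), the build gate the slides describe: a helper that forms ZAP REST API calls in ZAP's JSON URL layout, and the "ignore rules, then fail the build" step run over a constructed sample of the alert JSON ZAP returns. The ignore-rule shape (plugin id plus optional URL pattern), the `fail_on` threshold and the sample findings are assumptions for this example.

```python
import json
import re
from collections import Counter
from urllib.parse import urlencode

# ZAP risk levels as reported in core/view/alerts, lowest to highest.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]

def api_url(host, port, component, kind, name, **params):
    """Form a ZAP REST API call, e.g. /JSON/ascan/action/scan/?url=... (ZAP's URL layout)."""
    query = "?" + urlencode(params) if params else ""
    return f"http://{host}:{port}/JSON/{component}/{kind}/{name}/{query}"

# Constructed sample of what core/view/alerts returns after a spider plus active scan;
# the field names follow ZAP's alert format, the findings themselves are made up.
SAMPLE_ALERTS = json.loads("""{"alerts": [
 {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
  "url": "http://test.example/static/app.js", "param": "X-Content-Type-Options"},
 {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
  "url": "http://test.example/search?q=x", "param": "q"},
 {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
  "url": "http://test.example/product?id=1", "param": "id"},
 {"pluginId": "10016", "alert": "Web Browser XSS Protection Not Enabled", "risk": "Low",
  "url": "http://test.example/", "param": ""}
]}""")

def is_ignored(alert, ignore_rules):
    """Assumed rule shape: (pluginId, url_regex or None). Scoping an exclusion to a URL
    pattern keeps one reviewed false positive from silencing that plugin site-wide."""
    return any(alert["pluginId"] == plugin_id and (pattern is None or re.search(pattern, alert["url"]))
               for plugin_id, pattern in ignore_rules)

def gate_build(alerts_json, ignore_rules=(), fail_on="Medium"):
    """Drop ignored alerts, then fail if any remaining alert is at or above fail_on.
    Returns (passed, per-risk counts of kept alerts, the alerts that caused the failure)."""
    threshold = RISK_ORDER.index(fail_on)
    kept = [a for a in alerts_json["alerts"] if not is_ignored(a, ignore_rules)]
    failing = [a for a in kept if RISK_ORDER.index(a["risk"]) >= threshold]
    return (not failing, dict(Counter(a["risk"] for a in kept)), failing)

def report(alerts_json, ignore_rules=(), fail_on="Medium"):
    """Plain-text summary for the CI log; excluded alerts are listed too, so the
    exclusion list stays visible instead of growing 'trigger happy' unnoticed."""
    passed, counts, failing = gate_build(alerts_json, ignore_rules, fail_on)
    lines = [f"ZAP gate: {'PASS' if passed else 'FAIL'} (fail on {fail_on}+), kept by risk: {counts}"]
    lines += [f"  FAIL {a['risk']:<6} {a['pluginId']} {a['alert']} at {a['url']} [{a['param']}]" for a in failing]
    lines += [f"  ignored {a['pluginId']} {a['alert']} at {a['url']}"
              for a in alerts_json["alerts"] if is_ignored(a, ignore_rules)]
    return "\n".join(lines)
```

In a real build the alert JSON would come from a GET of `api_url(host, port, "core", "view", "alerts")` once the spider and active scan report complete, and a FAIL result would set a non-zero exit code.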
Manual Testing (workflow diagram): Start ZAP → Run Browser Tests → Active Scan → Check Results → Save Session → Stop ZAP
Build Integration – Stage 1
Nightly Build with Passive and Active Scanning. The ZAP session is saved for
analysis by a human
Not fast feedback, but accurate results
Build Integration – Stage 2
Same Nightly Build with human analysis
Passive scanning in Continuous Build
Fast feedback, but for simple issues only
Build Integration – Stage 3
Passive and Active scanning in Continuous Build
Fast feedback but “Trigger Happy” on rule exclusion
Conclusion
● Additional ROI on your tests
● Great for catching...
  ● Injection based attacks: XSS and SQL
  ● HTTP header and Cookie issues
  ● URL Redirect abuse
● False Positives
  ● Can be large for some types of tests
  ● Don't get “Trigger happy” on rule exceptions
Alan Parkinson
@alan_parkinson
Automated Security Testing
Demo: https://github.com/aparkinson/jenkins-webdriver
ZAP: http://code.google.com/p/zaproxy/
OWASP: https://www.owasp.org
Ant Demo: https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml