Upload File

automated security testing

17

Click here to load reader

Upload: seleniumconf

Post on 08-May-2015

5.782 views

Category:

Technology


2 download

Report

TRANSCRIPT

Page 1: Automated Security Testing

Alan Parkinson

@alan_parkinson

Automated Security Testing

Page 2: Automated Security Testing

Disclaimer!

I'm NOT a Security Expert, but a developer passionate about quality

Page 3: Automated Security Testing

Why the interest in Security?● New Project - E-commerce● Compliance

● PCI● Privacy

● Ethics● No site is too small to break into

● Security Testing is expensive

Page 4: Automated Security Testing

Security Tools● Attack Proxies: Sit between the Tester and Application

● Searches for patterns in HTTP traffic● Help manual penetration testers● Change values in HTTP traffic

● 3rd Party OnDemand scanning services● Often for PCI compliance

Page 5: Automated Security Testing

Zed Attack Proxy (ZAP)● Open Source project forked from Paros Proxy● Released in 2010 and OWASP top level project● Easy to use Penetration testing tool – All Skill Levels● Features:

● Passive scanning of HTTP traffic● Active scanning of Web Apps● Spiders, Fuzzing, Brute force and many more....

Page 6: Automated Security Testing

Getting Started with ZAP

Page 7: Automated Security Testing

Beyond Passive Scanning● Use on Test Environments ONLY● Active Scanning● Spider vs Browser

● Real life Browser tests discover RESTful services● Automated Browser Tests can teach ZAP

Page 8: Automated Security Testing

Converting Browser Tests

Using the ZAP HTTP Proxy

Group test execution based on user roles

Page 9: Automated Security Testing
Page 10: Automated Security Testing

Integrating ZAP into the build

RESTful APIAnt tasks

Maven Plugin

Session management: New, Save and OpenTasks: Spider and Active Attack

Results: Ignoring rules and Failing the build

Page 11: Automated Security Testing

False Positives/Negatives

Humans are not out of a job

Some types of Security Vulnerabilities require Intelligence

CI: Ignoring false positives are parameters to the Ant tasks

Page 12: Automated Security Testing

Manual TestingRun BrowserTests

Start ZAP

Stop ZAP

Active Scan

CheckResults

SaveSession

Page 13: Automated Security Testing

Build Integration – Stage 1

Nightly Build with Passive and Active Scanning. The ZAP session is saved for

analysis by a human

Not fast feedback, but accurate results

Page 14: Automated Security Testing

Build Integration – Stage 2

Same Nightly Build with human analysis

Passive scanning in Continuous Build

Fast feedback, but for simple issues only

Page 15: Automated Security Testing

Build Integration – Stage 3

Passive and Active scanning in Continuous Build

Fast feedback but “Trigger Happy” on rule exclusion

Page 16: Automated Security Testing

Conclusion● Additional ROI on your tests● Great for catching...

● Injection based attacks: XSS and SQL● HTTP header and Cookie issues● URL Redirect abuse

● False Positives ● Can be large for some types of tests● Don't get “Trigger happy” on rule exceptions

Page 17: Automated Security Testing

Alan Parkinson

@alan_parkinson

Automated Security Testing

Demo: https://github.com/aparkinson/jenkins-webdriverZAP: http://code.google.com/p/zaproxy/OWASP: https://www.owasp.orgAnt Demo: https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml

https://www.owasp.org/

Automated Security Testing - OWASP · Automated Security Testing OWASP Israel 2017 Chapter Meeting 3 April 2017

Continuous Security & privacy Monitoring - PwC · Testing Continuous security & privacy Monitoring Efficiency Savings IT General Controls IT General Controls Automated Controls Testing

Automated testing

Black Box versus White Box: Different App Testing Strategies … · 2020. 6. 8. · Black Box Assessments • Automated application security testing that view the security state of

Security Testing Web Applications throughout Automated ... · Section 7. Testing security in Integration Tests; Section 8. Testing security in Acceptance Tests; Section 9. Conclusion;

Security Testing Web Applications throughout Automated

Security Testing - uni-saarland.de · Security Testing • Introduces you to automated techniques for security testing • Enables you to implement and use such techniques • Aim:

Automated Testing

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery Pipeline

Successful Strategies for QA-Based Security …2011/Successful+Strategies...Successful Strategies for QA-Based Security Testing ... Software Security Testing: ... • Automated –

Automated Whitebox Fuzz Testing - Internet Society · Fuzz testing is an effective technique for finding security ... (Scalable, Automated, Guided Execution), a new tool employing

Automated Acceptance testing by Developers & Automated ... · Automated Acceptance testing by Developers & Automated Functional Testing by Testers. ... Case Study –An ... • Web

Test for Success: Automated Testing of SAS® Metadata ... Paper 1761-2014 Test for Success: Automated Testing of SAS ® Metadata Security Implementations Paul Homes, Metacoda ABSTRACT

Manual testing versus automated testing

Automated Mobile App Security Testing

Offshore Quality Assurance · Testing Security Testing With SQA Consultant Solutions: Requirements are clearly and accurately defined High quality automated testing checks software

Automated Testing vs Manual Testing

Automated Security Testing with Seccubus confidence 2015

Automated Software Testing. Elfriede Dustin Latest book “Implementing Automated Software Testing” Mar 2009 Book “The Art of Software Security Testing”

Security Testing through Automated Software Tests

Automated Acceptance testing by Developers & Automated ...nordictestingdays.eu/files/files/gowrishankar-automated-acceptance.pdf · Automated Acceptance testing by Developers & Automated

Automated Security Testing (2)

Automated cryptanalysis using statistical testing...Automated cryptanalysis using statistical testing Karel Kub cek Centre for Research on Cryptography and Security (CRoCS), Masaryk

The SecuriTy TeSTing improvemenTS profile (STip)...Dynamic Application Security Testing Automated Model-based security testing At this level, security test engineers define and execute

Automated Testing Nathan Weiss April 23, 2007. Overview History of Testing Advantages to Automated Testing Types of Automated Testing Automated Testing

Automated Mobile Application Security Testing with Mobile ... · Automated Mobile Application Security Testing with ... A FREE and Open Source Security Tool for Mobile ... Some Android

· PDF file... Automated Unit Testing, Automated IntegrationTesting, Performance & Load Testing, Security Testing, Selenium, Cucumber, JMeter, Loadrunner,

Large-scale Internet Automated Security Testing

Integrating Automated Security Testing in the Agile ...840439/FULLTEXT01.pdf · Integrating Automated Security Testing in the Agile Development Process Earlier Vulnerability Detection

Automated Security Testing - ANZTB · with complete manual testing to get the best penetration testing results. • OWASP Mantra Security Framework Mantra is a web application security

AN OVERVIEW OF SAUCE LABS SECURITY … the Sauce Labs Automated Testing Platform. ... Software Security ... Network Security Through custom network configurations,

Manual to automated web application security testing: the story of EDS’s successful use of integrated security platform

BUILDING A MOBILE APP PEN TESTING BLUEPRINT · Automated Mobile AppSec Testing Software. Expert Pen Testing & Security Services. Powers Security in Agile & DevOps Teams. World-Class

Security Testing - University Of Maryland · Bypass Testing Bypass client side input validation in order to create tests for web application robustness and security • Allows automated

Semi-Automated Security Testing of Web applications