Automated Security Testing

  1. Automated Security Testing
     Alan Parkinson @alan_parkinson
  2. Disclaimer! I'm NOT a Security Expert, but a developer passionate about quality
  3. Why the interest in Security?
     ● New Project - E-commerce
     ● Compliance
       ● PCI
       ● Privacy
     ● Ethics
       ● No site is too small to break into
     ● Security Testing is expensive
  4. Security Tools
     ● Attack Proxies: Sit between the Tester and Application
       ● Search for patterns in HTTP traffic
       ● Help manual penetration testers
       ● Change values in HTTP traffic
     ● 3rd Party OnDemand scanning services
       ● Often for PCI compliance
  5. Zed Attack Proxy (ZAP)
     ● Open Source project forked from Paros Proxy
     ● Released in 2010 and OWASP top level project
     ● Easy to use Penetration testing tool – All Skill Levels
     ● Features:
       ● Passive scanning of HTTP traffic
       ● Active scanning of Web Apps
       ● Spiders, Fuzzing, Brute force and many more....
  6. Getting Started with ZAP
  7. Beyond Passive Scanning
     ● Use on Test Environments ONLY
     ● Active Scanning
     ● Spider vs Browser
       ● Real life Browser tests discover RESTful services
       ● Automated Browser Tests can teach ZAP
  8. Converting Browser Tests
     ● Using the ZAP HTTP Proxy
     ● Group test execution based on user roles
  9. Integrating ZAP into the build
     ● RESTful API, Ant tasks, Maven Plugin
     ● Session management: New, Save and Open
     ● Tasks: Spider and Active Attack
     ● Results: Ignoring rules and Failing the build
  10. False Positives/Negatives
     ● Humans are not out of a job
     ● Some types of Security Vulnerabilities require Intelligence
     ● CI: Ignored false positives are parameters to the Ant tasks
  11. Workflow: Start ZAP → Run Browser Tests / Manual Testing → Active Scan → Check Results → Save Session → Stop ZAP
  12. Build Integration – Stage 1
     ● Nightly Build with Passive and Active Scanning. The ZAP session is saved for analysis by a human
     ● Not fast feedback, but accurate results
  13. Build Integration – Stage 2
     ● Same Nightly Build with human analysis
     ● Passive scanning in Continuous Build
     ● Fast feedback, but for simple issues only
  14. Build Integration – Stage 3
     ● Passive and Active scanning in Continuous Build
     ● Fast feedback but “Trigger Happy” on rule exclusion
  15. Conclusion
     ● Additional ROI on your tests
     ● Great for catching...
       ● Injection based attacks: XSS and SQL
       ● HTTP header and Cookie issues
       ● URL Redirect abuse
     ● False Positives
       ● Can be large for some types of tests
       ● Don't get “Trigger happy” on rule exceptions
  16. Automated Security Testing
     Alan Parkinson @alan_parkinson
     Demo: https://github.com/aparkinson/jenkins-webdriver
     ZAP: http://code.google.com/p/zaproxy/
     OWASP: https://www.owasp.org
     Ant Demo: https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml
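The build gate from slides 9, 10 and 14 (spider, active scan, ignore known false positives, fail the build) as an added Python example; it is not Alan Parkinson's Ant/Jenkins demo. It assumes a ZAP instance reachable at the `zap` URL with its API usable without a key (pass `apikey=...` through `zap_call` otherwise); the alert sample and host names are constructed, and ignored alerts are returned rather than dropped so that every rule exclusion stays visible to the human reviewer the slides insist on.

```python
import json
import time
import urllib.parse
import urllib.request

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape of ZAP's core/view/alerts output (host is made up).
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "http://shop.test/search?q=x"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://shop.test/"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://shop.test/cart"},
]

def triage(alerts, ignored_plugin_ids=(), fail_at="Medium"):
    """Split alerts into build-breaking and ignored. Ignored alerts are
    returned too, so each rule exclusion stays visible to a human reviewer."""
    threshold = RISK_ORDER[fail_at]
    blocking, ignored = [], []
    for alert in alerts:
        if alert["pluginId"] in ignored_plugin_ids:
            ignored.append(alert)          # accepted false positive for this app
        elif RISK_ORDER.get(alert["risk"], 0) >= threshold:
            blocking.append(alert)
    return blocking, ignored

def build_should_fail(alerts, ignored_plugin_ids=(), fail_at="Medium"):
    return len(triage(alerts, ignored_plugin_ids, fail_at)[0]) > 0

def zap_call(zap, component, kind, name, **params):
    """GET {zap}/JSON/<component>/<action|view>/<name>/?... and decode the JSON."""
    query = urllib.parse.urlencode(params)
    with urllib.request.urlopen(f"{zap}/JSON/{component}/{kind}/{name}/?{query}") as r:
        return json.load(r)

def scan(zap, target):
    """Spider, then active-scan, then fetch alerts. Test environments only."""
    zap_call(zap, "spider", "action", "scan", url=target)
    while int(zap_call(zap, "spider", "view", "status")["status"]) < 100:
        time.sleep(2)
    zap_call(zap, "ascan", "action", "scan", url=target)
    while int(zap_call(zap, "ascan", "view", "status")["status"]) < 100:
        time.sleep(5)
    return zap_call(zap, "core", "view", "alerts", baseurl=target)["alerts"]
```

In a CI job, `build_should_fail(scan("http://localhost:8080", target), ignored_plugin_ids)` becomes the exit status; the third assertion pattern below (ignoring the XSS rule makes the build pass) is exactly the "trigger happy" exclusion slides 14 and 15 warn about.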
