Automated Security Testing
Presentation Transcript

    • Automated Security Testing, Alan Parkinson, @alan_parkinson
    • Disclaimer! I'm NOT a Security Expert, but a developer passionate about quality
    • Why the interest in Security?
        ● New Project - E-commerce
        ● Compliance
            ● PCI
            ● Privacy
        ● Ethics
            ● No site is too small to break into
        ● Security Testing is expensive
    • Security Tools
        ● Attack Proxies: sit between the Tester and the Application
            ● Search for patterns in HTTP traffic
            ● Help manual penetration testers
            ● Change values in HTTP traffic
        ● 3rd Party On-Demand scanning services
            ● Often for PCI compliance
    • Zed Attack Proxy (ZAP)
        ● Open Source project forked from Paros Proxy
        ● Released in 2010; an OWASP top-level project
        ● Easy-to-use penetration testing tool – all skill levels
        ● Features:
            ● Passive scanning of HTTP traffic
            ● Active scanning of Web Apps
            ● Spiders, Fuzzing, Brute force and many more...
    • Getting Started with ZAP
    • Beyond Passive Scanning
        ● Use on Test Environments ONLY
        ● Active Scanning
        ● Spider vs Browser
            ● Real-life Browser tests discover RESTful services
            ● Automated Browser Tests can teach ZAP
    • Converting Browser Tests
        ● Using the ZAP HTTP Proxy
        ● Group test execution based on user roles
    • Integrating ZAP into the build
        ● RESTful API, Ant tasks, Maven Plugin
        ● Session management: New, Save and Open
        ● Tasks: Spider and Active Attack
        ● Results: Ignoring rules and Failing the build
    • False Positives/Negatives
        ● Humans are not out of a job
        ● Some types of Security Vulnerabilities require Intelligence
        ● CI: Ignored false positives are parameters to the Ant tasks
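As an added illustration of the "Ignoring rules and Failing the build" step (example code written for this page, not the ZAP project's Ant tasks or Maven plugin), the functions below take alert records shaped like the output of ZAP's alerts API, apply a reviewed per-rule and per-URL exclusion list, and decide whether the build fails. The alert values, URLs and plugin IDs are constructed for the demonstration.

```python
# Added example (not from the slides or the ZAP project): gate a CI build on ZAP
# alerts after removing the ones a human has reviewed and accepted as false positives.
# The records mimic the shape of ZAP's alerts API output; values and IDs are constructed.
import json

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "http://test.example/search?q=1", "param": "q"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "confidence": "Low", "url": "http://test.example/product?id=1", "param": "id"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://test.example/static/app.js", "param": ""},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://test.example/", "param": ""},
]})

def load_alerts(json_text):
    """Parse a {"alerts": [...]} document such as the ZAP API returns."""
    return json.loads(json_text)["alerts"]

def filter_alerts(alerts, ignored_plugin_ids=(), ignored_urls=()):
    """Drop alerts whose rule (pluginId) or URL is on the reviewed exclusion list.
    Exclusions are per rule or per URL, never "ignore everything of risk X",
    so the build does not become trigger happy on exceptions."""
    ignored_ids = {str(p) for p in ignored_plugin_ids}
    return [a for a in alerts
            if a["pluginId"] not in ignored_ids and a["url"] not in ignored_urls]

def summarise(alerts):
    """Count alerts per ZAP risk level, for the build log."""
    counts = {level: 0 for level in RISK_ORDER}
    for a in alerts:
        counts[a["risk"]] += 1
    return counts

def should_fail_build(alerts, fail_on_risk="Medium", ignored_plugin_ids=(), ignored_urls=()):
    """Return (fail, blocking_alerts): fail when any non-ignored alert is at or
    above fail_on_risk. Lower-risk findings are still reported but do not block."""
    remaining = filter_alerts(alerts, ignored_plugin_ids, ignored_urls)
    threshold = RISK_ORDER[fail_on_risk]
    blocking = [a for a in remaining if RISK_ORDER[a["risk"]] >= threshold]
    return bool(blocking), blocking
```

In a nightly build the saved ZAP session is what the reviewer inspects before adding an ID or URL to the exclusion list; the continuous build then runs with that list as its parameters.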
    • Workflow (flow diagram): Start ZAP → Run Browser Tests / Manual Testing → Active Scan → Check Results → Save Session → Stop ZAP
    • Build Integration – Stage 1
        ● Nightly Build with Passive and Active Scanning
        ● The ZAP session is saved for analysis by a human
        ● Not fast feedback, but accurate results
    • Build Integration – Stage 2
        ● Same Nightly Build with human analysis
        ● Passive scanning in Continuous Build
        ● Fast feedback, but for simple issues only
    • Build Integration – Stage 3
        ● Passive and Active scanning in Continuous Build
        ● Fast feedback, but "Trigger Happy" on rule exclusion
    • Conclusion
        ● Additional ROI on your tests
        ● Great for catching...
            ● Injection based attacks: XSS and SQL
            ● HTTP header and Cookie issues
            ● URL Redirect abuse
        ● False Positives
            ● Can be large for some types of tests
            ● Don't get "Trigger happy" on rule exceptions
    • Automated Security Testing, Alan Parkinson, @alan_parkinson
        ● Demo: https://github.com/aparkinson/jenkins-webdriver
        ● ZAP: http://code.google.com/p/zaproxy/
        ● OWASP: https://www.owasp.org
        ● Ant Demo: https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml