Automated Security Testing
    Presentation Transcript

    • Automated Security Testing – Alan Parkinson, @alan_parkinson
    • Disclaimer! I'm NOT a Security Expert, but a developer passionate about quality
    • Why the interest in Security?
      ● New Project - E-commerce
      ● Compliance
        ● PCI
        ● Privacy
      ● Ethics
        ● No site is too small to break into
      ● Security Testing is expensive
    • Security Tools
      ● Attack Proxies: Sit between the Tester and Application
        ● Search for patterns in HTTP traffic
        ● Help manual penetration testers
        ● Change values in HTTP traffic
      ● 3rd Party On-Demand scanning services
        ● Often for PCI compliance
    • Zed Attack Proxy (ZAP)
      ● Open Source project forked from Paros Proxy
      ● Released in 2010; an OWASP top-level project
      ● Easy to use Penetration testing tool – All Skill Levels
      ● Features:
        ● Passive scanning of HTTP traffic
        ● Active scanning of Web Apps
        ● Spiders, Fuzzing, Brute force and many more...
    • Getting Started with ZAP
    • Beyond Passive Scanning
      ● Use on Test Environments ONLY
      ● Active Scanning
      ● Spider vs Browser
        ● Real-life Browser tests discover RESTful services
        ● Automated Browser Tests can teach ZAP
    • Converting Browser Tests Using the ZAP HTTP Proxy
      ● Group test execution based on user roles
    • Integrating ZAP into the build
      ● RESTful API, Ant tasks, Maven Plugin
      ● Session management: New, Save and Open
      ● Tasks: Spider and Active Attack
      ● Results: Ignoring rules and Failing the build
    • False Positives/Negatives
      ● Humans are not out of a job
      ● Some types of Security Vulnerabilities require Intelligence
      ● CI: Ignoring false positives – the rules to ignore are parameters to the Ant tasks
    • Workflow: Start ZAP → Run Browser Tests / Manual Testing → Active Scan → Check Results → Save Session → Stop ZAP
    • Build Integration – Stage 1
      ● Nightly Build with Passive and Active Scanning. The ZAP session is saved for analysis by a human
      ● Not fast feedback, but accurate results
    • Build Integration – Stage 2
      ● Same Nightly Build with human analysis
      ● Passive scanning in Continuous Build
      ● Fast feedback, but for simple issues only
    • Build Integration – Stage 3
      ● Passive and Active scanning in Continuous Build
      ● Fast feedback, but “Trigger Happy” on rule exclusion
    • Conclusion
      ● Additional ROI on your tests
      ● Great for catching...
        ● Injection based attacks: XSS and SQL
        ● HTTP header and Cookie issues
        ● URL Redirect abuse
      ● False Positives
        ● Can be large for some types of tests
        ● Don't get “Trigger happy” on rule exceptions
    • Automated Security Testing – Alan Parkinson, @alan_parkinson
      ● Demo: https://github.com/aparkinson/jenkins-webdriver
      ● ZAP: http://code.google.com/p/zaproxy/
      ● OWASP: https://www.owasp.org
      ● Ant Demo: https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml
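    As an added example (not code from the talk or its jenkins-webdriver demo) of the "ignoring rules and failing the build" step on the build-integration slides: a Python build gate that reads alerts from ZAP's JSON API (assumed reachable at http://localhost:8080), skips alerts whose plugin IDs a human has reviewed and accepted as false positives, and fails the build only when an alert at or above the chosen risk level remains. The alert records embedded below are constructed samples shaped like ZAP's alert output.

```python
"""CI gate on ZAP alerts: skip reviewed false positives, fail on real risk.
Added example, not code from the talk or its demo repository. Assumes a
running ZAP exposing its JSON API at ZAP_BASE."""
import json
import sys
import urllib.request

ZAP_BASE = "http://localhost:8080"  # assumed ZAP API address
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample records, shaped like the entries ZAP returns under "alerts"
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "url": "http://test.local/search?q=x", "param": "q"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://test.local/", "param": ""},
    {"pluginId": "10016", "alert": "Web Browser XSS Protection Not Enabled",
     "risk": "Low", "url": "http://test.local/", "param": ""},
]

def fetch_alerts(zap_base=ZAP_BASE, baseurl=""):
    """Pull the current alert list from ZAP's core API (network call)."""
    url = f"{zap_base}/JSON/core/view/alerts/?baseurl={baseurl}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)["alerts"]

def evaluate_alerts(alerts, ignored_rules=(), fail_on="Medium"):
    """Return (build_passes, remaining_alerts, ignored_count).
    ignored_rules: plugin IDs a human reviewed and accepted as false positives
    (the equivalent of the ignore parameters on the Ant tasks).
    fail_on: lowest risk level that still fails the build."""
    ignore = {str(r) for r in ignored_rules}
    threshold = RISK_ORDER[fail_on]
    remaining, ignored = [], 0
    for alert in alerts:
        if str(alert.get("pluginId")) in ignore:
            ignored += 1                 # accepted false positive: skip, but count it
        elif RISK_ORDER.get(alert.get("risk"), 0) >= threshold:
            remaining.append(alert)      # real finding at or above the threshold
    return len(remaining) == 0, remaining, ignored

if __name__ == "__main__":
    passed, left, skipped = evaluate_alerts(fetch_alerts(), ignored_rules=["10021"])
    for a in left:
        print(f"[{a['risk']}] {a['alert']} at {a['url']} (param {a['param']!r})")
    print(f"ignored {skipped} reviewed false positive(s); build {'passes' if passed else 'FAILS'}")
    sys.exit(0 if passed else 1)  # non-zero exit fails the CI job
```

Keep the ignore list in version control next to the build script so every accepted false positive is a reviewed, traceable decision rather than a "trigger happy" exclusion.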