QA Fest 2018. Michał Buczko. Automated Security Scanning in Payment Industry

Our QA world is focused on two topics: automation and cybersecurity. This case study shows how you can combine them successfully by enhancing your automation with security scanning. We use WebDriver and OWASP ZAProxy as our examples. Even with a low investment and entry-level knowledge you can start working with tools like automated scanners. We show, as a case study, how to get fast benefits from combining them with Selenium test automation: reuse your existing automation to get additional security scan results with almost no extra effort. With that you can enter the software security world with minimal investment.

Published in: Education

1. Automated Security Scanning in Payment Industry. Michał Buczko. QA CONFERENCE #1 IN UKRAINE, KYIV 2018. WITH PASSION TO QUALITY.
2. About me: Test Consultant, Public Speaker, Security enthusiast.
3. Agenda: 1) Why security? 2) How hard is it to start? 3) How to run automated scanners? 4) Required investments? 5) Main benefits? 6) Alternative options.
4. Why is security important? Why should your team focus on this topic inside project or product delivery?
5. Data integrity and management. People give out their private data. The economic impact of cybersecurity attacks is significant. IoT and the digitalization of daily life.
6. Biggest challenges with starting security testing?
7. The domain knowledge is huge and we don't have experience. Experts are expensive. It costs a lot of time and money to start security testing.
8. Automated security scanners: a step-by-step guide on how to enable security scanning inside your existing test automation.
9. Automated functional tests (e.g. WebDriver) + a security intercepting proxy (e.g. OWASP ZAProxy) = effective integration.
10. OWASP ZAP
   • Open-source web application security scanner
   • Fully internationalized into over 25 languages
   • Used as a proxy server, it allows the user to manipulate all of the traffic that passes through it, including traffic using HTTPS
   • Cross-platform tool written in Java
   • Some of the built-in features include: an intercepting proxy server, an automated (active) scanner and a passive scanner. The passive scanner only inspects the traffic your tests already generate; the active scanner sends its own attack payloads, so point it only at a test environment, never at production payment systems
   • It has a plugin-based architecture and an online 'marketplace'
11. UI and report examples.
12. Sounds easy, but how to start? Where are the main investments in such solutions?
13. How to enable the scanner in my automation? How to decode and test HTTPS traffic? What is the impact on the project schedule?
14. Driver with proxy, Selenium 2.0. The simple way to:
   • Set a manual proxy
   • Accept all SSL certs
   • Run the browser with the proxy on all popups
15. Driver with proxy, Selenium 3.0. The simple way to:
   • Set a manual proxy
   • Accept all SSL certs (in Selenium 3 this is the W3C `acceptInsecureCerts` capability)
   • Run the browser with the proxy on all popups
   Accepting every certificate also hides genuine TLS misconfiguration in the application under test; importing the ZAP root CA into the browser profile instead (next slide) keeps certificate validation switched on.
16. ZAP SSL certificate in Firefox
   • Open up OWASP ZAP
   • Go to Tools -> Options
   • In the Certificates section, click on Generate
   • Save the certificate in some location
   • Navigate to the Preferences of your browser
   • Click on the Advanced tab, navigate to the Certificates tab and click on View Certificates (in current Firefox releases the Certificates section sits under Privacy & Security)
   • Select the Authorities tab, click on Import and choose the OWASP ZAP Root Certificate
   • Check all the boxes (only "Trust this CA to identify websites" is actually needed for proxying)
   • Browse sites with HTTPS enabled. You're no longer prompted with the SSL Security Exception error message.
   Import the ZAP root CA only into a dedicated test profile, never into a daily-use browser, and treat the ZAP root key like any other private key: whoever holds it can intercept the HTTPS traffic of every browser that trusts it.
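The three WebDriver steps from slides 14 and 15, the certificate choice from slide 16 and the CI gate promised on slide 25, written out as one script. This is an added example and not code from the talk or from the Objectivity framework. It assumes a hypothetical local ZAP daemon on 127.0.0.1:8080 started with an API key, a made-up target URL, and a Firefox profile into which the ZAP root CA has already been imported; the alert list at the bottom is a constructed sample shaped like ZAP's `core/view/alerts` response, not real scan output.

```python
"""Drive Firefox through OWASP ZAP from a Selenium test and gate the build on the
alerts ZAP's passive scanner raised for the proxied traffic. Added example, not
code from the talk. Hypothetical assumptions: ZAP runs as a daemon on
127.0.0.1:8080 with API key ZAP_KEY (e.g. `zap.sh -daemon -port 8080 -config
api.key=...`) and the application under test is reachable at TARGET."""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_HOST, ZAP_PORT = "127.0.0.1", 8080      # assumption: local ZAP daemon
ZAP_KEY = "change-me"                        # assumption: set with -config api.key
TARGET = "https://payments.example.test/"    # assumption: app under test

# Risk levels spelled exactly as ZAP puts them in an alert's `risk` field.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def firefox_proxy_prefs(host=ZAP_HOST, port=ZAP_PORT):
    """about:config preferences that route all HTTP and HTTPS traffic, localhost
    included, through the intercepting proxy (the slide's 'manual proxy' step)."""
    return {
        "network.proxy.type": 1,               # 1 = manual proxy configuration
        "network.proxy.http": host,
        "network.proxy.http_port": port,
        "network.proxy.ssl": host,
        "network.proxy.ssl_port": port,
        "network.proxy.no_proxies_on": "",     # empty bypass list
        "network.proxy.allow_hijacking_localhost": True,
    }


def build_driver(accept_all_certs=False):
    """Start Firefox behind ZAP. Selenium is imported lazily so the pure helpers
    in this file run, and can be tested, without a browser installed."""
    from selenium import webdriver
    opts = webdriver.FirefoxOptions()
    for name, value in firefox_proxy_prefs().items():
        opts.set_preference(name, value)
    # The slide's shortcut is 'accept all SSL certs'. That also silences real TLS
    # defects in the app under test, so the default keeps validation on and relies
    # on the ZAP root CA having been imported into the browser profile instead.
    opts.accept_insecure_certs = accept_all_certs
    return webdriver.Firefox(options=opts)


def zap_api(component, kind, action, **params):
    """Call the ZAP JSON API on its own port (not through the proxy), e.g.
    zap_api("core", "view", "alerts", baseurl=TARGET)."""
    params["apikey"] = ZAP_KEY
    url = (f"http://{ZAP_HOST}:{ZAP_PORT}/JSON/{component}/{kind}/{action}/?"
           + urllib.parse.urlencode(params))
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for_passive_scan(poll_seconds=1):
    """Block until ZAP has passively scanned every proxied message; alerts read
    before that point can be incomplete."""
    while int(zap_api("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(poll_seconds)


def security_gate(alerts, fail_on="High"):
    """Return (passed, failing_alerts). The build fails on any alert whose risk is
    at or above `fail_on`; an unknown risk string counts as Informational."""
    threshold = RISK_ORDER[fail_on]
    failing = [a for a in alerts if RISK_ORDER.get(a.get("risk"), 0) >= threshold]
    return not failing, failing


# Constructed sample in the shape of ZAP's core/view/alerts output; it backs the
# dry run and the test and is not real scan output.
SAMPLE_ALERTS = [
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": TARGET + "login", "param": "JSESSIONID", "cweid": "614"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": TARGET + "checkout", "param": "X-Frame-Options", "cweid": "16"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": TARGET + "pay?amount=1", "param": "amount", "cweid": "89"},
]


def run(dry_run=False, fail_on="High"):
    """Execute the existing functional flow through ZAP, then apply the gate."""
    if dry_run:
        alerts = SAMPLE_ALERTS
    else:
        driver = build_driver()
        try:
            driver.get(TARGET)                 # the real Selenium test steps go here
        finally:
            driver.quit()
        wait_for_passive_scan()
        alerts = zap_api("core", "view", "alerts", baseurl=TARGET)["alerts"]
    passed, failing = security_gate(alerts, fail_on)
    for a in failing:
        print(f"{a['risk']:<7} {a['alert']} at {a['url']} (param {a.get('param', '-')})")
    return passed


if __name__ == "__main__":
    raise SystemExit(0 if run(dry_run="--dry-run" in sys.argv) else 1)
```

`python zap_gate.py --dry-run` exercises the gate against the constructed sample and exits non-zero because of the High alert; without the flag it needs ZAP and Firefox. On a CI agent the GUI certificate steps from slide 16 reduce to fetching the CA from ZAP (`http://127.0.0.1:8080/OTHER/core/other/rootcert/`) and adding it to the test profile's NSS database with `certutil -A -n "ZAP Root CA" -t "C,," -i zap_root.cer -d sql:<profile dir>` before Firefox starts. The script only reads passive findings; triggering ZAP's active scanner (`ascan/action/scan`) against the URLs the tests visited is a one-line addition, but it fires real attack payloads and belongs only in a disposable test environment.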
23. How much does it cost?
   • WebDriver: free
   • ZAProxy: free
   • Yes, and...
   • Investigation time
   • Project interruption
   • Learning attitude required
24. What can I get from this? What is the benefit for my team, project, product and company?
25. An easy start with building a picture of the security of your system. A starting point for learning, exercising and upskilling anyone interested in security. A security-related pipeline inside your CI/CD systems without investing in additional costly licences.
26. How to maximize the benefits?
27. Do any alternatives exist? How to get similar results with other solutions available on the market?
28. Objectivity Test Framework
   Features
   • Multiple integrated tools and solutions
   • Free to use and adapt to your needs
   • Constant development by Objectivity
   Risks
   • Requires technical knowledge to start the integration
   • It's a tool-set to re-use, not a boxed solution
   Benefits
   • Freedom of usage and adaptation
   • Open-source
   • Not limited by technology stack or business objective
29. F-Secure Mittn, BDD-Security
   Features
   • Open source on GitHub
   • BDD test enhancement without a technical skills requirement
   • CI integrated
   Risks
   • BDD tests are not easily owned inside organizations
   • Another layer on top of a tool-set, i.e. ZAP
   • No proven market value that I have heard of
   Benefits
   • BDD in a good setup can work very well
   • A few alternative routes to use
   • Fewer technical requirements to enable such solutions
30. Qualys Web Scanner
   Features
   • Standalone scanning solution
   • Does not require technical knowledge
   • Push a URL and wait for results
   Risks
   • No control over the scanning scope
   • Not a cheap solution: costly licences
   • Sometimes too big for the problem
   Benefits
   • Easy-to-understand visualisation
   • Well-documented results
   • Catalog feature, if applied on multiple projects
31. Any questions? Thanks!! QA CONFERENCE #1 IN UKRAINE, KYIV 2018.
