
Automated security testing


Demo: how to build dynamic application security testing using ZAP Proxy. Presented at the OWASP Israel Chapter Meetup.

Published in: Software

Automated security testing

  1. Automated Security Testing. OWASP Israel 2017 Chapter Meeting, 3 April 2017
  2. Demo: Building Security Testing from existing automation tests
  3. Agenda: Approaches to Application Security Testing; Building Blocks; Live demo; Future plans
  4. About me: Software Developer and Security Evangelist at Soluto; 26 years old; writing code for the last 8 years; @omerlh on GitHub/Twitter
  5. [image-only slide]
  6. Approaches to Application Security Testing. Static: code analysis, e.g. Checkmarx (our host :)). Dynamic: live analysis. Integrated: combination of static and dynamic.
  7. Building Blocks
  8. ZAP - Zed Attack Proxy. “The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools.” API/CLI; Active Scan Mode (spider); Passive Scan Mode
  9. [image-only slide]
  10. “WebdriverIO lets you control a browser or a mobile application with just a few lines of code.” Simple Selenium binding for JS; very popular framework for automation testing
  11. [image-only slide]
  12. Docker. “Docker is the world’s leading software container platform.” “Using containers, everything required to make a piece of software run is packaged into isolated containers.”
  13. [image-only slide]
  14. OWASP Mutillidae: “free, open source, deliberately vulnerable web-application”. Used to demonstrate ZAP capabilities; Docker image
  15. Putting it all together...
  16. Demo Setup: Selenium Hub, Chrome, Test Code, Mutillidae, ZAP Proxy
  17. Live Demo. All the code is available on GitHub
  18. Comparison with ZAP Active Scan: better coverage of the tested app; takes advantage of existing tests; no additional setup (baseline scan); mixed test types, automation and security
  19. Future Plans: alerts processing (see this issue); use Jenkins plugin? (we are using TeamCity); dedicated security tests; integrate Active Scan (XSS DOM plugin); SSL/HSTS; mobile/certificate pinning override
  20. Questions? We are hiring! Check out our blog
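The demo setup on slide 16 routes the Selenium-driven browser through ZAP so that ZAP's passive scanner sees every request the existing automation tests make, and slide 19 lists "alerts processing" as the open item for turning those findings into a build decision. The following is an added example, not code from the talk or its GitHub repository, showing both halves in plain Node with no dependencies: the W3C WebDriver `proxy` capability that points a browser at ZAP, the ZAP API URL for reading alerts scoped to the app under test, and a gate that reduces the alert list to per-risk counts and a pass/fail verdict. The ZAP host, port, API key, app URL and the sample alerts are constructed values; the alert field names (`name`, `risk`, `url`, `param`) match ZAP's `core/view/alerts` response.

```javascript
// Added example (not from the slides): send browser traffic through ZAP, then
// turn ZAP's alert list into a build gate. Plain Node, no external packages.

// ZAP risk labels, lowest to highest, as returned by core/view/alerts.
const RISK_ORDER = ['Informational', 'Low', 'Medium', 'High'];

// W3C WebDriver capabilities that route the browser through ZAP. This is what a
// WebdriverIO config would pass as `capabilities`. acceptInsecureCerts is
// required because ZAP re-signs TLS traffic with its own CA (slide 19, SSL/HSTS).
function zapProxyCapabilities(zapHost, zapPort) {
  const proxy = `${zapHost}:${zapPort}`;
  return {
    browserName: 'chrome',
    acceptInsecureCerts: true,
    proxy: { proxyType: 'manual', httpProxy: proxy, sslProxy: proxy },
  };
}

// URL for ZAP's alert view. `baseurl` limits alerts to the application under
// test so that unrelated traffic through the proxy cannot fail the build.
function zapAlertsUrl(zapApiBase, apiKey, appBaseUrl) {
  const u = new URL('/JSON/core/view/alerts/', zapApiBase);
  u.searchParams.set('apikey', apiKey);
  u.searchParams.set('baseurl', appBaseUrl);
  return u.toString();
}

// Reduce ZAP's `alerts` array to counts per risk and a pass/fail decision.
// Alerts are de-duplicated on (name, url, param) because the same page is
// usually hit by many tests; anything at or above `failOn` fails the gate.
function summarizeAlerts(alerts, failOn = 'Medium') {
  const threshold = RISK_ORDER.indexOf(failOn);
  if (threshold < 0) throw new Error(`unknown risk level: ${failOn}`);
  const counts = Object.fromEntries(RISK_ORDER.map((r) => [r, 0]));
  const seen = new Set();
  const failing = [];
  for (const a of alerts) {
    const key = `${a.name}|${a.url}|${a.param || ''}`;
    if (seen.has(key)) continue;
    seen.add(key);
    const level = RISK_ORDER.indexOf(a.risk);
    if (level < 0) continue; // unknown label: skip rather than crash the gate
    counts[a.risk] += 1;
    if (level >= threshold) {
      failing.push({ name: a.name, risk: a.risk, url: a.url, param: a.param });
    }
  }
  return { counts, failing, passed: failing.length === 0 };
}

// Fetch alerts from a running ZAP (Node 18+ global fetch). Not called below.
async function fetchAlerts(zapApiBase, apiKey, appBaseUrl) {
  const res = await fetch(zapAlertsUrl(zapApiBase, apiKey, appBaseUrl));
  if (!res.ok) throw new Error(`ZAP API returned HTTP ${res.status}`);
  return (await res.json()).alerts;
}

// Constructed sample in the shape of a ZAP alert list; app.example is a placeholder.
const SAMPLE_ALERTS = [
  { name: 'Cross Site Scripting (Reflected)', risk: 'High', url: 'http://app.example/search', param: 'q' },
  { name: 'Cross Site Scripting (Reflected)', risk: 'High', url: 'http://app.example/search', param: 'q' },
  { name: 'X-Frame-Options Header Not Set', risk: 'Medium', url: 'http://app.example/', param: '' },
  { name: 'Cookie No HttpOnly Flag', risk: 'Low', url: 'http://app.example/login', param: 'session' },
  { name: 'Information Disclosure - Suspicious Comments', risk: 'Informational', url: 'http://app.example/', param: '' },
];

console.log(JSON.stringify(zapProxyCapabilities('zap', 8080)));
console.log(JSON.stringify(summarizeAlerts(SAMPLE_ALERTS, 'Medium'), null, 2));
```

In a pipeline the sequence is: start ZAP and the app (Docker, as on slide 16), run the WebdriverIO suite with these capabilities, then call `fetchAlerts` and exit non-zero when `summarizeAlerts(...).passed` is false. Scoping by `baseurl` and de-duplicating are what keep this from being the "alert noise" the speaker lists as future work.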