
Automated security testing


Demo - how to build dynamic application security testing using Zap Proxy and WebDriver.io. Presented at OWASP Israel Chapter Meetup.



1. Automated Security Testing. OWASP Israel 2017 Chapter Meeting, 3 April 2017. http://goo.gl/sphN9w
2. Demo: Building Security Testing from existing automation tests
3. Agenda: Approaches to Application Security Testing; Building Blocks; Live demo; Future plans
4. About me: Software Developer and Security Evangelist at Soluto; 26 yrs old; writing code for the last 8 years; @omerlh on GitHub/Twitter
5. [image-only slide]
6. Approaches to Application Security Testing: Static (code analysis, e.g. Checkmarx, our host :)); Dynamic (live analysis); Integrated (a combination of static and dynamic)
7. Building Blocks
8. ZAP - Zed Attack Proxy: "The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools"; API/CLI; Active Scan Mode (spider); Passive Scan Mode
9. [image-only slide]
10. Webdriver.io: "WebdriverIO lets you control a browser or a mobile application with just a few lines of code."; a simple Selenium binding for JS; a very popular framework for automation testing
11. [image-only slide]
12. Docker: "Docker is the world's leading software container platform"; "Using containers, everything required to make a piece of software run is packaged into isolated containers"
13. [image-only slide]
14. OWASP Mutillidae: "free, open source, deliberately vulnerable web-application"; used to demonstrate ZAP capabilities; available as a Docker image
15. Putting it all together...
16. Demo Setup: Selenium Hub, Chrome, Test Code, Mutillidae, ZAP Proxy
17. Live Demo: all the code is available on GitHub
18. Comparison with ZAP Active Scan: better coverage of the tested app; takes advantage of existing tests; no additional setup (baseline scan); mixed test types (automation and security)
19. Future Plans: alerts processing (see this issue); use the Jenkins plugin? (we are using TeamCity); dedicated security tests; integrate Active Scan (XSS DOM plugin); SSL/HSTS; mobile/certificate pinning override
20. Questions? We are hiring! Check out our blog
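The demo setup on slides 16 to 18 (Selenium Hub, Chrome, test code, Mutillidae, ZAP) needs two pieces of glue that the slides only name: the browser driven by WebdriverIO has to be told to send its traffic through ZAP so the passive scanner sees every request the existing functional tests make, and after the suite finishes ZAP's alerts have to be fetched and turned into a pass/fail verdict for the build. The block below is an added example written for this page, not the code from the talk's GitHub repository. It assumes ZAP is reachable at the hypothetical host name `zap` on port 8080 (as it would be on a shared Docker network with the Selenium hub), that the ZAP API key and API base URL are supplied through two hypothetical `wdio.conf.js` keys (`zapApiKey`, `zapApiBase`), that Node 18+ provides `fetch`, and that the embedded alert payload is a constructed sample whose shape mirrors ZAP's `/JSON/core/view/alerts/` response.

```javascript
// Added example (not from the talk's repository): route a WebdriverIO-driven
// Chrome through ZAP and gate the build on ZAP's passive-scan alerts.
// Assumptions: ZAP at zap:8080 (hypothetical host name), Node 18+ for fetch,
// config keys zapApiBase / zapApiKey are hypothetical wdio.conf.js additions.

// W3C WebDriver capabilities that send Chrome's HTTP and HTTPS traffic
// through ZAP, so every request the functional tests make is passively scanned.
function zapCapabilities(zapHost, zapPort) {
  const proxy = `${zapHost}:${zapPort}`;
  return {
    browserName: 'chrome',
    acceptInsecureCerts: true, // ZAP re-signs TLS with its own root CA
    proxy: { proxyType: 'manual', httpProxy: proxy, sslProxy: proxy },
  };
}

// ZAP's four risk levels, ordered so a threshold can be compared numerically.
const RISK_ORDER = { Informational: 0, Low: 1, Medium: 2, High: 3 };

// Reduce a /JSON/core/view/alerts/ payload to per-risk counts plus a verdict:
// the run fails when any alert is at or above the failAt risk level.
function summarizeAlerts(alertsPayload, failAt = 'Medium') {
  const counts = { Informational: 0, Low: 0, Medium: 0, High: 0 };
  const failing = [];
  for (const alert of alertsPayload.alerts || []) {
    if (!(alert.risk in counts)) continue; // ignore unknown risk strings
    counts[alert.risk] += 1;
    if (RISK_ORDER[alert.risk] >= RISK_ORDER[failAt]) {
      failing.push({ risk: alert.risk, name: alert.name, url: alert.url });
    }
  }
  return { counts, failing, passed: failing.length === 0 };
}

// Fetch the alerts ZAP recorded for one target from its JSON API. Needs a live
// ZAP; `apikey` is ZAP's own query parameter for API authentication.
async function fetchZapAlerts(zapApiBase, apiKey, targetBaseUrl) {
  const url = new URL('/JSON/core/view/alerts/', zapApiBase);
  url.searchParams.set('baseurl', targetBaseUrl);
  url.searchParams.set('apikey', apiKey);
  const res = await fetch(url);
  if (!res.ok) throw new Error(`ZAP API returned HTTP ${res.status}`);
  return res.json();
}

// Constructed sample of a ZAP alerts response for the Mutillidae demo target.
// The field names match the real API; the alert instances are illustrative.
const SAMPLE_ALERTS = {
  alerts: [
    { risk: 'Low', name: 'X-Content-Type-Options Header Missing', url: 'http://mutillidae/index.php' },
    { risk: 'Medium', name: 'X-Frame-Options Header Not Set', url: 'http://mutillidae/index.php' },
    { risk: 'High', name: 'Cross Site Scripting (Reflected)', url: 'http://mutillidae/index.php?page=login.php' },
    { risk: 'Informational', name: 'Information Disclosure - Suspicious Comments', url: 'http://mutillidae/' },
  ],
};

// wdio.conf.js `onComplete(exitCode, config, capabilities, results)` hook:
// after the functional suite, pull ZAP's alerts and fail the build on Medium+.
async function onComplete(_exitCode, config) {
  const payload = await fetchZapAlerts(config.zapApiBase, config.zapApiKey, config.baseUrl);
  const verdict = summarizeAlerts(payload, 'Medium');
  if (!verdict.passed) {
    const detail = verdict.failing.map(a => `${a.risk}: ${a.name} @ ${a.url}`).join('; ');
    throw new Error(`ZAP reported ${verdict.failing.length} alert(s) at Medium or above: ${detail}`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { zapCapabilities, summarizeAlerts, fetchZapAlerts, onComplete, SAMPLE_ALERTS };
}
```

In `wdio.conf.js` you would set `capabilities: [zapCapabilities('zap', 8080)]`, point `baseUrl` at the Mutillidae container, and register `onComplete` as the hook; the existing functional tests then double as the security run described on slide 18, with no separate spider pass. Keeping `summarizeAlerts` pure makes the gate policy (which risk level fails the build) testable without a running ZAP.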
