AUTOMATED SECURITY TESTING
AGENDA
• What is security testing?
• Why do we testers need to worry about it?
• Why automated security testing?
• How can we automate it?
• Demo
• Resources
WHAT IS SECURITY TESTING
• Part of software testing
• A process intended to reveal flaws in an application's security mechanisms.
I AM NOT A SECURITY TESTER !
• Why do we testers need to worry about security testing? Isn't
there a security team to handle this?
• Tester = { Functional testing + Non-functional testing
(Performance, Security, ...) }
WHY AUTOMATED SECURITY TESTING?
• Detect known vulnerabilities early in the cycle
• Reduce costs: less of the time for which you need to hire a security
professional
• About 10 minutes to get you started with your first attack proxy and scan
• Your existing automated functional tests can generate the HTTP traffic,
so there is no need to write special security tests.
- Coverage follows the tests: pages the suite never visits never get scanned.
WHERE ARE WE? AS OF 2014
[Chart: 2014 breakdown by country: United States, Japan, Spain, United Kingdom, Germany, China, Ukraine, Switzerland, Mexico, Canada]
HOW DID WE DO IT? “ATTACK PROXIES”
• Sit between the tester and the target
- Inspect HTTP traffic for patterns
- Manipulate headers
- Scan for vulnerabilities
- Fuzz inputs
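The pattern on the last two slides, as an added example that is not code from the deck or the linked repository: a functional test suite talks to the target through a recording proxy, and the recorded traffic is then checked passively (response headers) and replayed actively with attack payloads (fuzzing). The target application, its two endpoints, the payload and header lists and the functional tests are all constructed for illustration; the proxy is modelled in-process rather than as a network listener, so it stands in for a real attack proxy rather than reproducing one.

```python
# Added example, not code from the slide deck or the linked repository.
# In-process model of the "attack proxy" pattern: functional tests drive the
# target through a recording proxy; the recorded traffic is then passively
# checked for missing security headers and actively replayed with payloads.
# Target app, endpoints, payload/header lists and tests are constructed.
import html
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

@dataclass
class Request:
    method: str
    url: str

@dataclass
class Response:
    status: int
    headers: dict
    body: str

def toy_app(req: Request) -> Response:
    """Constructed target: one endpoint reflects input unescaped, one is safe."""
    parts = urlsplit(req.url)
    params = parse_qs(parts.query)
    if parts.path == "/search":
        q = params.get("q", [""])[0]
        # Deliberately vulnerable: q is echoed unescaped and no security headers are set.
        return Response(200, {"Content-Type": "text/html"}, f"<p>Results for {q}</p>")
    if parts.path == "/profile":
        name = params.get("name", [""])[0]
        headers = {
            "Content-Type": "text/html",
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'self'",
        }
        return Response(200, headers, f"<p>Hello {html.escape(name)}</p>")
    return Response(404, {"Content-Type": "text/html"}, "not found")

class RecordingProxy:
    """Sits between the tester and the target and records every request."""

    def __init__(self, target):
        self.target = target
        self.history = []

    def send(self, req: Request) -> Response:
        self.history.append(req)
        return self.target(req)

# Hypothetical, deliberately short lists; a real scanner carries many more.
XSS_PAYLOADS = ['"><script>alert(1)</script>', "'><img src=x onerror=alert(1)>"]
REQUIRED_HEADERS = ("X-Content-Type-Options", "Content-Security-Policy")

def replace_param(url: str, name: str, value: str) -> str:
    """Return url with one query parameter replaced by an attack value."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    params[name] = [value]
    return parts._replace(query=urlencode(params, doseq=True)).geturl()

def passive_scan(req: Request, resp: Response) -> list:
    """Check a recorded exchange for missing response headers; sends no new traffic."""
    return [("missing-header", req.url, h) for h in REQUIRED_HEADERS if h not in resp.headers]

def active_scan(proxy: RecordingProxy) -> list:
    """Replay each recorded request with every payload in every query parameter."""
    findings = []
    for req in proxy.history:
        parts = urlsplit(req.url)
        for name in parse_qs(parts.query, keep_blank_values=True):
            for payload in XSS_PAYLOADS:
                attack = Request(req.method, replace_param(req.url, name, payload))
                # Go straight to the target so replays are not recorded and re-fuzzed.
                if payload in proxy.target(attack).body:
                    findings.append(("reflected-xss", parts.path, name))
                    break
    return findings

def run_functional_tests(proxy: RecordingProxy) -> None:
    """Stand-in for a Selenium/requests suite that only asserts on functionality."""
    assert "Results for shoes" in proxy.send(Request("GET", "/search?q=shoes")).body
    assert "Hello alice" in proxy.send(Request("GET", "/profile?name=alice")).body

def scan_with_functional_tests() -> list:
    """Run the functional suite through the proxy, then scan what it recorded."""
    proxy = RecordingProxy(toy_app)
    run_functional_tests(proxy)
    findings = []
    for req in proxy.history:
        findings += passive_scan(req, proxy.target(req))
    findings += active_scan(proxy)
    return sorted(set(findings))
```

Running `scan_with_functional_tests()` reports two missing headers and one reflected parameter on `/search`, and nothing on `/profile`, which escapes its input and sets both headers. The functional tests never mention security: the proxy gets its attack surface purely from the URLs and parameters the suite happened to exercise, which is both the appeal of the approach and its limit.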
ALWAYS REMEMBER
• Never run security tests against sites you are not
authorised to test.
- Active scans send real attack payloads, so point them at a test environment, not at production.
IN ACTION…
RESOURCES – SO MANY OPTIONS TO EXPLORE!
• https://www.owasp.org/index.php/Appendix_A:_Testing_Tools
BDD IN SECURITY TESTING. IS IT POSSIBLE?
ON GITHUB
• https://github.com/impeccable-tester/SecurityTesting
I AM NOW A SECURITY TESTER