BOSTON 10-11 SEPT 2018
ADVANCED MOBILE SECURITY AUTOMATION IN
YOUR SDLC WITH BDD TESTS
DAVIDE CIOCCIA
#whoami
• Davide Cioccia
Security Engineer @ ING
Co-Founder @ IoTsec.eu
• Mobile Security Lead
• OWASP MSTG contributor
• IoT, IIoT breaker
• @davide107
• davidecioccia.com
Agenda
• Background
• BDD introduction
• Mobile BDD security tests
• Workshop
Background
Why does mobile security matter?
The mistake
WRITE_EXTERNAL_STORAGE
Why do developers make mistakes?
• We need it ASAP
• Agile environments require multiple releases per day/week
• Security requirements are not followed
• Threat model not in place
• Reliance on SAST tools for vulnerability detection
• Security testing is not embedded in the CI/CD
• Security is too late in the SDLC
Security team challenges
• Provide security at the DevOps speed
• Have developers understand security
• Detect vulnerabilities in early stage
• Have Pentesters focus on “serious” stuff
Mobile security challenges
• Different Operating Systems
• Client side testing
• Different apps (native, hybrid, web)
• Different languages (poor SAST tool support)
• Different security controls
Improve the testing
• Security must be an accelerator and not a step back
• Extend the SDLC with security integration tests
BDD Security Tests
Testing in Agile
BDD
ATDD
TDD
What do we solve with BDD?
Why BDD in security
• BDD offers more precise guidance on organizing the conversation between developers,
testers and security experts
• Notations originating in the BDD approach, in particular the given-when-then canvas,
are closer to everyday language and have a shallower learning curve
• Tools targeting a BDD approach generally afford the automatic generation of technical
and end user documentation from BDD “specifications”
BDD steps
Cucumber as engine for BDD
Features + Step definitions
Java
C#
Python
Ruby
JavaScript
…more
Gherkin
BDD test example
Business facing
Technology facing
Mobile BDD security
OWASP MSTG to BDD
Test scripts
.features
steps
Process
Test scripts APK
.features
steps.rb
Emulator / Device
Full process in CI/CD
Security Requirements
Threat modelling
(abuse case generation)
Implement BDD standard
security tests
Implement BDD application
specific security tests
Test against acceptance
environment
MSTG Test cases
MASVS Checklist
Manual PT
Identify what can be
automated
Requirements Design Code Build Test Release Deploy Operate
Attack surface
Application layer
• AUTHENTICATION
• ACCESS CONTROLS
• SESSION MANAGEMENT
• ENCRYPTION
• OBFUSCATION
• INPUT & ERROR VALIDATION
• DATA PROTECTION
• MORE
OS and architecture layer
• PERMISSION MODEL
• SERVICES
• LIBRARIES
• RESIDUAL DATA
• MORE
Network layer
• CERTIFICATE PINNING
• ENCRYPTION
• MITM
• URL WHITELISTING
• WEB SERVER ASSESSMENT
• NETWORK SCAN
• MORE
INTERACTION WITH OS
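PERMISSION MODEL in the OS and architecture layer is one of the checks that maps directly onto a BDD step, and WRITE_EXTERNAL_STORAGE from "The mistake" slide is the classic case. The block below is an added example, not code from the workshop repository or the speaker: it parses the output of `aapt dump permissions` (aapt is part of the Android build tools; its presence in the setup's Docker image is an assumption), compares the requested permissions against an allow-list and exposes the result to a Then step. The package name, the allow-list and the sample aapt output are constructed for the example.

```ruby
# Added example (not from the workshop repository): fail the build when an APK
# requests a permission that is not on the team's approved list.
require 'open3'
require 'set'

module PermissionCheck
  # Constructed sample of `aapt dump permissions <apk>` output. Both the older
  # bare-name style and the newer name='...' style are included on purpose,
  # because either can show up depending on the build-tools version.
  SAMPLE_AAPT_OUTPUT = <<~OUT
    package: com.example.bank
    uses-permission: name='android.permission.INTERNET'
    uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
    uses-permission: android.permission.CAMERA
  OUT

  # Permissions the (hypothetical) app is allowed to request; everything else
  # is reported. Keeping the list here mirrors the "security requirements" that
  # the CI/CD slide puts at the start of the process.
  ALLOWED = Set['android.permission.INTERNET',
                'android.permission.CAMERA'].freeze

  # Runs aapt against the built APK. Only needed on the real pipeline; the
  # parsing below is tested against SAMPLE_AAPT_OUTPUT instead.
  def self.dump_permissions(apk_path)
    out, err, status = Open3.capture3('aapt', 'dump', 'permissions', apk_path)
    raise "aapt dump permissions failed: #{err}" unless status.success?
    out
  end

  # Extracts the requested permission names, tolerating both aapt line styles.
  def self.parse(output)
    output.each_line.map do |line|
      m = line.match(/^uses-permission: (?:name=')?([\w.]+)'?/)
      m && m[1]
    end.compact
  end

  # Returns the requested permissions that are not on the allow-list.
  def self.unexpected(output, allowed = ALLOWED)
    parse(output).reject { |perm| allowed.include?(perm) }
  end
end

# Step definition; only registered when loaded by Cucumber/Calabash.
if defined?(Cucumber)
  Then(/^the APK "(.*)" requests no permission outside the approved list$/) do |apk|
    extra = PermissionCheck.unexpected(PermissionCheck.dump_permissions(apk))
    raise "unapproved permissions requested: #{extra.join(', ')}" unless extra.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  puts "Unapproved: #{PermissionCheck.unexpected(PermissionCheck::SAMPLE_AAPT_OUTPUT).inspect}"
end
```

The allow-list is deliberately strict rather than a deny-list of "dangerous" permissions: a new permission added by a developer or a pulled-in SDK then fails the build and has to be discussed, which is the conversation between developers and security the BDD slides are about.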
What are we going to do
• Automate MASVS using Calabash, Gherkin and Ruby
• Identify what we can automate from the MSTG
• Extend UI/UX testing framework to create security integration tests
• Write BDD tests
Why
• MASVS is becoming the de facto standard for security testing
• MSTG is its technical sister (thanks Sven Schleier and Bernhard Mueller)
• All the checks are currently performed manually by pentesters, security
engineers, developers,
• ...or by integrating SAST tools in the pipeline. But SAST is not too smart!
• With BDD, security is pushed left in the SDLC
Benefits
• Increase security maturity of the teams
• Performing security integration tests on every build improves the code
• Simplify pentesters' life
• Decrease TTR (Time To Release) and enhance security
• Translate threats into tests
• Have a ready-to-use documentation
WORKSHOP
Setup
• Dockerfile
• Calabash
• Android SDK
• Android tools
• JDK
• Genymotion for Personal use (FREE)
• Emulate any Android device
• IDE / Text Editor of your choice
• Recommended: Sublime with Gherkin syntax plugin
Outcome
• .features
• A feature file is the entry point to the Cucumber tests. This is the file
where you describe your tests in a descriptive language (like
English).
Steps
• security_steps.rb
• Implementation of the Gherkin syntax
• Ruby function taking the captured step parameters as input
• We are going to use the Android tools to perform the analysis on the
device
.features
Feature: Logs must not contain sensitive information
@first_scenario
Scenario: As a user I insert my sensitive information and I check that they are not reflected in the logfiles
Given I clean "all" the application log
security_steps.rb
# Clears the selected logcat buffer ("all", "main", ...) so that only log
# entries written during the scenario are inspected afterwards
Given /^I clean "(.*)" the application log$/ do |log|
  %x(adb logcat -b #{log} -c)
end
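The .features and security_steps.rb slides show only the first Given step of the log scenario. As an added example (not code from the workshop repository or the speaker), here is a complete set of step definitions for that feature, with the log inspection pulled into plain Ruby methods so it can be exercised without a device. adb is the only tool the slides name; the When step wording, the module name, the sample logcat lines and the secret values are assumptions, and the Base64 check goes beyond the slide, which only asks whether the values are reflected in the log.

```ruby
# Added example (not from the workshop repository): step definitions for
# "Logs must not contain sensitive information", with the detection logic
# separated from the adb calls so it can be tested offline.
require 'open3'

module LogSecurity
  # Constructed logcat excerpt: a login activity that echoes credentials in
  # clear text and an HTTP client that logs the Basic auth header, which carries
  # the same password Base64-encoded ("alice:Sup3rSecret!").
  SAMPLE_LOGCAT = <<~LOG
    09-10 10:15:01.123  1234  1234 D LoginActivity: onCreate
    09-10 10:15:03.456  1234  1234 D LoginActivity: login user=alice password=Sup3rSecret!
    09-10 10:15:03.789  1234  1240 I OkHttp: Authorization: Basic YWxpY2U6U3VwM3JTZWNyZXQh
    09-10 10:15:04.000  1234  1234 D LoginActivity: login ok
  LOG

  # Step 1 of the scenario: empty the selected buffer before the test input.
  def self.clear_log(buffer = 'all')
    system('adb', 'logcat', '-b', buffer, '-c')
  end

  # Dump the buffer once (-d) instead of streaming, so the step terminates.
  def self.dump_log(buffer = 'all')
    out, err, status = Open3.capture3('adb', 'logcat', '-b', buffer, '-d')
    raise "adb logcat failed: #{err}" unless status.success?
    out
  end

  # Returns every log line that echoes one of the secrets, either verbatim
  # (case-insensitive) or as its Base64 encoding (exact, since Base64 is
  # case-sensitive). Each secret is regex-escaped so '!' or '.' stay literal.
  def self.leaked_lines(log_text, secrets)
    patterns = secrets.flat_map do |s|
      [Regexp.new(Regexp.escape(s), Regexp::IGNORECASE),
       Regexp.new(Regexp.escape([s].pack('m0')))]
    end
    log_text.each_line.map(&:chomp).select do |line|
      patterns.any? { |re| re.match?(line) }
    end
  end
end

# Step definitions; only registered when loaded by Cucumber/Calabash.
if defined?(Cucumber)
  Given(/^I clean "(.*)" the application log$/) do |buffer|
    LogSecurity.clear_log(buffer)
  end

  # Hypothetical step: remembers what was typed so the Then step knows what
  # to search for. The actual UI interaction (e.g. Calabash's enter_text)
  # would be added here for the real app.
  When(/^I enter the sensitive value "(.*)"$/) do |value|
    (@secrets ||= []) << value
  end

  Then(/^the application log should not contain my sensitive information$/) do
    leaks = LogSecurity.leaked_lines(LogSecurity.dump_log('all'), @secrets || [])
    raise "sensitive data found in logcat:\n#{leaks.join("\n")}" unless leaks.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  puts LogSecurity.leaked_lines(LogSecurity::SAMPLE_LOGCAT, ['Sup3rSecret!'])
end
```

Against the constructed excerpt the password is found twice, once in clear text and once inside the Base64 Basic auth header; a scan for the literal value alone would have passed the second line, which is why the encoded form is checked as well.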
Clone the GitHub repository
https://github.com/ing-bank/bdd-mobile-security-automation-framework
Let’s do some work
Thank you

✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 

DevSecCon Boston2018 - advanced mobile security automation with bdd

  1. BOSTON 10-11 SEPT 2018. ADVANCED MOBILE SECURITY AUTOMATION IN YOUR SDLC WITH BDD TESTS. DAVIDE CIOCCIA
  2. #whoami
     • Davide Cioccia, Security Engineer @ ING, Co-Founder @ IoTsec.eu
     • Mobile Security Lead
     • OWASP MSTG contributor
     • IoT, IIoT breaker
     • @davide107
     • davidecioccia.com
  3. Agenda
     • Background
     • BDD introduction
     • Mobile BDD security tests
     • Workshop
  4. Background
  5. Why does mobile security matter?
  6. The mistake: WRITE_EXTERNAL_STORAGE
  7. Why do developers make mistakes?
     • We need it ASAP
     • An Agile environment requires multiple releases per day/week
     • Security requirements are not followed
     • Threat model not in place
     • Reliance on SAST tools for vulnerability detection
     • Security testing is not embedded in the CI/CD
     • Security comes too late in the SDLC
  8. Security team challenges
     • Provide security at DevOps speed
     • Have developers understand security
     • Detect vulnerabilities at an early stage
     • Have pentesters focus on “serious” stuff
  9. Mobile security challenges
     • Different operating systems
     • Client-side testing
     • Different apps (native, hybrid, web)
     • Different languages (poor SAST tool support)
     • Different security controls
  10. Improve the testing
     • Security must be an accelerator and not a step back
     • Extend the SDLC with security integration tests
  11. BDD Security Tests
  12. Testing in Agile: BDD, ATDD, TDD
  13. What do we solve with BDD
  14. Why BDD in security
     • BDD offers more precise guidance on organizing the conversation between developers, testers and security experts
     • Notations originating in the BDD approach, in particular the given-when-then canvas, are closer to everyday language and have a shallower learning curve
     • Tools targeting a BDD approach generally afford the automatic generation of technical and end-user documentation from BDD “specifications”
  15. BDD steps
  16. Cucumber as engine for BDD: Features (Gherkin) + Step definitions (Java, C#, Python, Ruby, JavaScript, …more)
  17. BDD test example: business facing vs. technology facing
  18. Mobile BDD security
  19. OWASP MSTG to BDD: test scripts (.features + steps)
  20. Process: test scripts (.features + steps.rb) run against the APK on an emulator / device
  21. Full process in CI/CD (Requirements, Design, Code, Build, Test, Release, Deploy, Operate)
     • Security requirements
     • Threat modelling (abuse case generation)
     • Identify what can be automated (MSTG test cases, MASVS checklist, manual PT)
     • Implement BDD standard security tests
     • Implement BDD application-specific security tests
     • Test against acceptance environment
  22. Attack surface
     • Application layer: authentication, access controls, session management, encryption, obfuscation, input & error validation, data protection, more
     • OS and architecture layer: permission model, services, libraries, residual data, interaction with OS, more
     • Network layer: certificate pinning, encryption, MITM, URL whitelisting, web server assessment, network scan, more
  23. What are we going to do
     • Automate MASVS using Calabash, Gherkin and Ruby
     • Identify what we can automate from the MSTG
     • Extend the UI/UX testing framework to create security integration tests
     • Write BDD tests
  24. Why
     • MASVS is becoming the de facto standard for security testing
     • MSTG is its technical sister (thanks Sven Schleier and Bernhard Mueller)
     • All the checks are currently performed manually by pentesters, security engineers, developers, ...
     • ...or by integrating SAST tools in the pipeline. But SAST is not too smart!
     • With BDD, security is pushed left in the SDLC
  25. Benefits
     • Increase the security maturity of the teams
     • Performing security integration tests on every build improves the code
     • Simplify pentesters' life
     • Decrease TTR (Time To Release) and enhance security
     • Translate threats into tests
     • Have ready-to-use documentation
  26. WORKSHOP
  27. Setup
     • Dockerfile
     • Calabash
     • Android SDK
     • Android tools
     • JDK
     • Genymotion for Personal Use (FREE)
     • Emulate any Android device
     • IDE / text editor of your choice
     • Recommended: Sublime with Gherkin syntax plugin
  28. Outcome
     • .features
     • A feature file is the entry point to the Cucumber tests. This is the file where you describe your tests in a descriptive language (like English).
  29. Steps
     • security_steps.rb
     • Implementation of the Gherkin steps
     • Ruby functions taking parameters as input
     • We are going to use the Android tools to perform analysis on the device
  30. .features

       Feature: Logs must not contain sensitive information

         @first_scenario
         Scenario: As a user I insert my sensitive information and I check that they are not reflected in the logfiles
           Given I clean "all" the application log

  31. security_steps.rb

       Given /^I clean "(.*)" the application log$/ do |log|
         %x(adb logcat -b #{log} -c)
       end
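An added Ruby step-definition file, not part of the slides or the ing-bank framework, that carries the slide 30/31 feature through to its check: clear logcat before the scenario, dump it afterwards, and fail the scenario if the secret appears, raw or encoded. The Logcat wrapper, the secret_variants helper, the "must not contain" step and the logcat lines are assumptions constructed for the example.

```ruby
require 'open3'
require 'uri'
# Device side (assumed wrapper, not the framework's): adb gets argv-style
# arguments, so the buffer name from the feature file never reaches a shell.
module Logcat
  def self.clear(buffer)
    system('adb', 'logcat', '-b', buffer, '-c')
  end

  def self.dump(buffer)
    out, _status = Open3.capture2('adb', 'logcat', '-b', buffer, '-d')
    out
  end
end

# Encodings under which a secret commonly shows up in logs: raw, Base64 (e.g.
# an Authorization: Basic header) and URL-encoded (form bodies). Base64 only
# matches when the secret starts on a 3-byte boundary of the encoded value.
def secret_variants(secret)
  [secret, [secret].pack('m0'), URI.encode_www_form_component(secret)].uniq
end

# Returns the logcat lines exposing any secret, case-insensitively, so the
# step can fail with the offending lines in its message.
def leaking_lines(log_text, secrets)
  needles = secrets.flat_map { |s| secret_variants(s) }.map(&:downcase)
  log_text.each_line.map(&:strip).select do |line|
    lower = line.downcase
    needles.any? { |n| lower.include?(n) }
  end
end

# Constructed logcat sample (not captured from a real device): lines 2 and 3
# leak the password "hunter2", raw and inside Base64("alice:hunter2").
SAMPLE_LOGCAT = <<~LOG
  D/LoginActivity( 1234): submitting username=alice
  D/LoginActivity( 1234): password=hunter2 sent to /api/login
  D/OkHttp( 1234): Authorization: Basic YWxpY2U6aHVudGVyMg==
  I/OkHttp( 1234): --> POST https://example.test/api/login
LOG

# Step definitions are registered only when Cucumber/Calabash loads this file.
if respond_to?(:Given, true)
  Given(/^I clean "(.*)" the application log$/) { |buffer| Logcat.clear(buffer) }
  Then(/^the "(.*)" log must not contain "(.*)"$/) do |buffer, secret|
    leaks = leaking_lines(Logcat.dump(buffer), [secret])
    raise "sensitive data in logcat:\n#{leaks.join("\n")}" unless leaks.empty?
  end
end
```

Run offline, `leaking_lines(SAMPLE_LOGCAT, ['hunter2'])` returns the two leaking lines; under Cucumber the same function backs the Then step against a real logcat dump.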
  32. Clone the GitHub repository: https://github.com/ing-bank/bdd-mobile-security-automation-framework
  33. Let’s do some work
  34. Thank you

Editor's Notes

  1. Today we are going to touch on three topics: Security, Mobile and Automation
  2. Because this workshop is heavily focused on how to implement BDD tests, the questions come along: how many of you use BDD tests in your company? How many of you have used BDD at least once? How many of you know what BDD is? Great, so let’s introduce BDD
  3. We are in the era of Agile, right? This is the time when teams release once, twice, three, four, five, six times per second, right? But they also need to test at least once, twice, three times, etc. How do DevOps test? As you know, we have three main different types of testing
  4. Avoid or limit the gap between development and security