Robots with Pentest Recipes:
Democratizing Security Testing for DevOps Wins
Abhay Bhargav - CTO, we45
Yours Truly
• Co-author of Secure Java For Web Application Development
• Author of PCI Compliance: A Definitive Guide
• Speaker at Conferences worldwide
• Chief Architect of Orchestron
• AppSec Automation Junkie
• Lead Trainer - DevSecOps Training
A Few Demos
Demo Gods! Please let this work
Today's Session
• A Different Side of DevSecOps => Some Key Challenges
• Introducing the Robot Framework
• AppSec Testing Recipes with Robots
• Case Studies
Security in DevOps
• Pipeline stages: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor
• Security activities mapped onto those stages: Threat modeling, SAST, Security - Composition, DAST, IAST, Security in IaC, Security monitoring & attack detection
The Need of the Hour….
• To Find and Fix Security Bugs early and often
• Security to integrate with your Agile Development
• Security to seamlessly work with your Continuous Delivery Pipeline
We need to continuously test for security?
Let’s get real for a minute
We’re still running into some serious issues
Application Security is overwhelmed
• CI/CD Pipeline
• Security Reviews
• Bug Bounties
• Threat Modeling
• Security Assessments
• to name a few….
Automating AppSec - Challenging
• Multiple SAST and DAST Tools
• Their OWN API - Complexities
• Running them in a purely automated workflow gets complex
• Custom Security Flaws - Hard to weave into a fabric
In Short….
What do we need?
Engineering - Run Security Locally
• Engineering - Run Localized Security
• Engagement with Security Teams - For High Value Added Requirements
• Make Security a “First Class Citizen”
More Effective Pentest Efforts
• Have your Pentest Teams work on finding more complex vulnerabilities
• Get them to script out complex pentest findings into Security Regression Scripts
• Get them involved in AppSec Automation
Get QA/QE Involved
• Quality Engineering - Usually develops a great deal of Test Automation
• Would be great to leverage their Test Automation For Security Testing
• Would be EVEN better to give them a single fabric for both Test Automation and Security Testing
Abhay Bhargav - Robots with Pentest Recipes - OWASP AppSec Cali 2018
Single Fabric => Test Automation + Security Testing
• Create Test Suites that combine capabilities of Software Test Automation and Security Testing tools
• Run a combination of tools - to provide coverage across different abstractions
• Use Pentest Results as Security Regressions
• Basically, create repeatable and reproducible recipes that work for your product
Enter, Robot Framework…
What is Robot Framework
• Generic Test Automation Framework - Acceptance Testing and Acceptance Test Driven Development
• Extend Libraries in Python and Java
• Modular Architecture
Single Slide Introduction to ATDD
How it works…
• When the test starts, Framework parses Test Data
• Utilizes Keywords from Test Libraries to interact with system being tested
• Libraries can communicate with the system either directly or using other test tools as drivers
• Reports generated as HTML and XML
Why do we like it?
• Flexible Natural Language Syntax - FTW!
• Easy to develop API for Tools
• Modular
• Comes with Reporting out of the Box
• Python and Java Support 😁
Natural Language Syntax
*** Test Cases ***
Login to Healthcare App
    [Tags]    login
    input text    email_id    bruce.banner@we45.com
    input password    password    cwasp
    click button    id=submit
    set browser implicit wait    10
    location should be    ${BASE_URL}dashboard/
Popular Third Party Libraries - Robot Framework
• Android and iOS Automation - Calabash
• Selenium
• Appium
• Python Requests
• Diff Library
• SSH
Robot Framework - QuickStart
• Test Suite - A Set of Test Cases
• Variables - Used to dynamically/statically assign values as input params to test cases
• Settings - Set of Library Imports
• Keywords - Natural Language Declared statements that execute some test action (can be user-defined as well)
Security Tool Libraries - Robot Framework
Robot Framework - OWASP ZAP Integration => RoboZAP
Robot Framework - Nmap Integration => RoboNmap
Robot Framework - BurpSuite Integration => Robo2Burp
Robot Framework - Sublist3r Integration
Robot Framework OWASP Dependency Check
Robot Framework - Arachni Integration
Adapting it for security
• Empowering Engineering Teams to Run their own Security Testing
• Engaging Functional Test Automation Teams to contribute to security
• Combining Functional Testing as an Input to DAST Tools
• Lowering the Entry Barrier for Security Testing
• Canned Recipes for Pentesters
The idea here is to reduce this…
Understand Security Testing Steps and Processes
Understanding and Using Security Testing Tools
Automating them with their API in the Pipeline + Parameterization
Pulling Results from each Scan
To This…
start zap active scan    ${TARGET}
write results to DB    ${DB_PATH}
Reducing Friction in the way we use and interact with Security Testing Tools
Demo
Demo Gods! Please let this work
Use-Cases and Patterns
• Automate Pentest Activities - Creating an Automated Pentest Pipeline
• Parameterized Application Security Testing in the Pipeline
• Run Security Regressions in the Pipeline
Automated Pentesting Pipeline
• Automate specific Pentest Scripts in a sequential process
• Saves time - Pentesters
• Democratizes Security Testing - Including Engineering and QA
Example
nmap script scan    ${TARGET}
nmap print results
…(run selenium automation script)
start zap active scan    ${TARGET}
write results to DB    ${DB_PATH}
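As an added example (not the talk's code and not we45's RoboZAP or other libraries), here is a Python keyword library that recipes like the one above could call for the "write results to DB" step and for turning pentest results into a security regression gate; it assumes ZAP-style JSON alerts, an invented SQLite table layout and invented keyword names, and its docstring shows the .robot suite that would drive it.

```python
"""Added example: a hypothetical Robot Framework keyword library for the
'write results to DB' and security-regression steps of the pipeline above
(not the talk's code, not we45's RoboZAP; keyword, table and sample names are
invented). Assumes alerts arrive as JSON shaped like ZAP's alerts view:
{"alerts": [{"alert": ..., "risk": "High", "url": ..., "param": ...}]}."""
import json
import sqlite3

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample data (not real scan output): first run against the demo target.
BASELINE_ALERTS = json.dumps({"alerts": [
    {"alert": "SQL Injection", "risk": "High",
     "url": "http://app.test/login", "param": "email_id"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://app.test/", "param": ""},
]})
# Constructed second run: the SQLi was fixed, a reflected XSS appeared on /search.
SECOND_RUN_ALERTS = json.dumps({"alerts": [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://app.test/", "param": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://app.test/search", "param": "q"},
]})


class SecurityRegression:
    """Public method names become keywords (load_zap_alerts -> Load Zap Alerts).
    Suite usage, with the DB path passed as a Library constructor argument:
        *** Settings ***
        Library    SecurityRegression.py    ${DB_PATH}
        *** Test Cases ***
        Gate Release On ZAP Results
            Load Zap Alerts                 ${ALERTS_JSON}
            Write Results To DB             ${TARGET}
            Scan Should Not Exceed Risk     Medium
            New Findings Should Be Empty    ${TARGET}
    """
    ROBOT_LIBRARY_SCOPE = "SUITE"

    def __init__(self, db_path=":memory:"):
        self.alerts = []
        self.conn = sqlite3.connect(db_path)
        self.conn.execute("CREATE TABLE IF NOT EXISTS alerts (run_id INTEGER, "
                          "target TEXT, alert TEXT, risk TEXT, url TEXT, param TEXT)")

    def load_zap_alerts(self, alerts_json):
        """Parse a ZAP-style alerts document; returns the number of alerts loaded."""
        self.alerts = json.loads(alerts_json).get("alerts", [])
        return len(self.alerts)

    def alerts_above_risk(self, max_risk="Medium"):
        """Alerts strictly above max_risk; an unknown risk string counts as High."""
        limit = RISK_ORDER[max_risk]
        return [a for a in self.alerts if RISK_ORDER.get(a.get("risk"), 3) > limit]

    def scan_should_not_exceed_risk(self, max_risk="Medium"):
        """Fails the test (AssertionError) when any alert is above the allowed risk."""
        bad = self.alerts_above_risk(max_risk)
        if bad:
            names = ", ".join(f"{a['alert']} at {a['url']}" for a in bad)
            raise AssertionError(f"{len(bad)} alert(s) above {max_risk}: {names}")
        return True

    def write_results_to_db(self, target):
        """Store the loaded alerts as the next run for target; returns the run id."""
        run_id = self.conn.execute(
            "SELECT COALESCE(MAX(run_id), 0) + 1 FROM alerts WHERE target = ?",
            (target,)).fetchone()[0]
        self.conn.executemany(
            "INSERT INTO alerts VALUES (?, ?, ?, ?, ?, ?)",
            [(run_id, target, a["alert"], a.get("risk"), a["url"], a.get("param", ""))
             for a in self.alerts])
        self.conn.commit()
        return run_id

    def _findings(self, target, run_id):
        q = "SELECT alert, url, param FROM alerts WHERE target = ? AND run_id = ?"
        return set(self.conn.execute(q, (target, run_id)).fetchall())

    def new_findings_since_previous_run(self, target):
        """(alert, url, param) tuples in the latest run that the run before lacked."""
        latest = self.conn.execute(
            "SELECT MAX(run_id) FROM alerts WHERE target = ?", (target,)).fetchone()[0]
        if latest is None or latest < 2:
            return []
        return sorted(self._findings(target, latest) - self._findings(target, latest - 1))

    def new_findings_should_be_empty(self, target):
        """Regression gate: fail when the latest run introduced findings."""
        new = self.new_findings_since_previous_run(target)
        if new:
            raise AssertionError(f"{len(new)} new finding(s) since previous run: {new}")
        return True
```

Because each pipeline run is stored under its own run id, the same file can hold the baseline from the pentest and every later CI run, so a fixed finding that reappears shows up as a new finding and fails the gate.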
Demo
Demo Gods! Please let this work
Parameterized Application Security Testing Pipeline
Demo
Demo Gods! Please let this work
Parameterized Application Security Testing Pipeline
Some FAQs
Why NOT BDD?
Are All tools easy to integrate?
Parallel Execution?
Docker?
The Future
• My team and I will be working on more integrations
• And open sourcing most of them
• Happy to have more people contribute
Reach Us
• Twitter: @abhaybhargav
• LinkedIn: www.linkedin.com/in/abhaybhargav
• Twitter: @we45
• Website: www.we45.com
