Stephen de Vries, profile picture
Uploaded byStephen de Vries
PPTX, PDF10,922 views

Automating security tests for Continuous Integration

The document discusses automating security tests within continuous integration frameworks, emphasizing the need for collaboration between security, development, and operations teams. It highlights the importance of fast feedback cycles, ownership of security tests by cross-functional teams, and the use of automated testing tools integrated with existing CI/CD practices. Additionally, it details various tools and frameworks available for security testing, such as BDD-security and OWASP ZAP, to enhance security throughout the software development lifecycle.

Embed presentation

Downloaded 246 times
Automating Security Tests for Continuous Integration Stephen de Vries @stephendv www.continuumsecurity.net
About Continuum Security • Founded 2012 • Services: Security Testing, BDD-Security jump start • Products: Securing the SDLC – Open Source • BDD-Security Testing Framework • OWASP ZAP integration with JUnit • Nessus Java client API – Commercial • IriusRisk Risk Management for Application Security: www.iriusrisk.com
Security Testing • Performed after build • Uses external testers • Process is opaque to dev/opts Unit/Integration/Functiona l Testing • Performed during build • Owned by dev/test • Tests visible to the team
Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Agile • Short iterative cycles • Extensive automated testing • Low/zero cost to test • Tests can replace documentation Security Testing Waterfall
Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Delivery with DevOps • Automated delivery into pre-prod • Automated acceptance tests
Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Deployment with DevOps Security Testing • Etsy: 50+ deploys per day • Amazon: 300+ per hour • Gov.uk: 10+ deploys per day
• Everyone is responsible for • Move testing closer to the code • Continuous automated testing • Tests are visible to the team quality quality security security ^
Design Build Integration TestsUnit Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Deployment with SecDevOps: Blocking tests
Design Build Integration Tests Unit Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Deployment with Semi-SecDevOps: Parallel tests
Who owns the security tests? A) Security team • Benefits of automation • Fast feedback • Poor collaboration • Lack of ownership by DevOps
Who owns the security tests? B) DevOps team with oversight by Security • Better collaboration • More sense of ownership of security • Good stepping stone to…
Who owns the security tests? C) Sec + Dev + Ops in a cross-functional team • Security testing is our problem • We have the tools and skills to manage it
Automated Security Tests should: • return either a pass or fail result • execute quickly (similar to acceptance tests) • test infrastructure and application tiers • test functional security features, e.g. Login, Password Reset • capture manual testing processes and automate them, i.e. security regression tests • be checked into version control along with the code • be understandable by the whole team
BDD-Security Testing Framework https://github.com/continuumsecurity/bdd-security BDD-Security = JBehave + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications Selenium +
Infrastructure Security Testing
Application Security Testing
HTTP/S Proxy Manual Application Security Testing with OWASP ZAP
HTTP/S Proxy Manual Application Security Testing with OWASP ZAP ^ BDD-Security
Functional Security Tests
Integrating with Jenkins • Configuration • Test run
Summary • Security testing is just another form of software testing • Automate as much as possible for faster feedback • Security Tests can be treated as security requirements • Self Verifying Requirements! • Tests written in a BDD language foster collaboration between sec, dev and ops • Automated Security tests should include more than just scanning
Other related tools • Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn • ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver • Guantlet (Ruby) http://gauntlt.org/ • OWASP ZAP Jenkins plugin https://wiki.jenkins- ci.org/display/JENKINS/Zapper+Plugin
Thank you www.continuumsecurity.net @stephendv

More Related Content

PPTX
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
PDF
T23 HTML5 Security Testing at Spotify
byTechWell
 
PDF
Vulnerabilities are bugs, Let's Test For Them!
byVAddy
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
PDF
Continuous Security Testing - DevSecCon
byStephen de Vries
 
PDF
Just Enough Threat Modeling
byStephen de Vries
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
PPTX
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
T23 HTML5 Security Testing at Spotify
byTechWell
 
Vulnerabilities are bugs, Let's Test For Them!
byVAddy
 
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
Continuous Security Testing - DevSecCon
byStephen de Vries
 
Just Enough Threat Modeling
byStephen de Vries
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 

What's hot

PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PPTX
Integrating security into Continuous Delivery
byTom Stiehm
 
PDF
SecDevOps - The Operationalisation of Security
byDinis Cruz
 
PDF
Automated Security Testing
byseleniumconf
 
PDF
SecDevOps
byPeter Lamar
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
PDF
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
PDF
Proactive Security AppSec Case Study
byAndy Hoernecke
 
PPTX
Hacker Proof web app using Functional tests
byAnkita Gupta
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
PDF
Dev seccon london 2016 intelliment security
byDevSecCon
 
PPTX
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
PPTX
Integrating Security into DevOps
byCloudPassage
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
we45 - SecDevOps Concept Presentation
byAbhay Bhargav
 
PPT
Code Quality - Security
bysedukull
 
PDF
DevSecCon London 2017: Hands-on secure software development from design to de...
byDevSecCon
 
SecDevOps: The New Black of IT
byCloudPassage
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
DevOps & Security: Here & Now
byCheckmarx
 
Integrating security into Continuous Delivery
byTom Stiehm
 
SecDevOps - The Operationalisation of Security
byDinis Cruz
 
Automated Security Testing
byseleniumconf
 
SecDevOps
byPeter Lamar
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
Devops security-An Insight into Secure-SDLC
bySuman Sourav
 
Proactive Security AppSec Case Study
byAndy Hoernecke
 
Hacker Proof web app using Functional tests
byAnkita Gupta
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
Dev seccon london 2016 intelliment security
byDevSecCon
 
we45 SecDevOps Presentation - ISACA Chennai
byAbhay Bhargav
 
Integrating Security into DevOps
byCloudPassage
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
we45 - SecDevOps Concept Presentation
byAbhay Bhargav
 
Code Quality - Security
bysedukull
 
DevSecCon London 2017: Hands-on secure software development from design to de...
byDevSecCon
 

Similar to Automating security tests for Continuous Integration

PPTX
Continuous Security Testing in a Devops World
byStephen de Vries
 
PDF
Continuous Security Testing
byRay Lai
 
PPTX
Zero to tested
byMagenTys
 
PDF
Better Security Testing: Using the Cloud and Continuous Delivery
byTechWell
 
PDF
Better Security Testing: Using the Cloud and Continuous Delivery
byCoveros, Inc.
 
PDF
Better Security Testing: Using the Cloud and Continuous Delivery
byGene Gotimer
 
PDF
Including security in devops
byJérémy Matos
 
PDF
Presentation security automation (Selenium Camp)
byArtyom Rozumenko
 
PPTX
DevSecCon Boston2018 - advanced mobile security automation with bdd
byDavide Cioccia
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PPTX
Security testautomation
byLinkesh Kanna Velu
 
PDF
Pragmatic Pipeline Security
byJames Wickett
 
PDF
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
byChristian Schneider
 
PPT
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
byMohammed A. Imran
 
PDF
DAST in CI/CD pipelines using Selenium & OWASP ZAP
bysrini0x00
 
PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
PDF
we45 DEFCON Workshop - Building AppSec Automation with Python
byAbhay Bhargav
 
PDF
Automating OWASP Tests in your CI/CD
byrkadayam
 
PDF
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
PDF
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
byChristian Schneider
 
Continuous Security Testing in a Devops World
byStephen de Vries
 
Continuous Security Testing
byRay Lai
 
Zero to tested
byMagenTys
 
Better Security Testing: Using the Cloud and Continuous Delivery
byTechWell
 
Better Security Testing: Using the Cloud and Continuous Delivery
byCoveros, Inc.
 
Better Security Testing: Using the Cloud and Continuous Delivery
byGene Gotimer
 
Including security in devops
byJérémy Matos
 
Presentation security automation (Selenium Camp)
byArtyom Rozumenko
 
DevSecCon Boston2018 - advanced mobile security automation with bdd
byDavide Cioccia
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Security testautomation
byLinkesh Kanna Velu
 
Pragmatic Pipeline Security
byJames Wickett
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
byChristian Schneider
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
byMohammed A. Imran
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
bysrini0x00
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
we45 DEFCON Workshop - Building AppSec Automation with Python
byAbhay Bhargav
 
Automating OWASP Tests in your CI/CD
byrkadayam
 
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
byChristian Schneider
 

Recently uploaded

PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PDF
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
PPTX
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
HuemanAI Platform Overview.pptx (1) (2).pdf
byAnkur Handoo
 
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 

Automating security tests for Continuous Integration

Editor's Notes

  • #2 Story: There is a gap between sec testing and every other type of software testing Sec is still stuck in waterfall model History of testing and sec testing Benefits of agile, fast feedback, low cost tests = run them more often TDD and BDD: Tests as communication mechanism DevOps is Agile for the rest of the organisation Don’t need to look far to find answers to integrating security into dev: quality Sec testing is subset Security testing > automated scanning Security testing > Penetration Testing BDD-Sec intro: objectives. Default set of security tests + allows building more specific tests
  • #4 There is a considerable gap between how we use security testing and how we use almost every other type of software test.
  • #5 The first great leap forward for software testing was Agile But even though we had this benefit of fast feedback, it was constrained to the dev environment.
  • #6 …there’s a manual step before deploying into production.
  • #7 All security testing, automated scans and manual penetration testing.
  • #8 And looking at how testing has evolved over time two things stand out: we’re doing more automation, and we’re doing that automated testing closer to the code. Our unit and integration tests are a key part to making continuous delivery possible. And I claim that that we can and should take the same approach with security testing: automated as much as possible, so that we can run them continuously and get feedback as quick as possible. Not to replace manual security testing, but to complement it.
  • #9 The primary control is the automated security tests, the secondary control is the manual tests.
  • #10 Automated tests can run in parallel, but at same pace as integration tests.
  • #14 The first activity that springs to mind when talking about automated security testing is probably scanning.
  • #15 BDD Behaviour Driven Development
  • #18 False positives
  • #19 From
  • #24 From
  • #25 From