Information Security

Web Application Security
Security Test Automation in Software Development using Open Source Tools
Devoxx 2013, David Tillemans (Smals)
About Smals vzw-asbl
One of Belgium's largest ICT organisations: 1750 people

"ICT for Society"
• Work: e.g. Dimona-DmfA: salary and labour-performance declarations
• Health: e.g. the eHealth platform: secure exchange of medical data in Belgium
• Family life: e.g. VESTA: home care for the elderly (financial and operational support)

In-house ICT service, working exclusively for the government
High priority for ICT security and privacy
Introduction
• Security Test Automation in Software Development using Open Source Tools
• Can we do it?
• What do we need?
  • Source code
  • Working parts of the application
  • Selenium tests for the functional part

Application Security Disclaimer
Hacking is illegal and can be punished under the legal framework of the computer crime laws (the Belgian law of 28 November 2000 on computer crime). So the methods we show here are illegal if used without the consent of the victim.

Hacking is illegal under Belgian law

Article 550bis § 1
A person who, knowing that he is not entitled to do so, gains access to a computer system or maintains such access, shall be punished with imprisonment of three months to one year and a fine of twenty-six [euro] to twenty-five thousand [euro], or with one of these penalties. If the offence referred to in the first paragraph is committed with fraudulent intent, the imprisonment is six months to two years.

Security myths
Firewalls …

• Firewalls are always configured to allow web
traffic -> HTTP(S)
• Attacker appears to the web application as a
normal user

Security myths

SSL secures the application…

• Server-side SSL only guarantees
confidentiality on transport level
• Attacker also uses the SSL tunnel

Security myths

The Application framework solves that…

• Frameworks Don't Solve Security
Issues
• Some frameworks facilitate, but not
by default
• Some frameworks do, by default
  • but workarounds exist that reintroduce the security problems
OWASP Top Ten (2013 Edition)

SQL Injection

Normal login: user "John", password "secret"
SELECT user FROM users WHERE user='John' AND password='secret';
Result: John

Attacker's login: user "xxxx", password "' or 1=1;--"
SELECT user FROM users WHERE user='xxxx' AND password='' or 1=1;--';
Result: all users (John, Aaron); the application logs the attacker in: "Welcome, Aaron"
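The login query from the slide, written out in Java as an added example (this is not code from the talk or from Smals): buildQueryByConcatenation shows how the attacker's password value turns into SQL, and loginSafe shows the fix, a PreparedStatement whose text is constant so the driver sends the values as data. The Connection is assumed to come from the caller's JDBC DataSource; the users table and its columns are the slide's.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Added example: the slide's login query built the vulnerable way and the safe way. */
public class LoginQueryDemo {

    /** Vulnerable: user input is pasted into the SQL text, exactly as on the slide. */
    static String buildQueryByConcatenation(String user, String password) {
        return "SELECT user FROM users WHERE user='" + user
                + "' AND password='" + password + "'";
    }

    /**
     * Vulnerable: executes the concatenated text. FindBugs reports this as
     * SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE.
     */
    static List<String> loginVulnerable(Connection c, String user, String password) throws SQLException {
        List<String> matches = new ArrayList<>();
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(buildQueryByConcatenation(user, password))) {
            while (rs.next()) {
                matches.add(rs.getString(1));
            }
        }
        return matches;
    }

    /** Safe: the statement text is a constant; the values travel as parameters, never as SQL. */
    static List<String> loginSafe(Connection c, String user, String password) throws SQLException {
        String sql = "SELECT user FROM users WHERE user = ? AND password = ?";
        List<String> matches = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, password);   // the quote in "' or 1=1;--" is just a character of the value
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    matches.add(rs.getString(1));
                }
            }
        }
        return matches;
    }

    public static void main(String[] args) {
        // Prints the two statements from the slide: the second one matches every row.
        System.out.println(buildQueryByConcatenation("John", "secret"));
        System.out.println(buildQueryByConcatenation("xxxx", "' or 1=1;--"));
    }
}
```

With the parameterised version, "' or 1=1;--" is compared literally against the password column and matches nothing. The same rule applies to the second FindBugs pattern on the later slide: a prepared statement built from a nonconstant string (SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING) gives no protection, because the attacker's text is already part of the statement before the parameters are bound.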

Stored XSS
A stored message such as "Coming home at 5 o'clock" carries a hidden <script>steal password</script>. Every visitor who views the message runs the script in their own browser, and their passwords go to the attacker.
Reflected XSS

The attacker sends the victim a link:
http://site.com/index?<script>steal password</script>

The victim's browser requests that URL, and the site reflects the parameter into its error page without encoding:
Error: reason (<script>steal password</script>) unknown

The script runs in the victim's browser and the passwords are sent to the attacker.
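The reflected error page from the slide as a servlet, added here as an example (not code from the talk): vulnerableErrorPage writes the request parameter straight into the HTML, which is the situation FindBugs reports as XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER; safeErrorPage HTML-encodes it first. The same output-time encoding is the fix for the stored XSS case on the previous slide, since the browser cannot tell whether the string came from the URL or from the database. The servlet class and parameter name "reason" are assumptions; the htmlEncode helper is a minimal local one, and in a real project the OWASP Java Encoder library is the better choice.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: the slide's error page, reflecting a parameter with and without encoding. */
public class ErrorPageServlet extends HttpServlet {

    /** Vulnerable: the parameter becomes markup, so a script tag in it is executed by the browser. */
    static String vulnerableErrorPage(String reason) {
        return "<html><body>Error: reason (" + reason + ") unknown</body></html>";
    }

    /** Fixed: the parameter is encoded for an HTML body context and renders as visible text. */
    static String safeErrorPage(String reason) {
        return "<html><body>Error: reason (" + htmlEncode(reason) + ") unknown</body></html>";
    }

    /** Minimal HTML-body encoder (assumed helper): escapes the characters that can open markup. */
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Declaring the charset stops the browser from guessing an encoding in which other bytes become '<'.
        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.print(safeErrorPage(req.getParameter("reason")));
        }
    }

    public static void main(String[] args) {
        String payload = "<script>steal password</script>";
        System.out.println(vulnerableErrorPage(payload));   // script tag reaches the browser as markup
        System.out.println(safeErrorPage(payload));         // &lt;script&gt;... is shown as text
    }
}
```

The encoding has to match the place in the page where the value lands: the helper above is only correct inside an HTML element body. A value written into an attribute, a JavaScript block or a URL needs the encoder for that context, which is the main reason to use a library rather than a hand-written switch.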
Sensitive Data Exposure
Clear text transmission

• Confidential information is just sent back to the user
• Improper web application implementation
  • Secure and non-secure sections
  • Improper analysis of the information
• Improper configuration
  • Unsecured SESSION cookies
Sensitive Data Exposure
Error messages

• Error messages for developers carry a lot of information to find the problem causing the error
  • Stack traces in Java
  • SQL error messages from the database
  • PHP error messages
  • …
• Those error messages give a lot of information to the hacker when displayed to him/her
  • Information on the data flow in the web application
  • Database layout
  • Operating system information
  • Network information
  • Application frameworks used
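One way to keep the developer's error details out of the response, added here as an example (not from the talk): a servlet filter that catches whatever the application throws, logs the full stack trace on the server under a generated incident id, and sends the user only that id. The filter class, the log format and the reference text are assumptions; the filter is mapped in web.xml or with @WebFilter like any other.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Added example: stack traces stay in the server log; the client sees a reference id only. */
public class SafeErrorFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SafeErrorFilter.class.getName());

    /** The whole message the user gets: no class names, SQL text, paths or framework versions. */
    static String userMessageFor(String incidentId) {
        return "An internal error occurred. Reference: " + incidentId;
    }

    @Override
    public void init(FilterConfig cfg) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, resp);
        } catch (RuntimeException | ServletException | IOException e) {
            String incidentId = UUID.randomUUID().toString();
            // Full detail is logged server-side, keyed by the id the user can quote to support.
            LOG.log(Level.SEVERE, "incident " + incidentId, e);
            HttpServletResponse http = (HttpServletResponse) resp;
            if (!http.isCommitted()) {
                // Discard anything the failing handler already buffered (partial pages, headers).
                http.reset();
                http.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                http.setContentType("text/plain;charset=UTF-8");
                http.getWriter().print(userMessageFor(incidentId));
            }
        }
    }
}
```

The container's own default error page is the other half of this: an <error-page> entry in web.xml for status 500 and for java.lang.Throwable covers the exceptions that never pass through the filter, for example those thrown before it is reached.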
Cross Site Request Forgery

The victim is logged in to her bank. The attacker gets her browser to request
http://bank.com/transaction?amount=10000&acc=001.1234567.27
The bank sees a request from an authenticated session and answers: "Transaction successful".
Secure SDLC

Iterative approach; the slide maps security activities onto the development artefacts:
• Requirements and use cases: security requirements, risk analysis
• Design: design review, risk analysis
• Test plans: risk-based security tests
• Code: code review, static analysis (tools)
• Test results: penetration testing
• Field feedback
FindBugs
• Static source code analyzer
  • Works on Java byte code
  • The source must compile!

• Searches for bug patterns
  • Finds bugs
  • Also produces false warnings

• Eclipse plugin
  • By default almost all detectors are enabled
FindBugs
• For security patterns:
  • DMI_CONSTANT_DB_PASSWORD: hardcoded constant database password
  • DMI_EMPTY_DB_PASSWORD: empty database password
  • EI_EXPOSE_REP: may expose internal representation by returning a reference to a mutable object
  • EI_EXPOSE_REP2: may expose internal representation by incorporating a reference to a mutable object
  • EI_EXPOSE_STATIC_REP2: may expose internal static state by storing a mutable object into a static field
  • MS_EXPOSE_REP: public static method may expose internal representation by returning an array
FindBugs
  • SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE: nonconstant string passed to the execute method of an SQL statement
  • SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING: a prepared statement is generated from a nonconstant string
  • XSS_REQUEST_PARAMETER_TO_SEND_ERROR: JSP reflected cross-site scripting vulnerability
  • XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: servlet reflected cross-site scripting vulnerability in error page
  • RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE: null check of a value previously dereferenced
  • NP_NULL_ON_SOME_PATH: possible null pointer dereference
  • NP_NULL_ON_SOME_PATH_EXCEPTION: possible null pointer dereference in method on exception path
Demo FindBugs
• Eclipse
PMD
• Static source code analyzer
• Runs against the Java source code
• Also searches for bug patterns
• There are no real security patterns included
  • Gotham Digital Science has a security rule set
PMD
• For security patterns:
  • ArrayIsStoredDirectly
  • AvoidCatchingThrowable
  • AvoidPrintStackTrace
  • AvoidThrowingNullPointerException
  • DoNotCallSystemExit
  • ExceptionAsFlowControl
  • MethodReturnsInternalArray
  • MisplacedNullCheck
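What the "expose internal representation" findings on the FindBugs slide (EI_EXPOSE_REP, EI_EXPOSE_REP2) and the PMD rules ArrayIsStoredDirectly and MethodReturnsInternalArray actually catch, shown as an added example that is not code from the talk. LeakyAccount stores the caller's array and Date and hands them back by reference, so any caller can change the object's state behind its back; GuardedAccount copies on the way in and out, and keeps the date as a long so there is no mutable object to leak. The class and field names are assumptions chosen for the demonstration.

```java
import java.util.Date;

/** Added example: the code shape the tools flag, next to the defensive-copy fix. */
public class ExposureDemo {

    /** Flagged version: stores and returns the caller's mutable objects directly. */
    static final class LeakyAccount {
        private byte[] keyMaterial;
        private Date created;

        LeakyAccount(byte[] keyMaterial, Date created) {
            this.keyMaterial = keyMaterial;   // EI_EXPOSE_REP2 / PMD ArrayIsStoredDirectly
            this.created = created;           // EI_EXPOSE_REP2
        }

        byte[] getKeyMaterial() {
            return keyMaterial;               // EI_EXPOSE_REP / PMD MethodReturnsInternalArray
        }

        Date getCreated() {
            return created;                   // EI_EXPOSE_REP
        }
    }

    /** Fixed version: copies in and out, and prefers an immutable representation. */
    static final class GuardedAccount {
        private final byte[] keyMaterial;
        private final long createdMillis;

        GuardedAccount(byte[] keyMaterial, Date created) {
            this.keyMaterial = keyMaterial.clone();   // our copy; the caller keeps theirs
            this.createdMillis = created.getTime();   // a long cannot be mutated through a getter
        }

        byte[] getKeyMaterial() {
            return keyMaterial.clone();               // caller may scribble on the copy only
        }

        Date getCreated() {
            return new Date(createdMillis);           // fresh object per call
        }
    }

    /** Mutates what the getters returned and reports whether the object itself changed (true). */
    static boolean leakyIsMutatedFromOutside() {
        LeakyAccount a = new LeakyAccount(new byte[] {1, 2, 3}, new Date(0));
        a.getKeyMaterial()[0] = 99;            // writes through to the stored array
        a.getCreated().setTime(123456789L);    // writes through to the stored Date
        return a.getKeyMaterial()[0] == 99 && a.getCreated().getTime() == 123456789L;
    }

    /** Same attempts against the guarded class; the object stays unchanged (false). */
    static boolean guardedIsMutatedFromOutside() {
        byte[] key = {1, 2, 3};
        GuardedAccount a = new GuardedAccount(key, new Date(0));
        a.getKeyMaterial()[0] = 99;            // only the returned copy changes
        key[1] = 77;                           // the caller's array is no longer shared either
        a.getCreated().setTime(123456789L);    // only the returned Date changes
        return a.getKeyMaterial()[0] == 99
                || a.getKeyMaterial()[1] == 77
                || a.getCreated().getTime() != 0;
    }

    public static void main(String[] args) {
        System.out.println("leaky mutated from outside:   " + leakyIsMutatedFromOutside());
        System.out.println("guarded mutated from outside: " + guardedIsMutatedFromOutside());
    }
}
```

The security relevance is the same for both tools: a class that hands out its internal array or Date cannot enforce any invariant on it, so validation done in the constructor is worth nothing once a caller (or a plugin, or injected code) holds the reference. The copies cost an allocation per call, which is why the tools report these as warnings to review rather than as hard errors.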
Demo PMD
• Eclipse
Zed Attack Proxy
• Intercepting proxy
• Traditional and AJAX spiders
• Automated scanner
• Forced browsing
• Fuzzer
• Dynamic SSL certificates
• Smartcard and client digital certificate support
Zed Attack Proxy
• WebSockets support
• Support for a wide range of scripting languages
• Plug-n-Hack support
• Authentication and session support
• Powerful REST-based API
• Automatic updating option
• Integrated and growing marketplace of add-ons
Demo Zaproxy
• Eclipse
Demo: Automatic Build Process
• Maven
• FindBugs
• PMD
• Zaproxy
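The build step that makes a ZAP run count for something, added here as an example (not the talk's demo code): after the scan, read the XML report ZAP produced and fail the build when any alert reaches the High risk level. The report layout used here (an alertitem element with riskcode and alert children, riskcode 0 to 3 for informational to high) is an assumption about ZAP's XML report format, the sample report is constructed inline so the class runs without ZAP, and the class and threshold names are the example's own. The build is failed by throwing, not by System.exit, which the PMD rule DoNotCallSystemExit on the earlier slide would flag.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: a build gate over a ZAP XML report. */
public class ZapReportGate {

    /** Constructed sample report with one High and one Low alert (assumed layout). */
    static final String SAMPLE_REPORT =
          "<OWASPZAPReport version=\"2.x\">"
        + "<site name=\"http://localhost:8080\"><alerts>"
        + "<alertitem><alert>Cross Site Scripting (Reflected)</alert>"
        + "<riskcode>3</riskcode><uri>http://localhost:8080/index?reason=x</uri></alertitem>"
        + "<alertitem><alert>X-Content-Type-Options Header Missing</alert>"
        + "<riskcode>1</riskcode><uri>http://localhost:8080/</uri></alertitem>"
        + "</alerts></site></OWASPZAPReport>";

    /** 3 = High on ZAP's riskcode scale (0 informational, 1 low, 2 medium, 3 high). */
    static final int FAIL_AT_RISK = 3;

    /** Parses the report with DTDs and external entities disabled: a report file is build input, not trusted. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Counts alerts whose riskcode is at or above minRisk, printing each one so the log says why the build failed. */
    static int countAlertsAtOrAbove(Document doc, int minRisk) {
        NodeList items = doc.getElementsByTagName("alertitem");
        int blocking = 0;
        for (int i = 0; i < items.getLength(); i++) {
            Element item = (Element) items.item(i);
            int risk = Integer.parseInt(text(item, "riskcode"));
            if (risk >= minRisk) {
                System.out.println("blocking alert: " + text(item, "alert") + " at " + text(item, "uri"));
                blocking++;
            }
        }
        return blocking;
    }

    private static String text(Element parent, String tag) {
        NodeList l = parent.getElementsByTagName(tag);
        return l.getLength() == 0 ? "" : l.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        int blocking = countAlertsAtOrAbove(parse(SAMPLE_REPORT), FAIL_AT_RISK);
        if (blocking > 0) {
            // An uncaught exception from the build step fails the Maven phase that runs it.
            throw new IllegalStateException(blocking + " alert(s) at risk level " + FAIL_AT_RISK + " or above");
        }
        System.out.println("ZAP report contains no alerts at risk level " + FAIL_AT_RISK + " or above");
    }
}
```

Run against the real report, this belongs after the scan in the Maven integration-test phase, with the threshold chosen per project: starting at High keeps a first run from failing on the many Low findings, and the threshold can be lowered once those are cleaned up. The FindBugs and PMD plugins already offer the same kind of gate through their own fail-on-violation settings, so all three tools end up blocking the build on the same terms.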
TODO's
• Maven
  • Zed Attack Proxy and site phase integration
• SONAR integration of Zed Attack Proxy
• How about Agile development?
• Can we integrate this process in TDD and BDD?
Links
• FindBugs™ - Find Bugs in Java Programs
• PMD – Don't shoot the Messenger
• OWASP Zed Attack Proxy Project - OWASP
• ZAP Maven Plugin
• Automated Security Testing of web applications using OWASP Zed Attack Proxy
• Belgium - OWASP
• Gotham Digital Science
Resources …
• Books:
  • Software Security
  • Microsoft Secure Development Lifecycle
  • Enterprise Security Architecture
Reflection
• Open source
  • Good start
• Commercial tools
  • Are more integrated in their environment
  • Perform better
  • Come with a price
• Manual review by experts
  • Best results
  • Expensive
  • Non-constant reviews
  • Very late in the process
Questions

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
UiPathCommunity
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Jen Stirrup
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 

Recently uploaded (20)

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 

Devoxx 2013 - David Tillemans - Security Test Automation in Software Development using Open Source Tools

  • 1. Web Application Security: Security Test Automation in Software Development using Open Source Tools
  • 2. About Smals vzw-asbl
     One of Belgium's largest ICT organisations: 1750 people
     "ICT for Society": in-house ICT service, working exclusively for the government
     Work: e.g. Dimona-DmfA (salary & labour prestations)
     Health: e.g. eHealth-platform (secure exchange of medical data in Belgium)
     Family life: e.g. VESTA (home care for the elderly: financial / operational support)
     High priority for ICT security & privacy
  • 3. Introduction
     Security Test Automation in Software Development using Open Source Tools
     Can we do it?
     What do we need? Source code, working parts of the application, Selenium tests for the functional part
  • 4. Application Security Disclaimer
     Hacking is illegal and can be punished under the legal framework of the information criminality laws (Belgian law of 28 November 2000 on computer crime). So the methods we show here are illegal if used without the consent of the victim.
  • 5. Hacking is illegal under Belgian law
     Article 550bis § 1: A person who, while he knows that he is not yet entitled to it, gains access to a computer system, or maintains himself in it, shall be punished with imprisonment from three months to one year and a fine of twenty-six [euro] to twenty-five thousand [euro], or with one of these penalties. If the crime referred to in the first paragraph is committed with fraudulent intent, the imprisonment is six months to two years.
  • 6. Security myths: Firewalls …
     Firewalls are always configured to allow web traffic -> HTTP(S)
     The attacker appears to the web application as a normal user
  • 7. Security myths: SSL secures the application…
     Server-side SSL only guarantees confidentiality on the transport level
     The attacker also uses the SSL tunnel
  • 8. Security myths: The application framework solves that…
     Frameworks don't solve security issues
     Some frameworks facilitate security, but not by default
     Some frameworks do it by default, but workarounds exist that reintroduce the security problems
  • 9. OWASP Top Ten (2013 Edition)
  • 10. SQL Injection
     Normal login: user John, password secret
     SELECT user FROM users WHERE user='John' AND password='secret'; -> John
     Injected login: user xxxx, password ' or 1=1;--
     SELECT user FROM users WHERE user='xxxx' AND password='' or 1=1;--'; -> Aaron, John
     The application greets the first row returned: "Welkom, Aaron"
  • 11. Stored XSS
     A stored message ("Coming home at 5 o'clock") carrying a hidden <script> … steal password … </script> is rendered for every reader, and their passwords leak to the attacker
  • 13. Sensitive Data Exposure: clear text transmission
     Confidential information is just sent back to the user
     Improper web application implementation: secure and non-secure sections
     Improper analysis of the information
     Improper configuration: unsecured SESSION cookies
  • 14. Sensitive Data Exposure: error messages
     Error messages for developers carry a lot of information to find the problem causing the error: stack traces in Java, SQL error messages from the database, PHP error messages, …
     Those error messages give a lot of information to the hacker when displayed to him/her: information on the data flow in the web application, database layout, operating system information, network information, application frameworks used
  • 15. Cross Site Request Forgery
     The victim, logged in to her bank, follows a forged link: http://bank.com/transaction?amount=10000&acc=001.1234567.27
     The bank executes it with her session: "Transaction successful"
  • 16. Secure SDLC (iterative approach)
     Requirements and use cases: security requirements, risk analysis
     Design: design review, risk analysis
     Test plans: risk-based security tests
     Code: code review, static analysis (tools)
     Test results: penetration testing
     Field feedback
  • 17. Findbugs
     Static source code analyzer
     Works on Java byte code, so the source must compile!
     Searches for bug patterns: finds bugs, but also false warnings
     Eclipse plugin
     By default almost all patterns are enabled
  • 18. Findbugs: security patterns
     DMI_CONSTANT_DB_PASSWORD: Hardcoded constant database password
     DMI_EMPTY_DB_PASSWORD: Empty database password
     EI_EXPOSE_REP: May expose internal representation by returning reference to mutable object
     EI_EXPOSE_REP2: May expose internal representation by incorporating reference to mutable object
     EI_EXPOSE_STATIC_REP2: May expose internal static state by storing a mutable object into a static field
     MS_EXPOSE_REP: Public static method may expose internal representation by returning array
  • 19. Findbugs  SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE Nonconstant string passed to execute method on an SQL statement  SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_ST RING A prepared statement is generated from a nonconstant String  XSS_REQUEST_PARAMETER_TO_SEND_ERROR JSP reflected cross site scripting vulnerability  XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER Servlet reflected cross site scripting vulnerability in error page  RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE Nullcheck of value previously dereferenced  NP_NULL_ON_SOME_PATH Possible null pointer dereference  NP_NULL_ON_SOME_PATH_EXCEPTION Possible null pointer dereference in method on exception path 19 Information Security
  • 21. PMD
     Static source code analyzer
     Runs against the Java source code
     Also searches for bug patterns
     There are no real security patterns included
     Gotham Digital Science has a security rule set
  • 22. PMD: rules relevant to security
     ArrayIsStoredDirectly
     AvoidCatchingThrowable
     AvoidPrintStackTrace
     AvoidThrowingNullPointerException
     DoNotCallSystemExit
     ExceptionAsFlowControl
     MethodReturnsInternalArray
     MisplacedNullCheck
  • 24. Zed Attack Proxy
     Intercepting proxy
     Traditional and AJAX spiders
     Automated scanner
     Forced browsing
     Fuzzer
     Dynamic SSL certificates
     Smartcard and client digital certificate support
  • 25. Zed Attack Proxy (continued)
     Web sockets support
     Support for a wide range of scripting languages
     Plug-n-Hack support
     Authentication and session support
     Powerful REST-based API
     Automatic updating option
     Integrated and growing marketplace of add-ons
  • 27. Demo: Automatic Build Process
     Maven
     Findbugs
     PMD
     Zaproxy
  • 28. TODO's
     Maven: Zed Attack Proxy and site phase integration
     SONAR integration of Zed Attack Proxy
     How about Agile development? Can we integrate this process in TDD and BDD?
  • 29. Links
     FindBugs™ - Find Bugs in Java Programs
     PMD – Don't shoot the Messenger
     OWASP Zed Attack Proxy Project - OWASP
     ZAP Maven Plugin
     Automated Security Testing of web applications using OWASP Zed Attack Proxy
     Belgium - OWASP
     Gotham Digital Science
  • 30. Resources
     Books: Software Security; Microsoft Secure Development Lifecycle; Enterprise Security Architecture
  • 31. Reflection
     Open source: a good start
     Commercial tools: more integrated in their environment, perform better, but come with a price
     Manual review by experts: best results, but expensive, non-constant reviews, and very late in the process