SlideShare a Scribd company logo

Presentation security automation (Selenium Camp)

Artyom Rozumenko
Artyom Rozumenko

Presentation about my experience of enabling security automation for a big enterprise

Engineering
1 of 27
Download to read offline
Rollercoaster of Security Automation
Artem Rozumenko S o l u t i o n A r c h i t e c t 10+ years in Software testing 7+ years in non-functional testing 5+ years in Solution Architecture Preferable CI: Jenkins Preferable language: Python Preferable load tool: Gatling
5 Billions US Dollars MARKET 2x Security Breaches in 2018 vs 2017 >2BPersonal records LEAKED WHAT ABOUT SECURITY ? 4 Billions US Dollars FINES CARRIER | Continuous Test Execution Platform
Continuous Security Test Execution Integrate security tests/scans as a quality gate of CI/CD process Security Testing Service Perform manual security tests of application Application Security Program Enable S-SDLC for the whole company SCOPE OF SECURITY TESTING CARRIER | Continuous Test Execution Platform
Run security scanners in your CI, what a big deal ? CARRIER | Continuous Test Execution Platform
RUN STATIC SCANS RUN DYNAMIC SCANS VALIDATE SCAN RESULTS VALIDATE FIXES 25%68%6%1% 85% of findings are false-positives CARRIER | Continuous Test Execution Platform LET’S SEE WHERE THE TIMEOF AN ENGINEER IS
CARRIER | Continuous Test Execution Platform LET’S SEE WHERE THE TIMEOF AN ENGINEER IS
CARRIER | Continuous Test Execution Platform WHAT WE HAVE NOW • Many products release with significant security issues that cause data leaks or service failures • Out of the box solutions mostly build for security engineers and barely suitable for CI • Scanners generate enormous amount of noise that results in complete ignorance from development
CARRIER | Continuous Test Execution Platform SOUNDS LIKE WE GOT A TARGET • Run Static Scan in CI as a quality gate • Make it run for less then 10 minutes • Create results that won’t be ignored by developers • Make Dynamic scans useful
EXPERIMENT CARRIER | Continuous Test Execution Platform • Take a public repo • Run Standard approach • Run Carrier approach • Compare results
CARRIER | Continuous Test Execution Platform SONAR + SpotBugs 19minutes 24Kfindings
CARRIER | Continuous Test Execution Platform CARRIER + SpotBugs 4.5minutes 4.5Kfindings
How to make results actionable with less efforts? CARRIER | Continuous Test Execution Platform
CARRIER | Continuous Test Execution Platform RE-PROCESSING OUTCOME • Group same type of vulnerabilities in same file • Translate findings to actions • Automatically filter false-positives • Do not convert all the valid findings into issues https://github.com/carrier-io/sast
This is how it works in production CARRIER | Continuous Test Execution Platform
CARRIER | Continuous Test Execution Platform CANONICAL DATA MODEL
CARRIER | Continuous Test Execution Platform DEDUPLICATION ON THE GO DEDUPLICATION GROUPING
CARRIER | Continuous Test Execution Platform FILTERING FALSE-POSITIVES https://github.com/reportportal/service-analyzer-equals
WHAT ABOUT DYNAMIC SCANS CARRIER | Continuous Test Execution Platform
CARRIER | Continuous Test Execution Platform THERE ARE DIFFERENT SCANS External Intruder Internal Intruder
EXPERIMENT CARRIER | Continuous Test Execution Platform • Take some well known site • Take single well known tool • Limit scope of vulnerabilities • Perform authenticated scan • Performance unauthenticated scan • Compare results
CARRIER | Continuous Test Execution Platform RESULTS External Intruder Internal Intruder 13M req 2h scan 17 findings 100% FPs 4M req 20h scan 200 findings 99% FPs
CARRIER | Continuous Test Execution Platform WE HAVE ANOTHER ONE Automated Tests ran through Security Tool
CARRIER | Continuous Test Execution Platform RESULTS Internal Intruder True Automated Intruder 200K req 25m scan 350 findings 95% FPs 4M req 20h scan 200 findings 99% FPs https://hub.docker.com/r/getcarrier/dast
CARRIER | Continuous Test Execution Platform
CARRIER | Continuous Test Execution Platform AS A SUMMARY • You should test security as a part of your delivery pipeline • Post-processing of results helps to save time on analysis • Automated tests helps to find great vulnerabilities • Complex vulnerabilities should be added to functional testing framework
CARRIER | Continuous Test Execution Platform THANKS https://github.com/carrier-io/sast https://github.com/carrier-io/dast https://hub.docker.com/r/getcarrier/sast https://hub.docker.com/r/getcarrier/dast

Recommended

DAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваDAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваMail.ru Group
 
Trac Project And Process Management For Developers And Sys Admins Presentation
Trac Project And Process Management For Developers And Sys Admins PresentationTrac Project And Process Management For Developers And Sys Admins Presentation
Trac Project And Process Management For Developers And Sys Admins Presentationguest3fc4fa
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
Lucio Grenzi - Building serverless applications on the Apache OpenWhisk platf...
Lucio Grenzi - Building serverless applications on the Apache OpenWhisk platf...Lucio Grenzi - Building serverless applications on the Apache OpenWhisk platf...
Lucio Grenzi - Building serverless applications on the Apache OpenWhisk platf...Codemotion
 
Whatthestack using Tempest for testing your OpenStack deployment
Whatthestack using Tempest for testing your OpenStack deploymentWhatthestack using Tempest for testing your OpenStack deployment
Whatthestack using Tempest for testing your OpenStack deploymentChristian Schwede
 
Introduction to tempest
Introduction to tempest Introduction to tempest
Introduction to tempest openstackindia
 
how to use openstack api
how to use openstack apihow to use openstack api
how to use openstack apiLiang Bo
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 

Recommended

DAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваDAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваMail.ru Group
 
Trac Project And Process Management For Developers And Sys Admins Presentation
Trac Project And Process Management For Developers And Sys Admins PresentationTrac Project And Process Management For Developers And Sys Admins Presentation
Trac Project And Process Management For Developers And Sys Admins Presentationguest3fc4fa
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
Lucio Grenzi - Building serverless applications on the Apache OpenWhisk platf...
Lucio Grenzi - Building serverless applications on the Apache OpenWhisk platf...Lucio Grenzi - Building serverless applications on the Apache OpenWhisk platf...
Lucio Grenzi - Building serverless applications on the Apache OpenWhisk platf...Codemotion
 
Whatthestack using Tempest for testing your OpenStack deployment
Whatthestack using Tempest for testing your OpenStack deploymentWhatthestack using Tempest for testing your OpenStack deployment
Whatthestack using Tempest for testing your OpenStack deploymentChristian Schwede
 
Introduction to tempest
Introduction to tempest Introduction to tempest
Introduction to tempest openstackindia
 
how to use openstack api
how to use openstack apihow to use openstack api
how to use openstack apiLiang Bo
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Multiple django applications on a single server with nginx
Multiple django applications on a single server with nginxMultiple django applications on a single server with nginx
Multiple django applications on a single server with nginxroskakori
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4琛琳 饶
 
Altitude SF 2017: Debugging Fastly VCL 101
Altitude SF 2017: Debugging Fastly VCL 101Altitude SF 2017: Debugging Fastly VCL 101
Altitude SF 2017: Debugging Fastly VCL 101Fastly
 
Tempest scenariotests 20140512
Tempest scenariotests 20140512Tempest scenariotests 20140512
Tempest scenariotests 20140512Masayuki Igawa
 
OpenStack API's and WSGI
OpenStack API's and WSGIOpenStack API's and WSGI
OpenStack API's and WSGIMike Pittaro
 
Import golang; struct microservice
Import golang; struct microserviceImport golang; struct microservice
Import golang; struct microserviceGiulio De Donato
 
DevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is CodeDevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is Codesmalltown
 
Using Document Databases with TYPO3 Flow
Using Document Databases with TYPO3 FlowUsing Document Databases with TYPO3 Flow
Using Document Databases with TYPO3 FlowKarsten Dambekalns
 
Open stack qa and tempest
Open stack qa and tempestOpen stack qa and tempest
Open stack qa and tempestKamesh Pemmaraju
 
Spring Boot to Quarkus: A real app migration experience | DevNation Tech Talk
Spring Boot to Quarkus: A real app migration experience | DevNation Tech TalkSpring Boot to Quarkus: A real app migration experience | DevNation Tech Talk
Spring Boot to Quarkus: A real app migration experience | DevNation Tech TalkRed Hat Developers
 
Altitude NY 2018: Programming the edge workshop
Altitude NY 2018: Programming the edge workshopAltitude NY 2018: Programming the edge workshop
Altitude NY 2018: Programming the edge workshopFastly
 
Dropwizard
DropwizardDropwizard
DropwizardAbdulhadi ÇELENLİOĞLU
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
Deploying Plack Web Applications: OSCON 2011
Deploying Plack Web Applications: OSCON 2011Deploying Plack Web Applications: OSCON 2011
Deploying Plack Web Applications: OSCON 2011Tatsuhiko Miyagawa
 
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, EverAltitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, EverFastly
 
Logstash
LogstashLogstash
Logstash琛琳 饶
 
Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Conor Svensson
 
Solving anything in VCL
Solving anything in VCLSolving anything in VCL
Solving anything in VCLFastly
 
Building a serverless company on AWS lambda and Serverless framework
Building a serverless company on AWS lambda and Serverless frameworkBuilding a serverless company on AWS lambda and Serverless framework
Building a serverless company on AWS lambda and Serverless frameworkLuciano Mammino
 
DevOps tools for everyone - Vagrant, Puppet and Webmin
DevOps tools for everyone - Vagrant, Puppet and WebminDevOps tools for everyone - Vagrant, Puppet and Webmin
DevOps tools for everyone - Vagrant, Puppet and Webminpostrational
 
Embedding Quality Engineering in DevOps pipeline
Embedding Quality Engineering in DevOps pipelineEmbedding Quality Engineering in DevOps pipeline
Embedding Quality Engineering in DevOps pipelineAspire Systems
 
The DevOps Dance - Shift Left, Shift Right - Get It Right
The DevOps Dance - Shift Left, Shift Right - Get It RightThe DevOps Dance - Shift Left, Shift Right - Get It Right
The DevOps Dance - Shift Left, Shift Right - Get It RightInflectra
 

More Related Content

What's hot

Multiple django applications on a single server with nginx
Multiple django applications on a single server with nginxMultiple django applications on a single server with nginx
Multiple django applications on a single server with nginxroskakori
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4琛琳 饶
 
Altitude SF 2017: Debugging Fastly VCL 101
Altitude SF 2017: Debugging Fastly VCL 101Altitude SF 2017: Debugging Fastly VCL 101
Altitude SF 2017: Debugging Fastly VCL 101Fastly
 
Tempest scenariotests 20140512
Tempest scenariotests 20140512Tempest scenariotests 20140512
Tempest scenariotests 20140512Masayuki Igawa
 
OpenStack API's and WSGI
OpenStack API's and WSGIOpenStack API's and WSGI
OpenStack API's and WSGIMike Pittaro
 
Import golang; struct microservice
Import golang; struct microserviceImport golang; struct microservice
Import golang; struct microserviceGiulio De Donato
 
DevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is CodeDevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is Codesmalltown
 
Using Document Databases with TYPO3 Flow
Using Document Databases with TYPO3 FlowUsing Document Databases with TYPO3 Flow
Using Document Databases with TYPO3 FlowKarsten Dambekalns
 
Spring Boot to Quarkus: A real app migration experience | DevNation Tech Talk
Spring Boot to Quarkus: A real app migration experience | DevNation Tech TalkSpring Boot to Quarkus: A real app migration experience | DevNation Tech Talk
Spring Boot to Quarkus: A real app migration experience | DevNation Tech TalkRed Hat Developers
 
Altitude NY 2018: Programming the edge workshop
Altitude NY 2018: Programming the edge workshopAltitude NY 2018: Programming the edge workshop
Altitude NY 2018: Programming the edge workshopFastly
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Simon Bennetts
 
Deploying Plack Web Applications: OSCON 2011
Deploying Plack Web Applications: OSCON 2011Deploying Plack Web Applications: OSCON 2011
Deploying Plack Web Applications: OSCON 2011Tatsuhiko Miyagawa
 
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, EverAltitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, EverFastly
 
Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Conor Svensson
 
Solving anything in VCL
Solving anything in VCLSolving anything in VCL
Solving anything in VCLFastly
 
Building a serverless company on AWS lambda and Serverless framework
Building a serverless company on AWS lambda and Serverless frameworkBuilding a serverless company on AWS lambda and Serverless framework
Building a serverless company on AWS lambda and Serverless frameworkLuciano Mammino
 
DevOps tools for everyone - Vagrant, Puppet and Webmin
DevOps tools for everyone - Vagrant, Puppet and WebminDevOps tools for everyone - Vagrant, Puppet and Webmin
DevOps tools for everyone - Vagrant, Puppet and Webminpostrational
 

What's hot (20)

Multiple django applications on a single server with nginx
Multiple django applications on a single server with nginxMultiple django applications on a single server with nginx
Multiple django applications on a single server with nginx
 
{{more}} Kibana4
{{more}} Kibana4{{more}} Kibana4
{{more}} Kibana4
 
Altitude SF 2017: Debugging Fastly VCL 101
Altitude SF 2017: Debugging Fastly VCL 101Altitude SF 2017: Debugging Fastly VCL 101
Altitude SF 2017: Debugging Fastly VCL 101
 
Tempest scenariotests 20140512
Tempest scenariotests 20140512Tempest scenariotests 20140512
Tempest scenariotests 20140512
 
OpenStack API's and WSGI
OpenStack API's and WSGIOpenStack API's and WSGI
OpenStack API's and WSGI
 
Import golang; struct microservice
Import golang; struct microserviceImport golang; struct microservice
Import golang; struct microservice
 
DevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is CodeDevOpsDays Taipei 2017 - Terraform: Everything Is Code
DevOpsDays Taipei 2017 - Terraform: Everything Is Code
 
Using Document Databases with TYPO3 Flow
Using Document Databases with TYPO3 FlowUsing Document Databases with TYPO3 Flow
Using Document Databases with TYPO3 Flow
 
Open stack qa and tempest
Open stack qa and tempestOpen stack qa and tempest
Open stack qa and tempest
 
Spring Boot to Quarkus: A real app migration experience | DevNation Tech Talk
Spring Boot to Quarkus: A real app migration experience | DevNation Tech TalkSpring Boot to Quarkus: A real app migration experience | DevNation Tech Talk
Spring Boot to Quarkus: A real app migration experience | DevNation Tech Talk
 
Altitude NY 2018: Programming the edge workshop
Altitude NY 2018: Programming the edge workshopAltitude NY 2018: Programming the edge workshop
Altitude NY 2018: Programming the edge workshop
 
Dropwizard
DropwizardDropwizard
Dropwizard
 
Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk Automating OWASP ZAP - DevCSecCon talk
Automating OWASP ZAP - DevCSecCon talk
 
Deploying Plack Web Applications: OSCON 2011
Deploying Plack Web Applications: OSCON 2011Deploying Plack Web Applications: OSCON 2011
Deploying Plack Web Applications: OSCON 2011
 
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, EverAltitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
 
Logstash
LogstashLogstash
Logstash
 
Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring Java Microservices with Netflix OSS & Spring
Java Microservices with Netflix OSS & Spring
 
Solving anything in VCL
Solving anything in VCLSolving anything in VCL
Solving anything in VCL
 
Building a serverless company on AWS lambda and Serverless framework
Building a serverless company on AWS lambda and Serverless frameworkBuilding a serverless company on AWS lambda and Serverless framework
Building a serverless company on AWS lambda and Serverless framework
 
DevOps tools for everyone - Vagrant, Puppet and Webmin
DevOps tools for everyone - Vagrant, Puppet and WebminDevOps tools for everyone - Vagrant, Puppet and Webmin
DevOps tools for everyone - Vagrant, Puppet and Webmin
 

Similar to Presentation security automation (Selenium Camp)

Embedding Quality Engineering in DevOps pipeline
Embedding Quality Engineering in DevOps pipelineEmbedding Quality Engineering in DevOps pipeline
Embedding Quality Engineering in DevOps pipelineAspire Systems
 
The DevOps Dance - Shift Left, Shift Right - Get It Right
The DevOps Dance - Shift Left, Shift Right - Get It RightThe DevOps Dance - Shift Left, Shift Right - Get It Right
The DevOps Dance - Shift Left, Shift Right - Get It RightInflectra
 
Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...
Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...
Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...Perfecto by Perforce
 
AppSphere 2016 - Automate performance testing with AppDynamics using continuo...
AppSphere 2016 - Automate performance testing with AppDynamics using continuo...AppSphere 2016 - Automate performance testing with AppDynamics using continuo...
AppSphere 2016 - Automate performance testing with AppDynamics using continuo...Brad Stoner
 
Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...
Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...
Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...VMware Tanzu
 
Ramesh Krishnamurthy, CTO at World DevOps Summit 2016
Ramesh Krishnamurthy, CTO at World DevOps Summit 2016Ramesh Krishnamurthy, CTO at World DevOps Summit 2016
Ramesh Krishnamurthy, CTO at World DevOps Summit 2016Indium Software
 
Modernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectModernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectDevOps.com
 
Advanced Codeless Testing for Web Apps
Advanced Codeless Testing for Web AppsAdvanced Codeless Testing for Web Apps
Advanced Codeless Testing for Web AppsPerfecto by Perforce
 
How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16
How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16
How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16AppDynamics
 
4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQM
4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQM4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQM
4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQMIBM Rational
 
Neotys PAC 2018 - Ramya Ramalinga Moorthy
Neotys PAC 2018 - Ramya Ramalinga MoorthyNeotys PAC 2018 - Ramya Ramalinga Moorthy
Neotys PAC 2018 - Ramya Ramalinga MoorthyNeotys_Partner
 
Traditional Testing: The Silent Killer of DevOps
Traditional Testing: The Silent Killer of DevOpsTraditional Testing: The Silent Killer of DevOps
Traditional Testing: The Silent Killer of DevOpsTechWell
 
Manoj kolhe - Continuous Integration Testing
Manoj kolhe - Continuous Integration TestingManoj kolhe - Continuous Integration Testing
Manoj kolhe - Continuous Integration TestingManoj Kolhe
 
DevOps and Splunk
DevOps and SplunkDevOps and Splunk
DevOps and SplunkSplunk
 
How to Guarantee Continuous Value from your Test Automation
How to Guarantee Continuous Value from your Test AutomationHow to Guarantee Continuous Value from your Test Automation
How to Guarantee Continuous Value from your Test AutomationPerfecto by Perforce
 
Continuous testing at scale
Continuous testing at scaleContinuous testing at scale
Continuous testing at scaleGergely Orosz
 
Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedAshley Zupkus
 
Release Automation: Better Quality, Faster Deployment, Amazing ROI
Release Automation: Better Quality, Faster Deployment, Amazing ROIRelease Automation: Better Quality, Faster Deployment, Amazing ROI
Release Automation: Better Quality, Faster Deployment, Amazing ROITechWell
 
Keeping Your Continuous Test Automation Continuously Valuable
Keeping Your Continuous Test Automation Continuously ValuableKeeping Your Continuous Test Automation Continuously Valuable
Keeping Your Continuous Test Automation Continuously ValuablePerfecto by Perforce
 
How to get the most out of your CI/CD workflow using automated testing - Sauc...
How to get the most out of your CI/CD workflow using automated testing - Sauc...How to get the most out of your CI/CD workflow using automated testing - Sauc...
How to get the most out of your CI/CD workflow using automated testing - Sauc...twaintaylorb2b
 

Similar to Presentation security automation (Selenium Camp) (20)

Embedding Quality Engineering in DevOps pipeline
Embedding Quality Engineering in DevOps pipelineEmbedding Quality Engineering in DevOps pipeline
Embedding Quality Engineering in DevOps pipeline
 
The DevOps Dance - Shift Left, Shift Right - Get It Right
The DevOps Dance - Shift Left, Shift Right - Get It RightThe DevOps Dance - Shift Left, Shift Right - Get It Right
The DevOps Dance - Shift Left, Shift Right - Get It Right
 
Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...
Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...
Enhancing Your Test Automation Scenario Coverage with Selenium - QA or the Hi...
 
AppSphere 2016 - Automate performance testing with AppDynamics using continuo...
AppSphere 2016 - Automate performance testing with AppDynamics using continuo...AppSphere 2016 - Automate performance testing with AppDynamics using continuo...
AppSphere 2016 - Automate performance testing with AppDynamics using continuo...
 
Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...
Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...
Concourse, Spinnaker, Cloud Foundry, Oh My! Creating Sophisticated Deployment...
 
Ramesh Krishnamurthy, CTO at World DevOps Summit 2016
Ramesh Krishnamurthy, CTO at World DevOps Summit 2016Ramesh Krishnamurthy, CTO at World DevOps Summit 2016
Ramesh Krishnamurthy, CTO at World DevOps Summit 2016
 
Modernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectModernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-Architect
 
Advanced Codeless Testing for Web Apps
Advanced Codeless Testing for Web AppsAdvanced Codeless Testing for Web Apps
Advanced Codeless Testing for Web Apps
 
How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16
How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16
How CapitalOne Transformed DevTest or Continuous Delivery - AppSphere16
 
4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQM
4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQM4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQM
4.4.2013 Software Quality - Regression Testing Automated and Manual - RFT/RQM
 
Neotys PAC 2018 - Ramya Ramalinga Moorthy
Neotys PAC 2018 - Ramya Ramalinga MoorthyNeotys PAC 2018 - Ramya Ramalinga Moorthy
Neotys PAC 2018 - Ramya Ramalinga Moorthy
 
Traditional Testing: The Silent Killer of DevOps
Traditional Testing: The Silent Killer of DevOpsTraditional Testing: The Silent Killer of DevOps
Traditional Testing: The Silent Killer of DevOps
 
Manoj kolhe - Continuous Integration Testing
Manoj kolhe - Continuous Integration TestingManoj kolhe - Continuous Integration Testing
Manoj kolhe - Continuous Integration Testing
 
DevOps and Splunk
DevOps and SplunkDevOps and Splunk
DevOps and Splunk
 
How to Guarantee Continuous Value from your Test Automation
How to Guarantee Continuous Value from your Test AutomationHow to Guarantee Continuous Value from your Test Automation
How to Guarantee Continuous Value from your Test Automation
 
Continuous testing at scale
Continuous testing at scaleContinuous testing at scale
Continuous testing at scale
 
Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically Guaranteed
 
Release Automation: Better Quality, Faster Deployment, Amazing ROI
Release Automation: Better Quality, Faster Deployment, Amazing ROIRelease Automation: Better Quality, Faster Deployment, Amazing ROI
Release Automation: Better Quality, Faster Deployment, Amazing ROI
 
Keeping Your Continuous Test Automation Continuously Valuable
Keeping Your Continuous Test Automation Continuously ValuableKeeping Your Continuous Test Automation Continuously Valuable
Keeping Your Continuous Test Automation Continuously Valuable
 
How to get the most out of your CI/CD workflow using automated testing - Sauc...
How to get the most out of your CI/CD workflow using automated testing - Sauc...How to get the most out of your CI/CD workflow using automated testing - Sauc...
How to get the most out of your CI/CD workflow using automated testing - Sauc...
 

Recently uploaded

HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...RajaP95
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxhumanexperienceaaa
 

Recently uploaded (20)

HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
 

Presentation security automation (Selenium Camp)

  • 2. Artem Rozumenko S o l u t i o n A r c h i t e c t 10+ years in Software testing 7+ years in non-functional testing 5+ years in Solution Architecture Preferable CI: Jenkins Preferable language: Python Preferable load tool: Gatling
  • 3. 5 Billions US Dollars MARKET 2x Security Breaches in 2018 vs 2017 >2BPersonal records LEAKED WHAT ABOUT SECURITY ? 4 Billions US Dollars FINES CARRIER | Continuous Test Execution Platform
  • 4. Continuous Security Test Execution Integrate security tests/scans as a quality gate of CI/CD process Security Testing Service Perform manual security tests of application Application Security Program Enable S-SDLC for the whole company SCOPE OF SECURITY TESTING CARRIER | Continuous Test Execution Platform
  • 5. Run security scanners in your CI, what a big deal ? CARRIER | Continuous Test Execution Platform
  • 6. RUN STATIC SCANS RUN DYNAMIC SCANS VALIDATE SCAN RESULTS VALIDATE FIXES 25%68%6%1% 85% of findings are false-positives CARRIER | Continuous Test Execution Platform LET’S SEE WHERE THE TIMEOF AN ENGINEER IS
  • 7. CARRIER | Continuous Test Execution Platform LET’S SEE WHERE THE TIMEOF AN ENGINEER IS
  • 8. CARRIER | Continuous Test Execution Platform WHAT WE HAVE NOW • Many products release with significant security issues that cause data leaks or service failures • Out of the box solutions mostly build for security engineers and barely suitable for CI • Scanners generate enormous amount of noise that results in complete ignorance from development
  • 9. CARRIER | Continuous Test Execution Platform SOUNDS LIKE WE GOT A TARGET • Run Static Scan in CI as a quality gate • Make it run for less then 10 minutes • Create results that won’t be ignored by developers • Make Dynamic scans useful
  • 10. EXPERIMENT CARRIER | Continuous Test Execution Platform • Take a public repo • Run Standard approach • Run Carrier approach • Compare results
  • 11. CARRIER | Continuous Test Execution Platform SONAR + SpotBugs 19minutes 24Kfindings
  • 12. CARRIER | Continuous Test Execution Platform CARRIER + SpotBugs 4.5minutes 4.5Kfindings
  • 13. How to make results actionable with less efforts? CARRIER | Continuous Test Execution Platform
  • 14. CARRIER | Continuous Test Execution Platform RE-PROCESSING OUTCOME • Group same type of vulnerabilities in same file • Translate findings to actions • Automatically filter false-positives • Do not convert all the valid findings into issues https://github.com/carrier-io/sast
  • 15. This is how it works in production CARRIER | Continuous Test Execution Platform
  • 16. CARRIER | Continuous Test Execution Platform CANONICAL DATA MODEL
  • 17. CARRIER | Continuous Test Execution Platform DEDUPLICATION ON THE GO DEDUPLICATION GROUPING
  • 18. CARRIER | Continuous Test Execution Platform FILTERING FALSE-POSITIVES https://github.com/reportportal/service-analyzer-equals
  • 19. WHAT ABOUT DYNAMIC SCANS CARRIER | Continuous Test Execution Platform
  • 20. CARRIER | Continuous Test Execution Platform THERE ARE DIFFERENT SCANS External Intruder Internal Intruder
  • 21. EXPERIMENT CARRIER | Continuous Test Execution Platform • Take some well known site • Take single well known tool • Limit scope of vulnerabilities • Perform authenticated scan • Performance unauthenticated scan • Compare results
  • 22. CARRIER | Continuous Test Execution Platform RESULTS External Intruder Internal Intruder 13M req 2h scan 17 findings 100% FPs 4M req 20h scan 200 findings 99% FPs
  • 23. CARRIER | Continuous Test Execution Platform WE HAVE ANOTHER ONE Automated Tests ran through Security Tool
  • 24. CARRIER | Continuous Test Execution Platform RESULTS Internal Intruder True Automated Intruder 200K req 25m scan 350 findings 95% FPs 4M req 20h scan 200 findings 99% FPs https://hub.docker.com/r/getcarrier/dast
  • 25. CARRIER | Continuous Test Execution Platform
  • 26. CARRIER | Continuous Test Execution Platform AS A SUMMARY • You should test security as a part of your delivery pipeline • Post-processing of results helps to save time on analysis • Automated tests helps to find great vulnerabilities • Complex vulnerabilities should be added to functional testing framework
  • 27. CARRIER | Continuous Test Execution Platform THANKS https://github.com/carrier-io/sast https://github.com/carrier-io/dast https://hub.docker.com/r/getcarrier/sast https://hub.docker.com/r/getcarrier/dast