seleniumconf, profile picture
Uploaded byseleniumconf
PDF, PPTX7,765 views

Automated Security Testing

This document discusses automated security testing using the Zed Attack Proxy (ZAP) tool. It describes how ZAP can be used to passively and actively scan web applications for security vulnerabilities by intercepting HTTP traffic. It also provides examples of integrating ZAP into continuous integration builds using its REST API and tasks for Ant and Maven. While automated testing finds many issues, some vulnerabilities still require human intelligence to identify false positives and negatives.

Embed presentation

Download as PDF, PPTX
Automated Security Testing Alan Parkinson @alan_parkinson
Disclaimer! I'm NOT a Security Expert, but a developer passionate about quality
Why the interest in Security? ● New Project - E-commerce ● Compliance ● PCI ● Privacy ● Ethics ● No site is too small to break into ● Security Testing is expensive
Security Tools ● Attack Proxies: Sit between the Tester and Application ● Searches for patterns in HTTP traffic ● Help manual penetration testers ● Change values in HTTP traffic ● 3rd Party OnDemand scanning services ● Often for PCI compliance
Zed Attack Proxy (ZAP) ● Open Source project forked from Paros Proxy ● Released in 2010 and OWASP top level project ● Easy to use Penetration testing tool – All Skill Levels ● Features: ● Passive scanning of HTTP traffic ● Active scanning of Web Apps ● Spiders, Fuzzing, Brute force and many more....
Getting Started with ZAP
Beyond Passive Scanning ● Use on Test Environments ONLY ● Active Scanning ● Spider vs Browser ● Real life Browser tests discover RESTful services ● Automated Browser Tests can teach ZAP
Converting Browser Tests Using the ZAP HTTP Proxy Group test execution based on user roles
Integrating ZAP into the build RESTful API Ant tasks Maven Plugin Session management: New, Save and Open Tasks: Spider and Active Attack Results: Ignoring rules and Failing the build
False Positives/Negatives Humans are not out of a job Some types of Security Vulnerabilities require Intelligence CI: Ignoring false positives are parameters to the Ant tasks
Start ZAP Run Browser Manual Testing Tests Active Scan Check Save Results Session Stop ZAP
Build Integration – Stage 1 Nightly Build with Passive and Active Scanning. The ZAP session is saved for analysis by a human Not fast feedback, but accurate results
Build Integration – Stage 2 Same Nightly Build with human analysis Passive scanning in Continuous Build Fast feedback, but for simple issues only
Build Integration – Stage 3 Passive and Active scanning in Continuous Build Fast feedback but “Trigger Happy” on rule exclusion
Conclusion ● Additional ROI on your tests ● Great for catching... ● Injection based attacks: XSS and SQL ● HTTP header and Cookie issues ● URL Redirect abuse ● False Positives ● Can be large for some types of tests ● Don't get “Trigger happy” on rule exceptions
Automated Security Testing Alan Parkinson @alan_parkinson Demo: https://github.com/aparkinson/jenkins-webdriver ZAP: http://code.google.com/p/zaproxy/ OWASP: https://www.owasp.org Ant Demo: https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml

More Related Content

PPTX
Hacker Proof web app using Functional tests
byAnkita Gupta
 
PPTX
Security testautomation
byLinkesh Kanna Velu
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
PPTX
Automating security tests for Continuous Integration
byStephen de Vries
 
PPTX
The OWASP Zed Attack Proxy
byAditya Gupta
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
ODP
Automating OWASP ZAP - DevCSecCon talk
bySimon Bennetts
 
PDF
Zed Attack Proxy (ZAP)
byJAINAM KAPADIYA
 
Hacker Proof web app using Functional tests
byAnkita Gupta
 
Security testautomation
byLinkesh Kanna Velu
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
Automating security tests for Continuous Integration
byStephen de Vries
 
The OWASP Zed Attack Proxy
byAditya Gupta
 
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
Automating OWASP ZAP - DevCSecCon talk
bySimon Bennetts
 
Zed Attack Proxy (ZAP)
byJAINAM KAPADIYA
 

What's hot

PDF
Owasp zap
byColdFusionConference
 
PDF
T23 HTML5 Security Testing at Spotify
byTechWell
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
PPTX
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
byraj upadhyay
 
PDF
Security Testing using ZAP in SFDC
byThinqloud
 
PPT
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
byMohammed A. Imran
 
PDF
Vulnerabilities are bugs, Let's Test For Them!
byVAddy
 
PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PDF
Just Enough Threat Modeling
byStephen de Vries
 
PDF
Continuous Security Testing - DevSecCon
byStephen de Vries
 
PDF
Security Automation using ZAP
byVaibhav Gupta
 
PDF
SecDevOps - The Operationalisation of Security
byDinis Cruz
 
PPTX
Learn to pen-test with OWASP ZAP
byPaul Ionescu
 
PDF
Proactive Security AppSec Case Study
byAndy Hoernecke
 
ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
bySimon Bennetts
 
ODP
BlackHat 2014 OWASP ZAP Turbo Talk
bySimon Bennetts
 
ODP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
bySimon Bennetts
 
PDF
The Joy of Proactive Security
byAndy Hoernecke
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
ODP
BSides Manchester 2014 ZAP Advanced Features
bySimon Bennetts
 
Owasp zap
byColdFusionConference
 
T23 HTML5 Security Testing at Spotify
byTechWell
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
byraj upadhyay
 
Security Testing using ZAP in SFDC
byThinqloud
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
byMohammed A. Imran
 
Vulnerabilities are bugs, Let's Test For Them!
byVAddy
 
DevOps & Security: Here & Now
byCheckmarx
 
Just Enough Threat Modeling
byStephen de Vries
 
Continuous Security Testing - DevSecCon
byStephen de Vries
 
Security Automation using ZAP
byVaibhav Gupta
 
SecDevOps - The Operationalisation of Security
byDinis Cruz
 
Learn to pen-test with OWASP ZAP
byPaul Ionescu
 
Proactive Security AppSec Case Study
byAndy Hoernecke
 
2014 ZAP Workshop 2: Contexts and Fuzzing
bySimon Bennetts
 
BlackHat 2014 OWASP ZAP Turbo Talk
bySimon Bennetts
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
bySimon Bennetts
 
The Joy of Proactive Security
byAndy Hoernecke
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
BSides Manchester 2014 ZAP Advanced Features
bySimon Bennetts
 

Viewers also liked

PDF
Rugged DevOps: Bridging Security and DevOps
byJames Wickett
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
PDF
LasCon 2014 DevOoops
byChris Gates
 
PDF
Agile Secure Software Development in a Large Software Development Organisatio...
byAchim D. Brucker
 
PDF
Continous Integration of (JS) projects & check-build philosophy
byFrançois-Guillaume Ribreau
 
PDF
Pythonista も ls を読むべきか?
byKatsunori FUJIWARA
 
PDF
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
PPTX
Cybersecurity by the numbers
byAPNIC
 
PPTX
Threat Modeling And Analysis
byLalit Kale
 
PPTX
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
PDF
Building Risk Management into Enterprise Architecture
byiasaglobal
 
PDF
Integración contínua con Jenkins
byCésar Hernández
 
ODP
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 
PDF
New Farming Methods in the Epistemological Wasteland of Application Security
byJames Wickett
 
PDF
Real World Application Threat Modelling By Example
byNCC Group
 
PDF
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
PPTX
The Journey to DevSecOps
bySeniorStoryteller
 
PPTX
Matt carroll - "Security patching system packages is fun" said no-one ever
byDevSecCon
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
Rugged DevOps: Bridging Security and DevOps
byJames Wickett
 
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
LasCon 2014 DevOoops
byChris Gates
 
Agile Secure Software Development in a Large Software Development Organisatio...
byAchim D. Brucker
 
Continous Integration of (JS) projects & check-build philosophy
byFrançois-Guillaume Ribreau
 
Pythonista も ls を読むべきか?
byKatsunori FUJIWARA
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
Cybersecurity by the numbers
byAPNIC
 
Threat Modeling And Analysis
byLalit Kale
 
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
Building Risk Management into Enterprise Architecture
byiasaglobal
 
Integración contínua con Jenkins
byCésar Hernández
 
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 
New Farming Methods in the Epistemological Wasteland of Application Security
byJames Wickett
 
Real World Application Threat Modelling By Example
byNCC Group
 
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
The Journey to DevSecOps
bySeniorStoryteller
 
Matt carroll - "Security patching system packages is fun" said no-one ever
byDevSecCon
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 

Similar to Automated Security Testing

PPT
Zap attack proxy
byArtem Vasilenko
 
PDF
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
bygmaran23
 
PDF
OWASP ZAP - Automated Security Analysis.pdf
byxotoyer152
 
PDF
DAST in CI/CD pipelines using Selenium & OWASP ZAP
bysrini0x00
 
ODP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
bySimon Bennetts
 
PPTX
Owasp zap
bypenetration Tester
 
PPTX
OWASP ZAP API Automation
byThivya Lakshmi
 
PDF
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
bygmaran23
 
ODP
OWASP 2013 Limerick - ZAP: Whats even newer
bySimon Bennetts
 
PPTX
OWASP Zed Attack Proxy
byFadi Abdulwahab
 
ODP
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
bySimon Bennetts
 
ODP
OWASP 2012 AppSec Dublin ZAP Intro
bySimon Bennetts
 
ODP
2014 ZAP Workshop 1: Getting Started
bySimon Bennetts
 
PPTX
OWASP ZAP Workshop for QA Testers
byJavan Rasokat
 
ODP
OWASP 2014 AppSec EU ZAP Advanced Features
bySimon Bennetts
 
PPTX
Cyber ppt
bykarthik menon
 
PDF
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
byChristian Schneider
 
PPTX
OWSAP Zap Tool Execution - API Security Scan
byPalani Kumar
 
PDF
GECon2017_ Security testing and selenium tests can you do one using the other...
byGECon_Org Team
 
ODP
Simon Bennetts - Automating ZAP
byDevSecCon
 
Zap attack proxy
byArtem Vasilenko
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
bygmaran23
 
OWASP ZAP - Automated Security Analysis.pdf
byxotoyer152
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
bysrini0x00
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
bySimon Bennetts
 
Owasp zap
bypenetration Tester
 
OWASP ZAP API Automation
byThivya Lakshmi
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
bygmaran23
 
OWASP 2013 Limerick - ZAP: Whats even newer
bySimon Bennetts
 
OWASP Zed Attack Proxy
byFadi Abdulwahab
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
bySimon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
bySimon Bennetts
 
2014 ZAP Workshop 1: Getting Started
bySimon Bennetts
 
OWASP ZAP Workshop for QA Testers
byJavan Rasokat
 
OWASP 2014 AppSec EU ZAP Advanced Features
bySimon Bennetts
 
Cyber ppt
bykarthik menon
 
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
byChristian Schneider
 
OWSAP Zap Tool Execution - API Security Scan
byPalani Kumar
 
GECon2017_ Security testing and selenium tests can you do one using the other...
byGECon_Org Team
 
Simon Bennetts - Automating ZAP
byDevSecCon
 

More from seleniumconf

PDF
Using Selenium to Improve a Teams Development Cycle
byseleniumconf
 
PPT
Building Quality with Foundations of Mud
byseleniumconf
 
PDF
More Than Automation - How Good Acceptance Tests Can Make Your Team Happier
byseleniumconf
 
PDF
Building a Selenium Community One Meetup at a Time
byseleniumconf
 
PDF
Introduction to selenium_grid_workshop
byseleniumconf
 
PDF
Selenium: State of the Union
byseleniumconf
 
PDF
Introducing Selenium Builder – the Future of Test Development
byseleniumconf
 
PPTX
Self-Generating Test Artifacts for Selenium/WebDriver
byseleniumconf
 
PDF
Automated Web App Performance Testing Using WebDriver
byseleniumconf
 
PPTX
Testing Rapidly Changing Applications With Self-Testing Object-Oriented Selen...
byseleniumconf
 
PPT
Building a Driver: Lessons Learned From Developing the Internet Explorer Driver
byseleniumconf
 
KEY
Massively Continuous Integration: From 3 days to 30 minutes
byseleniumconf
 
Using Selenium to Improve a Teams Development Cycle
byseleniumconf
 
Building Quality with Foundations of Mud
byseleniumconf
 
More Than Automation - How Good Acceptance Tests Can Make Your Team Happier
byseleniumconf
 
Building a Selenium Community One Meetup at a Time
byseleniumconf
 
Introduction to selenium_grid_workshop
byseleniumconf
 
Selenium: State of the Union
byseleniumconf
 
Introducing Selenium Builder – the Future of Test Development
byseleniumconf
 
Self-Generating Test Artifacts for Selenium/WebDriver
byseleniumconf
 
Automated Web App Performance Testing Using WebDriver
byseleniumconf
 
Testing Rapidly Changing Applications With Self-Testing Object-Oriented Selen...
byseleniumconf
 
Building a Driver: Lessons Learned From Developing the Internet Explorer Driver
byseleniumconf
 
Massively Continuous Integration: From 3 days to 30 minutes
byseleniumconf
 

Recently uploaded

PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Workflow and decision Automation with Flowable
bychakib ch
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 

Automated Security Testing

  • 1.
    Automated Security Testing Alan Parkinson @alan_parkinson
  • 2.
    Disclaimer! I'm NOT aSecurity Expert, but a developer passionate about quality
  • 3.
    Why the interestin Security? ● New Project - E-commerce ● Compliance ● PCI ● Privacy ● Ethics ● No site is too small to break into ● Security Testing is expensive
  • 4.
    Security Tools ● Attack Proxies: Sit between the Tester and Application ● Searches for patterns in HTTP traffic ● Help manual penetration testers ● Change values in HTTP traffic ● 3rd Party OnDemand scanning services ● Often for PCI compliance
  • 5.
    Zed Attack Proxy(ZAP) ● Open Source project forked from Paros Proxy ● Released in 2010 and OWASP top level project ● Easy to use Penetration testing tool – All Skill Levels ● Features: ● Passive scanning of HTTP traffic ● Active scanning of Web Apps ● Spiders, Fuzzing, Brute force and many more....
  • 6.
  • 7.
    Beyond Passive Scanning ● Use on Test Environments ONLY ● Active Scanning ● Spider vs Browser ● Real life Browser tests discover RESTful services ● Automated Browser Tests can teach ZAP
  • 8.
    Converting Browser Tests Using the ZAP HTTP Proxy Group test execution based on user roles
  • 10.
    Integrating ZAP intothe build RESTful API Ant tasks Maven Plugin Session management: New, Save and Open Tasks: Spider and Active Attack Results: Ignoring rules and Failing the build
  • 11.
    False Positives/Negatives Humans are not out of a job Some types of Security Vulnerabilities require Intelligence CI: Ignoring false positives are parameters to the Ant tasks
  • 12.
    Start ZAP RunBrowser Manual Testing Tests Active Scan Check Save Results Session Stop ZAP
  • 13.
    Build Integration –Stage 1 Nightly Build with Passive and Active Scanning. The ZAP session is saved for analysis by a human Not fast feedback, but accurate results
  • 14.
    Build Integration –Stage 2 Same Nightly Build with human analysis Passive scanning in Continuous Build Fast feedback, but for simple issues only
  • 15.
    Build Integration –Stage 3 Passive and Active scanning in Continuous Build Fast feedback but “Trigger Happy” on rule exclusion
  • 16.
    Conclusion ● Additional ROI on your tests ● Great for catching... ● Injection based attacks: XSS and SQL ● HTTP header and Cookie issues ● URL Redirect abuse ● False Positives ● Can be large for some types of tests ● Don't get “Trigger happy” on rule exceptions
  • 17.
    Automated Security Testing Alan Parkinson @alan_parkinson Demo: https://github.com/aparkinson/jenkins-webdriver ZAP: http://code.google.com/p/zaproxy/ OWASP: https://www.owasp.org Ant Demo: https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml