Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to GECon2017_ Security testing and selenium tests can you do one using the other_Aliaksandr_Haurylau,Aliaksei Rabchanka
Similar to GECon2017_ Security testing and selenium tests can you do one using the other_Aliaksandr_Haurylau,Aliaksei Rabchanka (20)
More from GECon_Org Team
More from GECon_Org Team (10)
Recently uploaded
Recently uploaded (20)
GECon2017_ Security testing and selenium tests can you do one using the other_Aliaksandr_Haurylau,Aliaksei Rabchanka
- 1. Security testing and Selenium tests: can you do one using the other?
- 2. AGENDA Why web security matters OWASP and OWASP tools ZAProxy capabilities Integration with Selenium tests Summary and Q&A Security testing and Selenium tests: can you do one using the other?
- 3. 3 • 14+ years of experience in Software Development • 5+ years in Web Development • Above 3 years in EPAM • Involved in variety of complex projects (including SECURITY) ABOUT US Aliaksei Rabchanka
- 4. 4 WWW and Potential Hazards
- 5. 5 Security for Web applications
- 6. 6 1.Those whose site is already broken 2.Those whose website has not yet been broken 3.Those who are familiar with the main vectors Companies of 3 types
- 7. 7 Web-security bothers citizens and governments
- 8. 8 … Not Full Information…
- 9. 9 99% - known issues
- 10. 10 Web-security draws attention of businesses Cyber Crime Costs Projected To Reach $2 Trillion by 2019 (Forbes, 2016) Cybersecurity spending to exceed $1 trillion from 2017 to 2021 (CSO, 2017)
- 11. 11 What we have now?
- 12. 12 OWASP TOP 10
- 13. 13 Have you ever done anything?
- 14. 14 How to find threats?
- 16. • Started earning with programming in XX century • Less 2 years in EPAM • Current position: Test Automation Engineer • Current project tasks: implementing functional automated tests for Web- and Desktop applications using Java and C# ABOUT ME Aliaksandr Haurylau
- 17. 17 • Open source • Cross platform • Community based • I18nalized OWASP Zed Attack Proxy Project
- 18. 18 1. Proxy 2. Spider 3. Passive scanner 4. Active scanner OWASP Zed Attack Proxy Project
- 19. 19 ZAP Features: Intercepting Proxy
- 20. 20 ZAP Features: Passive scanner
- 22. 22 ZAP Features: Active Scanner
- 23. 23 ZAP Features: Active Scanner You should NOT use it on web applications that you do not own!
- 24. 24 ZAP Features: Active Scanner Logical vulnerabilities may be not found by any active automated vulnerability scanning!
- 25. 25 Vulnerability alerts, reports and solutions
- 26. 26 OWASP Cheat Sheet Series Authentication1 Sessions management2 Access Control3 Input Validation4 Output Encoding5 Cross Domain6 Secure Transmission7 Logging8 Uploads9
- 27. 27 Where get ZAP ? https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- 28. 28 Launching and connecting to ZAP Recent release ZAP 2.6.0 (2017-03-29) Windows (64) Installer Windows (32) Installer Linux Installer Linux Package Mac OS/X Installer Cross Platform Package
- 29. 29 Launching and connecting to ZAP ZAP 2.6.0 (2017-03-29) Windows (64) Installer Windows (32) Installer Linux Installer Linux Package Mac OS/X Installer Cross Platform Package ZAP launches • Single or as a thread ? • Locally or remote ? • GUI or headless ? • Own or in CI/CD pipeline ?
- 30. 30 Launching and connecting to ZAP ZAP 2.6.0 (2017-03-29) Windows (64) Installer Windows (32) Installer Linux Installer Linux Package Mac OS/X Installer Cross Platform Package ZAP launches • Single or as a thread ? • Locally or remote ? • GUI or headless ? • Own or in CI/CD pipeline ? You have to: • Choose and set host:port • Generate API key • Generate CA Certificate
- 31. 31 ZAP usage flow: wrapping WebDriwer Start ZAP Start Selenium WebDriver Perform Selenium tests Close WebDriver Perform ZAP checks Close ZAP
- 32. 32 ZAP usage flow: running Selenium tests Start ZAP Start Selenium WebDriver Perform Selenium tests Close WebDriver Perform ZAP checks Close ZAP Passive scanning
- 33. 33 ZAP usage flow: performing ZAP checks Start ZAP Start Selenium WebDriver Perform Selenium tests Close WebDriver Perform ZAP checks Close ZAP Passive scanning Spidering Active scanning
- 34. 34 ZAP usage flow Start ZAP Start Selenium WebDriver Perform Selenium tests Close WebDriver Perform ZAP checks Close ZAP Passive scanning Spidering Active scanning Retrieving results
- 35. 35 API for interaction with ZAP
- 36. 36 API for interaction with ZAP https://github.com/zaproxy/zaproxy/wiki/ApiDetails Already “official” : Be approved soon:
- 37. 37 CI integration: Jenkins plugin https://wiki.jenkins.io/display/JENKINS/zap+plugin
- 38. 38 Summary: ideas to discuss:
- 39. 39 Summary: ideas to discuss:
- 40. 40 Thank you! Ready for ???
- 41. 41 Security testing and Selenium tests: can you do one using the other?