Automated Security Testing - OWASP Israel 2017 Chapter Meeting
Automated Security Testing
OWASP Israel 2017 Chapter Meeting
3 April 2017
http://goo.gl/sphN9w
Demo: Building Security Testing from
existing automation tests
Agenda
Approaches to Application Security Testing
Building Blocks
Live demo
Future plans
About me
Software Developer and Security Evangelist at Soluto
26yrs old
Writing code for the last 8 years
@omerlh: Github/Twitter
Approaches to Application Security Testing
Static: Code analysis - Checkmarx (our host :))
Dynamic: Live analysis
Integrated: Combination of Static and Dynamic
ZAP - Zed Attack Proxy
“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most
popular free security tools”
API/cli
Active Scan Mode (spider)
Passive Scan Mode
Webdriver.io
“WebdriverIO lets you control a browser or a mobile application
with just a few lines of code.”
Simple Selenium binding for JS
Very popular framework for automation testing
Docker
“Docker is the world’s leading software container platform”
“Using containers, everything required to make a piece of
software run is packaged into isolated containers”
OWASP Mutillidae
“free, open source, deliberately vulnerable web-application”
Used to demonstrate ZAP Capabilities
Docker image
Live Demo
All the code is available at Github
Comparison with Zap Active Scan
Better coverage of the tested app
Take advantage of existing tests
No additional setup - baseline scan
Mixed test types - automation and security
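The demo's approach, as an added example that is not the talk's own code: the existing WebdriverIO tests are pointed at ZAP as a browser proxy so the passive scanner sees the traffic they generate, and the alerts ZAP collects are then turned into a pass/fail gate. The ZAP host, port, API key and the sample alert list are assumed placeholders.

```javascript
// Added example (not from the talk's repository). Assumed: ZAP listens on
// localhost:8080 and its API key is a placeholder to be replaced.
const ZAP = { host: 'localhost', port: 8080, apiKey: 'CHANGE-ME' };

// Selenium "proxy" capability for wdio.conf.js: every browser request goes via
// ZAP, so the passive scan covers exactly what the functional tests exercise.
const zapProxyCapability = {
  browserName: 'chrome',
  proxy: {
    proxyType: 'manual',
    httpProxy: `${ZAP.host}:${ZAP.port}`,
    sslProxy: `${ZAP.host}:${ZAP.port}`,
  },
};

// ZAP's risk levels, lowest to highest.
const RISK_ORDER = ['Informational', 'Low', 'Medium', 'High'];

// Summarise the "alerts" array returned by ZAP's core/view/alerts endpoint:
// deduplicate by (alert name, url), count per risk level, and fail the build
// when any alert is at or above minRisk.
function summarizeAlerts(alerts, minRisk = 'Medium') {
  const threshold = RISK_ORDER.indexOf(minRisk);
  const seen = new Set();
  const counts = { Informational: 0, Low: 0, Medium: 0, High: 0 };
  const failing = [];
  for (const a of alerts) {
    const key = `${a.alert}|${a.url}`;
    if (seen.has(key)) continue; // same finding reported on a repeat visit
    seen.add(key);
    counts[a.risk] = (counts[a.risk] || 0) + 1;
    if (RISK_ORDER.indexOf(a.risk) >= threshold) {
      failing.push({ alert: a.alert, risk: a.risk, url: a.url });
    }
  }
  return { counts, failing, passed: failing.length === 0 };
}

// Pull the alerts ZAP recorded for the app under test (ZAP JSON API; Node 18+
// global fetch). Call this from the wdio onComplete hook after the test run.
async function fetchZapAlerts(baseurl) {
  const url = `http://${ZAP.host}:${ZAP.port}/JSON/core/view/alerts/` +
    `?baseurl=${encodeURIComponent(baseurl)}`;
  const res = await fetch(url, { headers: { 'X-ZAP-API-Key': ZAP.apiKey } });
  return (await res.json()).alerts;
}

// Constructed sample in the shape ZAP returns, as a Mutillidae run might yield.
const SAMPLE_ALERTS = [
  { alert: 'X-Frame-Options Header Not Set', risk: 'Medium', url: 'http://mutillidae/index.php' },
  { alert: 'X-Frame-Options Header Not Set', risk: 'Medium', url: 'http://mutillidae/index.php' },
  { alert: 'Cookie No HttpOnly Flag', risk: 'Low', url: 'http://mutillidae/index.php' },
];
```

In `onComplete`, `summarizeAlerts(await fetchZapAlerts(baseUrl))` gives the verdict; throwing when `passed` is false fails the CI job.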
Future Plans
Alerts processing - see this issue
Use Jenkins plugin? (we are using TeamCity)
Dedicated security tests
Integrate Active Scan (XSS Dom plugin)
SSL/HSTS
Mobile/Certificate pinning override
Questions?
We are hiring!
Check out our blog