Automated Security Testing

Apr 18, 20129 likes7,759 views

This document discusses automated security testing using the Zed Attack Proxy (ZAP) tool. It describes how ZAP can be used to passively and actively scan web applications for security vulnerabilities by intercepting HTTP traffic. It also provides examples of integrating ZAP into continuous integration builds using its REST API and tasks for Ant and Maven. While automated testing finds many issues, some vulnerabilities still require human intelligence to identify false positives and negatives.

Automated Security Testing

Alan Parkinson

@alan_parkinson

Disclaimer!

I'm NOT a Security Expert, but a developer passionate
about quality

Why the interest in Security?
● New Project - E-commerce
● Compliance
● PCI
● Privacy
● Ethics
● No site is too small to break into
● Security Testing is expensive

Security Tools
● Attack Proxies: Sit between the Tester and Application
● Searches for patterns in HTTP traffic
● Help manual penetration testers
● Change values in HTTP traffic
●
3rd Party OnDemand scanning services
● Often for PCI compliance

Zed Attack Proxy (ZAP)
● Open Source project forked from Paros Proxy
● Released in 2010 and OWASP top level project
● Easy to use Penetration testing tool – All Skill Levels
● Features:
● Passive scanning of HTTP traffic
● Active scanning of Web Apps
● Spiders, Fuzzing, Brute force and many more....

Beyond Passive Scanning
● Use on Test Environments ONLY
● Active Scanning
● Spider vs Browser
● Real life Browser tests discover RESTful services
● Automated Browser Tests can teach ZAP

Converting Browser Tests

Using the ZAP HTTP Proxy

Group test execution based on user roles

Integrating ZAP into the build
RESTful API
Ant tasks
Maven Plugin

Session management: New, Save and Open
Tasks: Spider and Active Attack
Results: Ignoring rules and Failing the build

False Positives/Negatives

Humans are not out of a job

Some types of Security Vulnerabilities
require Intelligence

CI: Ignoring false positives are parameters to
the Ant tasks

Start ZAP

Run Browser
Manual Testing
Tests

Active Scan

Check Save
Results Session

Stop ZAP

Build Integration – Stage 1

Nightly Build with Passive and Active
Scanning. The ZAP session is saved for
analysis by a human

Not fast feedback, but accurate results

Build Integration – Stage 2

Same Nightly Build with human analysis

Passive scanning in Continuous Build

Fast feedback, but for simple issues only

Build Integration – Stage 3

Passive and Active scanning in
Continuous Build

Fast feedback but “Trigger Happy” on rule
exclusion

Conclusion
● Additional ROI on your tests
● Great for catching...
● Injection based attacks: XSS and SQL
● HTTP header and Cookie issues
● URL Redirect abuse
● False Positives
● Can be large for some types of tests
● Don't get “Trigger happy” on rule exceptions

Automated Security Testing

Alan Parkinson
@alan_parkinson

Demo: https://github.com/aparkinson/jenkins-webdriver
ZAP: http://code.google.com/p/zaproxy/
OWASP: https://www.owasp.org
Ant Demo:
https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml

This document discusses using functional test automation with the open source web application security scanner IronWasp to provide automated security testing of web applications. It outlines how Selenium test cases can be integrated with IronWasp to allow the scanner to crawl and test the full application workflow, providing security checks across all functional flows. This improves on traditional scanners by allowing testing of login screens, multi-page sequences, and ensuring the scanner has valid inputs to exercise all application features.

Security testautomationLinkesh Kanna Velu

This document discusses security test automation. It defines security testing and some key terms like vulnerability, spoofing, and SQL injection. It recommends tools from the OWASP project like ZAP and describes how to integrate ZAP into an automation workflow. An example workflow is described that uses ZAP to find issues like password autocomplete, application errors, and missing security headers. Integrating security scans with CI builds is advocated to improve security with little additional effort.

Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider

The document discusses integrating security testing into continuous integration pipelines, referred to as "Security DevOps". It proposes a "Security DevOps Maturity Model" with four axes: Static Depth, Dynamic Depth, Intensity, and Consolidation. For the Dynamic Depth axis, it describes different levels of integrating dynamic application security testing tools like ZAP, Arachni, BDD-Security, and Gauntlt to test public, authenticated, and backend application layers within a CI pipeline. Examples are given for configuring the tools to perform targeted scans during commits or nightly builds.

Automating security tests for Continuous IntegrationStephen de Vries

Two models for running automated security tests in a CI/CD pipeline: either blocking or parallel security tests Integration depends on the level of cultural integration of security into DevOps. 3 Models of test ownership: 1. Owned by Security team - least desirable 2. Owned by DevOps, overseen by security - better 3. Owned by SecDevOps, look Ma, no silos. Overview of BDD-Security Configuring Jenkins with BDD-Security as inline tests

The OWASP Zed Attack ProxyAditya Gupta

Continuous Security Testing in a Devops World #OWASPHelsinkiStephen de Vries

Automating OWASP ZAP - DevCSecCon talk Simon Bennetts

This document provides information about automating scans with the OWASP Zap security tool, including: - An introduction to the baseline scan, which runs quickly and can be easily integrated into continuous integration pipelines. - Options for more thorough scanning using the Zap command line interface, Jenkins plugin, or driving the Zap API directly from scripts. - Tips for customizing Zap scans, such as configuring authentication, tuning speed and accuracy, and getting help with the documentation and user community. - A demonstration of exploring targets using the Zap API, running passive and active scans, and generating reports programmatically.

Zed Attack Proxy (ZAP)JAINAM KAPADIYA

The document provides an overview of the OWASP Zed Attack Proxy (ZAP), an open-source web application security scanner. It discusses how ZAP can be used to automatically find vulnerabilities during development and testing. The document covers how to install ZAP and use its features like passive scanning, spidering, active scanning, fuzzing and brute forcing to analyze vulnerabilities. It also discusses ZAP's advantages in identifying issues and providing solutions, and potential disadvantages like lack of authentication.

Owasp zapColdFusionConference

This document discusses using the OWASP Zed Attack Proxy (ZAP) tool to find vulnerabilities in web applications. ZAP is a free and open-source web application penetration testing tool that can be used to conduct both automated and manual testing of applications. The document provides an overview of ZAP's features, how to install and configure it, how to test applications for vulnerabilities using both automated and direct methods, and how to integrate ZAP with other tools.

T23 HTML5 Security Testing at SpotifyTechWell

HTML5 is one of the hottest technologies around right now because HTML5 apps are beautiful, engaging, and can perform important and entertaining functions. With the wide range of devices and platforms to support, the promise of multi-platform support is appealing. But HTML5 apps present their own range of security issues. So, what do you do about security? How do you test HTML5 applications to ensure their security? Alexander Andelkovic works at Spotify where their streaming music player desktop client applications are all HTML5-based. Alexander explains how manual testers can get the most out of HTML5 app security testing and manifest of HTML5 apps. He covers these common security testing issues and more: cross-site scripting (script inclusion), privacy-related issues, data leakage, and permissions. Discover how, by being proactive, you can avoid having to search for security issues late in a development project.

Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider

In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers. Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow. I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.

Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay

Zed Attack Proxy (ZAP) is a free and open source web application security tool that can be used to test for vulnerabilities during the development and testing phases. It includes features like an intercepting proxy, spidering to discover hidden links, both active and passive scanning to detect vulnerabilities, and reporting of results. ZAP allows users to intercept web traffic, modify requests and responses, scan sites for issues like XSS and SQLi, analyze results, and generate detailed vulnerability reports.

Security Testing using ZAP in SFDCThinqloud

ZAP is an open-source web application security scanner that can identify security vulnerabilities. It works as a proxy to intercept web traffic and modify requests during security tests. Key features include automated scanning, fuzzing, and generating reports with risk levels. The document provides steps to install ZAP, configure certificates to allow HTTPS scanning, and use ZAP to analyze a Salesforce org or other web application for issues like exposed session IDs or missing security headers.

Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran

In Practical DevSecOps - DevSecOps Live online meetup, you’ll learn Automating security tests using Selenium and OWASP ZAP. Join Srinivas, Red Team Member at Banking Industry, also Offensive Security Certified Professional(OSCP) and Offensive Security Certified Expert(OSCE. He will cover Automating security tests using Selenium and OWASP ZAP. In this intriguing meetup, you will learn: 1. Introduction to automated vulnerability scans and their limitations. 2. A short introduction to how functional tests can be useful in performing robust security tests. 3. Introduction to selenium and OWASP ZAP 4. Proxying selenium tests through OWASP ZAP 5. Invoking authenticated active scans using OWASP ZAP 6. Obtaining scan reports … and more useful takeaways!

Vulnerabilities are bugs, Let's Test For Them!VAddy

The document introduces VAddy, a continuous security testing service that allows development teams to easily integrate automated vulnerability scans into their development workflows. It highlights issues with existing security testing tools, such as difficulty of setup and maintenance. VAddy aims to simplify continuous security testing through a SaaS model that requires no installation and supports various integration methods. It uses machine learning to scan applications automatically without extensive configuration.

DevOps & Security: Here & NowCheckmarx

How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-pace environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated. Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes.

Just Enough Threat ModelingStephen de Vries

This document discusses techniques for optimizing threat modeling to require fewer resources. It proposes using templates and risk patterns to generate threats and countermeasures for common application components and use cases. This allows for more efficient "just enough" threat modeling compared to traditional manual methods. The document demonstrates how to decompose templates into reusable risk patterns and generate threat models through a rules engine. It also introduces the open source IriusRisk tool for implementing this approach.

Continuous Security Testing - DevSecConStephen de Vries

This document discusses integrating security testing into continuous delivery pipelines. It argues that security testing should be performed continuously and automated like other tests, rather than as a separate process. The document recommends that development, operations, and security teams work together in a "SecDevOps" model where security testing is integrated into regular testing workflows and everyone shares responsibility. It presents the BDD-Security framework as an example of how behavior-driven development can be used to automate continuous security testing that runs with each code change.

Security Automation using ZAPVaibhav Gupta

The document discusses automating security scans using the Zed Attack Proxy (ZAP). It provides an overview of ZAP and its graphical user interface. It then discusses how various aspects of ZAP can be automated using its APIs, including spidering, passive scanning, active scanning, and authenticated scanning. It provides Python code examples to initialize ZAP, run spiders and scans, and access other ZAP features programmatically. It concludes with use cases for automating ZAP at scale or integrating it with continuous integration systems.

SecDevOps - The Operationalisation of SecurityDinis Cruz

Learn to pen-test with OWASP ZAPPaul Ionescu

Proactive Security AppSec Case StudyAndy Hoernecke

2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts

The document outlines an OWASP ZAP workshop on contexts and fuzzing. The plan is to demonstrate ZAP features, allow participants to experiment with them, and answer any questions. Contexts allow assigning characteristics like scope and authentication to groups of URLs. Practicals involve creating contexts, fuzzing input fields, using multi-fuzz tools, and advanced scanning options. Future sessions could cover other ZAP topics like scripts, Zest, the API, and marketplace add-ons.

BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts

OWASP ZAP is a free and open source web application security scanner used by both beginners and professionals. It has over 40,000 downloads and is the most active project within OWASP. ZAP provides both basic scanning functionality as well as advanced features like contexts, custom scanning policies, scripting via JavaScript and Zest, and integration with browsers through plug-n-hack. The tool is under active development with projects around improved fuzzing, access control testing, and a Zest add-on for Firefox.

OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts

The Joy of Proactive SecurityAndy Hoernecke

The document discusses Netflix's approach to proactive security. It outlines the challenges of securing a modern infrastructure with hundreds of applications and instances deploying code continuously. Netflix's solution is to implement proactive security controls that are integrated, automated, scalable and adaptive using tools like Monterey, Simian Army, Dirty Laundry, Security Monkey and Speedbump. The approach focuses on finding problems early, knowing weaknesses, monitoring for anomalies, collecting meaningful data, simplifying security for developers, reevaluating approaches, and sharing learnings with others.

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav

s its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority: - Integrate effective threat modeling into Agile development practices - Introduce Security Automation into Continuous Integration - Integrate Security Automation into Continuous Deployment While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic: - The talk will be replete with anecdotes from personal consulting and penetration testing experiences. - I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle. - I firmly believe that Automated Web Vulnerability Assessment (using scanners) no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST. I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, its impossible to have a one size-fits all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app. - My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools. - Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.

BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts

The document discusses the advanced features of OWASP ZAP, an open source web application penetration testing tool. It provides statistics on ZAP's usage and development community. Key advanced features discussed include contexts for scoping tests, advanced scanning options, scripting through languages like Zest and JavaScript, plug-n-hack for browser integration, and various works in progress. The source code is currently hosted on Google Code but may move to GitHub.

Rugged DevOps: Bridging Security and DevOpsJames Wickett

DevOps AppSec Pipeline Velcocity NY 2015Aaron Weaver

More Related Content

What's hot (20)

Owasp zapColdFusionConference

T23 HTML5 Security Testing at SpotifyTechWell

Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider

Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay

Security Testing using ZAP in SFDCThinqloud

Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran

Vulnerabilities are bugs, Let's Test For Them!VAddy

DevOps & Security: Here & NowCheckmarx

Just Enough Threat ModelingStephen de Vries

Continuous Security Testing - DevSecConStephen de Vries

Security Automation using ZAPVaibhav Gupta

SecDevOps - The Operationalisation of SecurityDinis Cruz

Learn to pen-test with OWASP ZAPPaul Ionescu

Proactive Security AppSec Case StudyAndy Hoernecke

2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts

BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts

OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts

The Joy of Proactive SecurityAndy Hoernecke

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav

BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts

Owasp zapColdFusionConference

T23 HTML5 Security Testing at SpotifyTechWell

Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider

Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay

Security Testing using ZAP in SFDCThinqloud

Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran

Vulnerabilities are bugs, Let's Test For Them!VAddy

DevOps & Security: Here & NowCheckmarx

Just Enough Threat ModelingStephen de Vries

Continuous Security Testing - DevSecConStephen de Vries

Security Automation using ZAPVaibhav Gupta

SecDevOps - The Operationalisation of SecurityDinis Cruz

Learn to pen-test with OWASP ZAPPaul Ionescu

Proactive Security AppSec Case StudyAndy Hoernecke

2014 ZAP Workshop 2: Contexts and FuzzingSimon Bennetts

BlackHat 2014 OWASP ZAP Turbo TalkSimon Bennetts

OWASP 2013 APPSEC USA Talk - OWASP ZAPSimon Bennetts

The Joy of Proactive SecurityAndy Hoernecke

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav

BSides Manchester 2014 ZAP Advanced FeaturesSimon Bennetts

Viewers also liked (20)

Rugged DevOps: Bridging Security and DevOpsJames Wickett

DevOps AppSec Pipeline Velcocity NY 2015Aaron Weaver

Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries

This document discusses continuous security testing in a DevOps environment. It advocates treating security testing as a form of quality testing that is automated and integrated into continuous delivery pipelines. The author presents the BDD-Security testing framework, which uses behavior-driven development and test automation tools like Selenium to write security tests against applications. The framework wraps security scanning tools like OWASP ZAP and integrates security testing into continuous integration pipelines like Jenkins. This allows security to keep up with DevOps practices like deploying code changes multiple times per day.

LasCon 2014 DevOoops Chris Gates

In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure. Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.

Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker

Security testing is an important part of any (agile) secure software development lifecyle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers." Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP's security development lifecycle which supports the specific needs of the various software development models at SAP. In this presentation, we will briefly presents SAP's approach to an agile secure software development process in general and, in particular, present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.

Continous Integration of (JS) projects & check-build philosophyFrançois-Guillaume Ribreau

Pythonista も ls を読むべきか？Katsunori FUJIWARA

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataDenim Group

Measuring the effectiveness of any security activity is widely discussed – security leaders debate the topic with a religious fervor rivaling that of any other hot button issue. Virtually every organization has some sort of application security training effort, but data on training effectiveness remains scarce. Last year our research team delivered the first-ever survey that captured developer awareness of secure coding concepts and the impact of formal application security training on a developer’s ability to write secure code. We learned that most software developer were aware of certain application security concepts, yet when asked how to write more secure code, they faired poorly. This year’s 600-developer survey provides more quantitative data on what software developers understand about application security, both concepts and practices. It dives most deeply into awareness of defensive coding practices, which most developers largely did not grasp in the 2013 survey. It also is separates respondents by roles, so we can better understand how architects, developers, and QA staff grasp key application security concepts and put them to work. It better captures how software developers learn in general, so one can tailor any security training effort to how software developers, in practice, actually learn. This information will provide data to application security managers responsible for corporate security training that should allow them them to make more fact-based decisions about security training.

Cybersecurity by the numbersAPNIC

Threat Modeling And AnalysisLalit Kale

Continuous and Visible Security Testing with BDD-SecurityStephen de Vries

Building Risk Management into Enterprise Architectureiasaglobal

By Bill Estrem, MN Chapter Conference 11/15/2013 Get Lucky: Building Risk Management into Enterprise Architecture This presentation will examine how enterprise architects can apply risk management capabilities to the development and operation of an enterprise architecture. The approach incorporates the TOGAF 9 Risk Management framework along with other risk management methods. In particular, the approach will focus on the The Open Group Risk Management Taxonomy and Risk Assessment standard. Bill Estrem - President of Metaplexity Associates LLC

Integración contínua con JenkinsCésar Hernández

El documento habla sobre la integración continua y Jenkins. Explica los problemas con el ciclo de vida del software tradicional como falta de automatización y visibilidad. Jenkins es una herramienta que monitorea tareas de manera repetitiva para construir y probar software continuamente, resolviendo parcialmente estos problemas. Ofrece ventajas como prevención de errores y aseguramiento de calidad.

OWASP WTE - Now in the Cloud!Matt Tesauro

This document provides information about the OWASP Web Testing Environment (WTE) project and its leader Matt Tesauro. It discusses the history and goals of the WTE project, which provides a collection of web application security testing tools in an easy-to-use environment. It also outlines ideas for the future of the project, such as providing automated cloud-based instances of the WTE and aligning its tools with the OWASP Testing Guide.

New Farming Methods in the Epistemological Wasteland of Application SecurityJames Wickett

Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches. We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing. http://lascon.org http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3

Real World Application Threat Modelling By ExampleNCC Group

This document provides an overview of threat modeling a virtual appliance called the Djigzo Email Encryption Gateway. It describes a process for enumerating the technologies, interfaces, and functionality of the appliance without initial knowledge. This includes getting shell access, mapping listening ports, reviewing processes, and examining the database. Next, it creates high-level and low-level dataflow diagrams. Finally, it develops an initial threat model by brainstorming threats against different interfaces like the web interface, admin console, and mail transfer agent. The presentation concludes that thorough threat modeling requires deep security knowledge and significant effort to understand risks and verify mitigations.

DevSecOps: Taking a DevOps Approach to SecurityAlert Logic

The Journey to DevSecOpsSeniorStoryteller

This document discusses the evolution of DevSecOps and provides guidance for security professionals. It notes that DevSecOps approaches have gained popularity as DevOps has grown over the past decade. It recommends that security professionals focus on detection over protection, embrace a blameless culture of continuous improvement, and get involved in DevSecOps communities to help build security tools and practices.

Matt carroll - "Security patching system packages is fun" said no-one everDevSecCon

This document summarizes Matt Carroll's talk on making security patching of system packages less tedious for engineers. It discusses how automating work distribution and feedback through tools like JIRA, establishing clear deadlines, and streamlining documentation can increase agency and motivation. The overall goal is to reduce pain points and uncertainty to encourage proactive security practices rather than treating it as an "arcane ritual".

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath

Rugged DevOps: Bridging Security and DevOpsJames Wickett

DevOps AppSec Pipeline Velcocity NY 2015Aaron Weaver

Continuous Security Testing with Devops - OWASP EU 2014Stephen de Vries

LasCon 2014 DevOoops Chris Gates

Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker

Continous Integration of (JS) projects & check-build philosophyFrançois-Guillaume Ribreau

Pythonista も ls を読むべきか？Katsunori FUJIWARA

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataDenim Group

Cybersecurity by the numbersAPNIC

Threat Modeling And AnalysisLalit Kale

Continuous and Visible Security Testing with BDD-SecurityStephen de Vries

Building Risk Management into Enterprise Architectureiasaglobal

Integración contínua con JenkinsCésar Hernández

OWASP WTE - Now in the Cloud!Matt Tesauro

New Farming Methods in the Epistemological Wasteland of Application SecurityJames Wickett

Real World Application Threat Modelling By ExampleNCC Group

DevSecOps: Taking a DevOps Approach to SecurityAlert Logic

The Journey to DevSecOpsSeniorStoryteller

Matt carroll - "Security patching system packages is fun" said no-one everDevSecCon

DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath

Similar to Automated Security Testing (20)

OWASP ZAP API AutomationThivya Lakshmi

This document provides an agenda for an OWASP ZAP API automation workshop. It will include an introduction to ZAP, familiarizing with the UI, using ZAP with Selenium for hands-on exercises, exploring key ZAP features like intercepting proxy, spider, passive/active scanners, fuzzing, and report generation using the ZAP API. It will also demonstrate integrating ZAP with CI/CD pipelines for security testing. The document provides details on active scanning, report generation, fuzzing, and accessing ZAP rules and a GitHub repo for hands-on exercises. It concludes with mentioning additional ZAP features like authentication, anti-CSRF, port scanning, and the ZAP marketplace.

Ui Testing with Ghost InspectorHarvard Web Working Group

Jay Luker will be presenting an introduction to Ghost Inspector, a cloud-based web UI testing service that takes some (some!) of the pain away from creating browser-based, web application tests. Think Selenium, but for projects that are short on the resources, infrastructure and/or coding expertise to confidently develop and manage a suite of fully automated, “good-enough” UI tests. Jay is a Senior Software Engineer at Harvard DCE where he works on back-end applications and software for analytics data collection, deployment automation, and integration testing for the Extension School’s video processing and delivery system. Previously he has been an IT Specialist at the Smithsonian Astrophysics Data System, and a Software Developer at Ex Libris.

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23

https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017#tab=Conference_0101_talks In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges. This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example.

JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts

This document summarizes a presentation about using the OWASP Zed Attack Proxy (ZAP) for security testing during the development process. ZAP is an open source web application security scanner that can be used by developers to automate security testing. The presentation covers how to configure and use ZAP to explore applications, perform passive and active scans, and integrate ZAP into the development workflow through its API and scripting capabilities. It emphasizes that considering security early in development helps build more secure applications.

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oct 15 2017 http://cybersecurity.withthebest.com In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.

DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00

- The document discusses integrating the OWASP ZAP web application security scanner with Selenium automated tests to improve vulnerability coverage during dynamic application security testing (DAST). - It proposes proxying Selenium test traffic through ZAP to perform passive scanning, then triggering an active ZAP scan via API during the continuous integration/deployment pipeline. - Scan reports can be retrieved in various formats and findings imported into a vulnerability management system. A demonstration is provided.

2021 ZAP Automation in CI/CDSimon Bennetts

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev

API Testing with Frisby and MochaLyudmila Anisimova

Silent web app testing by example - BerlinSides 2011Abraham Aranguren

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23

we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav

OWASP 2013 EU Tour Amsterdam ZAP IntroSimon Bennetts

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23

The Best Postman Alternatives to Streamline API Testing.pdfronikakashyap1

Zap attack proxyArtem Vasilenko

Security testing is a process to determine if an information system protects data and functions as intended, and involves challenges like requiring specialized skills, ongoing effort, tools, budgets, and automation. The Zed Attack Proxy (ZAP) is an easy-to-use tool for finding vulnerabilities in web applications that can be used by developers, testers, and security specialists of all experience levels through both automated and manual scanning. ZAP provides passive and active scanning, reports, integration with CI/CD pipelines, and is open source.

High Performance Software Engineering TeamsLars Thorup

JoinSEC 2013 London - ZAP IntroSimon Bennetts

ZAP (Zed Attack Proxy) is a free and open-source web application penetration testing tool developed by the OWASP Foundation to help find vulnerabilities in web applications. It includes features like an intercepting proxy, scanners, a spider, fuzzing tools and a macro language to aid in testing applications. The tool is actively developed by a community of contributors and used by both professionals and beginners for tasks like security testing, debugging and regression testing of applications.

2014 ZAP Workshop 1: Getting StartedSimon Bennetts

This document discusses an introduction to using OWASP ZAP, an open source web application security scanning tool. It provides an overview of ZAP's capabilities and principles, including that it is free, open source, and designed to be easy to use for both beginners and professionals. The document then demonstrates several features of ZAP through practical examples, such as using the quick start feature to scan a target site, configuring the browser as a proxy, and intercepting requests and responses. It concludes with potential topics to cover in future sessions, and invites questions from the audience.

Katalon Studio - A Codeless Automation Tool.pdfKnoldus Inc.

Katalon Studio is a codeless automation testing tool that allows users to create tests visually without writing code. It uses a drag and drop interface or record and playback functionality to automate tests. Some key benefits of codeless automation with Katalon Studio include reduced test automation time, higher test coverage through increased regression test execution, cross-browser and cross-platform testing capabilities, and integration with continuous integration/continuous delivery tools. The presentation demonstrated Katalon Studio's features for web UI testing, API testing, and code-based versus codeless automation approaches.

OWASP ZAP API AutomationThivya Lakshmi

Ui Testing with Ghost InspectorHarvard Web Working Group

N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23

JavaOne 2014 Security Testing for Developers using OWASP ZAPSimon Bennetts

N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23

DAST in CI/CD pipelines using Selenium & OWASP ZAPsrini0x00

2021 ZAP Automation in CI/CDSimon Bennetts

10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev

API Testing with Frisby and MochaLyudmila Anisimova

Silent web app testing by example - BerlinSides 2011Abraham Aranguren

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23

we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav

OWASP 2013 EU Tour Amsterdam ZAP IntroSimon Bennetts

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...gmaran23

The Best Postman Alternatives to Streamline API Testing.pdfronikakashyap1

Zap attack proxyArtem Vasilenko

High Performance Software Engineering TeamsLars Thorup

JoinSEC 2013 London - ZAP IntroSimon Bennetts

2014 ZAP Workshop 1: Getting StartedSimon Bennetts

Katalon Studio - A Codeless Automation Tool.pdfKnoldus Inc.

More from seleniumconf (12)

Using Selenium to Improve a Teams Development Cycleseleniumconf

Building Quality with Foundations of Mudseleniumconf

This document discusses strategies for improving test environments and test data to better match production environments. It recommends empowering developers to take full responsibility for testing from specification to deployment. Tests should run quickly and have a low tolerance for intermittent failures. Where parts of the system are difficult to test, techniques like stubs can be used to isolate those components for improved testability and reliability, while still achieving near 100% coverage of core and interface logic. Live integration tests against the full system should be kept to a minimum due to general flakiness.

More Than Automation - How Good Acceptance Tests Can Make Your Team Happierseleniumconf

The document discusses refactoring acceptance tests written in Cucumber to make the code less maintainable. It provides examples of steps like removing documentation, conflating scenarios, and inserting unnecessary details to obscure the purpose of the tests. The overall goal is to make the tests harder for others to understand so as to protect one's job as a "mortgage-driven developer" who prioritizes job security over maintainable code.

Building a Selenium Community One Meetup at a Timeseleniumconf

Introduction to selenium_grid_workshopseleniumconf

Selenium Grid allows users to maintain a cluster of Selenium nodes, configure tests for different environments, and parallelize tests. The Selenium Grid Hub manages Selenium Grid Nodes, which host browsers. Users can start the Hub and Nodes, configure them via JSON or YAML files, and view the grid state in the console. Tests are run by connecting to the Hub via a RemoteWebDriver and treating the Hub as a remote server. The grid can be extended by contributing new servlets, prioritizers, capability matchers, or remote proxies to customize the grid's behavior.

Selenium: State of the Unionseleniumconf

The document provides a year in review summary for Selenium, including key releases, downloads, contributors, and goals for the future. It notes that version 2.0 was released in July 2011, with 2.21 released in April 2012. There were over 1.5 million downloads per day for the Java library and 1.7 million downloads for the Ruby gem. The community grew to over 60 committers. Challenges mentioned include latency, user friendliness, flakiness, mobile testing, and establishing Selenium as a W3C standard. The summary looks back on the past year and looks forward to keeping Selenium improving.

Introducing Selenium Builder – the Future of Test Developmentseleniumconf

The document discusses Se Builder, an open source tool for authoring and running Selenium tests. It provides a history of the project and details its current Selenium 1 and 2 support. The document outlines plans to improve community involvement, test authoring support across browsers, and extensibility through plugins. The goal is to create a unified and modular test authoring experience that works across Selenium versions.

Self-Generating Test Artifacts for Selenium/WebDriverseleniumconf

The document discusses issues with maintaining automated tests when a website undergoes frequent changes. It proposes generating page object models on every build to account for changes as they happen. This avoids failures from id, type, or navigation path changes. Developers must fix type changes before check-in. With regeneration, tests absorb insignificant changes and the test pass rate improves from identifying issues within 24 hours without noise. The approach provides a model to generate additional tests around standards, errors, forms and security. While reported defects did not decrease, the solution allowed increased velocity and faster feature addition.

Automated Web App Performance Testing Using WebDriverseleniumconf

This document discusses techniques for using WebDriver to perform web performance testing. It recommends measuring page load performance and interactive scenarios using tools like WebPageTest.org. It also suggests "marrying" WebDriver and WebPageTest by using functional tests to measure performance while test runs. Finally, it provides tips on how to instrument pages to measure load times around WebDriver calls and browser standards for performance metrics.

Testing Rapidly Changing Applications With Self-Testing Object-Oriented Selen...seleniumconf

Dan Cuellar discusses strategies for writing automated tests that are robust and maintainable in the face changing codebases and features. These include separating logical test actions from direct controller calls, centralizing site elements and logic, adding self-testing capabilities, consolidating product actions into abstracted libraries, and creating platform-agnostic test scripts. The goal is to design tests that can adapt easily without extensive rework when underlying systems evolve rapidly.

Building a Driver: Lessons Learned From Developing the Internet Explorer Driverseleniumconf

Massively Continuous Integration: From 3 days to 30 minutesseleniumconf

This document discusses how Attask transitioned from monthly software releases that took 3-5 days for acceptance testing to daily releases that can be deployed within 30-45 minutes through the use of continuous integration and deployment practices. It overviews Attask's pipeline for building, deploying, testing, and destroying code. Key aspects discussed include using Selenium for automated UI testing at a large scale across many browsers through a Selenium Grid, integrating testing into the development pipeline, leveraging tools like Jenkins and Amazon EC2 for automation, and gaining visibility, accountability, and scalability through the process.

Using Selenium to Improve a Teams Development Cycleseleniumconf

Building Quality with Foundations of Mudseleniumconf

More Than Automation - How Good Acceptance Tests Can Make Your Team Happierseleniumconf

Building a Selenium Community One Meetup at a Timeseleniumconf

Introduction to selenium_grid_workshopseleniumconf

Selenium: State of the Unionseleniumconf

Introducing Selenium Builder – the Future of Test Developmentseleniumconf

Self-Generating Test Artifacts for Selenium/WebDriverseleniumconf

Automated Web App Performance Testing Using WebDriverseleniumconf

Testing Rapidly Changing Applications With Self-Testing Object-Oriented Selen...seleniumconf

Building a Driver: Lessons Learned From Developing the Internet Explorer Driverseleniumconf

Massively Continuous Integration: From 3 days to 30 minutesseleniumconf

Recently uploaded (20)

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

This is a Quick Research Guide (QRG). QRGs include the following: - A brief, high-level overview of the QRG topic. - A milestone timeline for the QRG topic. - Links to various free online resource materials to provide a deeper dive into the QRG topic. - Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic. QRGs planned for the series: - Artificial Intelligence QRG - Quantum Computing QRG - Big Data Analytics QRG - Spacecraft Guidance, Navigation & Control QRG (coming 2026) - UK Home Computing & The Birth of ARM QRG (coming 2027) Any questions or comments? - Please contact Arthur Morgan at [email protected]. 100% human made.

Automation Dreamin': Capture User Feedback From AnywhereLynda Kane

ThousandEyes Partner Innovation Updates for May 2025ThousandEyes

"PHP and MySQL CRUD Operations for Student Management System"Jainul Musani

Rusty Waters: Elevating Lakehouses Beyond Sparkcarlyakerly1

Spark is a powerhouse for large datasets, but when it comes to smaller data workloads, its overhead can sometimes slow things down. What if you could achieve high performance and efficiency without the need for Spark? At S&P Global Commodity Insights, having a complete view of global energy and commodities markets enables customers to make data-driven decisions with confidence and create long-term, sustainable value. 🌍 Explore delta-rs + CDC and how these open-source innovations power lightweight, high-performance data applications beyond Spark! 🚀

Automation Dreamin' 2022: Sharing Some Gratitude with Your UsersLynda Kane

TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc

Most consumers believe they’re making informed decisions about their personal data—adjusting privacy settings, blocking trackers, and opting out where they can. However, our new research reveals that while awareness is high, taking meaningful action is still lacking. On the corporate side, many organizations report strong policies for managing third-party data and consumer consent yet fall short when it comes to consistency, accountability and transparency. This session will explore the research findings from TrustArc’s Privacy Pulse Survey, examining consumer attitudes toward personal data collection and practical suggestions for corporate practices around purchasing third-party data. Attendees will learn: - Consumer awareness around data brokers and what consumers are doing to limit data collection - How businesses assess third-party vendors and their consent management operations - Where business preparedness needs improvement - What these trends mean for the future of privacy governance and public trust This discussion is essential for privacy, risk, and compliance professionals who want to ground their strategies in current data and prepare for what’s next in the privacy landscape.

Buckeye Dreamin' 2023: De-fogging Debug LogsLynda Kane

Build Your Own Copilot & Agents For DevsBrian McKeiver

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

Image processinglab image processing image processingRaghadHany

Datastucture-Unit 4-Linked List Presentation.pptxkaleeswaric3

Semantic Cultivators : The Critical Future Role to Enable AIartmondano

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

"Rebranding for Growth", Anna VelykoivanenkoFwdays

The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfAbi john

Learn the Basics of Agile Development: Your Step-by-Step GuideMarcel David

Procurement Insights Cost To Value Guide.pptxJon Hansen

Cyber Awareness overview for 2025 month of securityriccardosl1

Big Data Analytics Quick Research Guide by Arthur MorganArthur Morgan

Automation Dreamin': Capture User Feedback From AnywhereLynda Kane

ThousandEyes Partner Innovation Updates for May 2025ThousandEyes

"PHP and MySQL CRUD Operations for Student Management System"Jainul Musani

Rusty Waters: Elevating Lakehouses Beyond Sparkcarlyakerly1

Automation Dreamin' 2022: Sharing Some Gratitude with Your UsersLynda Kane

TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc

Buckeye Dreamin' 2023: De-fogging Debug LogsLynda Kane

Build Your Own Copilot & Agents For DevsBrian McKeiver

Drupalcamp Finland – Measuring Front-end Energy ConsumptionExove

Image processinglab image processing image processingRaghadHany

Datastucture-Unit 4-Linked List Presentation.pptxkaleeswaric3

Semantic Cultivators : The Critical Future Role to Enable AIartmondano

Electronic_Mail_Attacks-1-35.pdf by xploitniftliyevhuseyn

Linux Professional Institute LPIC-1 Exam.pdfRHCSA Guru

"Rebranding for Growth", Anna VelykoivanenkoFwdays

The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfAbi john

Learn the Basics of Agile Development: Your Step-by-Step GuideMarcel David

Procurement Insights Cost To Value Guide.pptxJon Hansen

Cyber Awareness overview for 2025 month of securityriccardosl1

Automated Security Testing

1. Automated Security Testing Alan Parkinson @alan_parkinson

2. Disclaimer! I'm NOT a Security Expert, but a developer passionate about quality

3. Why the interest in Security? ● New Project - E-commerce ● Compliance ● PCI ● Privacy ● Ethics ● No site is too small to break into ● Security Testing is expensive

4. Security Tools ● Attack Proxies: Sit between the Tester and Application ● Searches for patterns in HTTP traffic ● Help manual penetration testers ● Change values in HTTP traffic ● 3rd Party OnDemand scanning services ● Often for PCI compliance

5. Zed Attack Proxy (ZAP) ● Open Source project forked from Paros Proxy ● Released in 2010 and OWASP top level project ● Easy to use Penetration testing tool – All Skill Levels ● Features: ● Passive scanning of HTTP traffic ● Active scanning of Web Apps ● Spiders, Fuzzing, Brute force and many more....

6. Getting Started with ZAP

7. Beyond Passive Scanning ● Use on Test Environments ONLY ● Active Scanning ● Spider vs Browser ● Real life Browser tests discover RESTful services ● Automated Browser Tests can teach ZAP

8. Converting Browser Tests Using the ZAP HTTP Proxy Group test execution based on user roles

10. Integrating ZAP into the build RESTful API Ant tasks Maven Plugin Session management: New, Save and Open Tasks: Spider and Active Attack Results: Ignoring rules and Failing the build

11. False Positives/Negatives Humans are not out of a job Some types of Security Vulnerabilities require Intelligence CI: Ignoring false positives are parameters to the Ant tasks

12. Start ZAP Run Browser Manual Testing Tests Active Scan Check Save Results Session Stop ZAP

13. Build Integration – Stage 1 Nightly Build with Passive and Active Scanning. The ZAP session is saved for analysis by a human Not fast feedback, but accurate results

14. Build Integration – Stage 2 Same Nightly Build with human analysis Passive scanning in Continuous Build Fast feedback, but for simple issues only

15. Build Integration – Stage 3 Passive and Active scanning in Continuous Build Fast feedback but “Trigger Happy” on rule exclusion

16. Conclusion ● Additional ROI on your tests ● Great for catching... ● Injection based attacks: XSS and SQL ● HTTP header and Cookie issues ● URL Redirect abuse ● False Positives ● Can be large for some types of tests ● Don't get “Trigger happy” on rule exceptions

17. Automated Security Testing Alan Parkinson @alan_parkinson Demo: https://github.com/aparkinson/jenkins-webdriver ZAP: http://code.google.com/p/zaproxy/ OWASP: https://www.owasp.org Ant Demo: https://code.google.com/p/zaproxy/source/browse/trunk/build/build-api.xml

Automated Security Testing

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Automated Security Testing (20)

More from seleniumconf (12)

Recently uploaded (20)

Automated Security Testing