Practical Security Automation and Testing

By: Tony Hsiang-Chih Hsu

Overview of this book

Security automation is the automatic handling of software security assessment tasks. This book helps you build your own security automation framework to scan for vulnerabilities without human intervention. It will teach you to adopt security automation techniques to continuously improve your entire software development and security testing process. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, REST API, privacy, infrastructure security, and web UI testing. With the help of practical examples, this book will teach you to combine automation and security in DevOps. You will learn how to integrate security testing results into an overall security status for projects. By the end of this book, you will be confident implementing security automation in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.

CVE vulnerability scanning

A known-vulnerability scan identifies the known CVEs in the modules, libraries, source code, add-ons, services, and applications used in the infrastructure. To achieve this kind of scanning, we will introduce two different approaches. OWASP Dependency-Check is a local scan of files that identifies vulnerabilities; because it inspects the actual packages on disk, this approach can be more accurate than a network scan. However, if a local scan of files is not feasible, we will use a network scan with Nmap (and its vulscan script) instead. Here is a summary of the two scan approaches:

                              OWASP Dependency-Check                      Nmap (vulscan)
Approaches                    Package properties, such as libraries       Network communications, such as ports
                              and filenames                               and protocol versions
Vulnerability database query  CVE, NVD data feeds                         CVE, OSVDB, ExploitDB, and so on
Local/remote scan             A local scan of files and packages          Remote scan over...
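The local-scan approach in the table only pays off once the Dependency-Check report is consumed automatically, so the following is an added example (not code from the book or from the Dependency-Check project) of a small CI gate that reads the JSON report, lists every CVE found per dependency, and fails the build when any finding reaches a CVSS threshold. The embedded report is constructed for the demonstration and its CVE ids are placeholders; the field names used (`dependencies`, `fileName`, `vulnerabilities`, `name`, `severity`, `cvssv3.baseScore`, `cvssv2.score`) follow the Dependency-Check JSON report layout as understood here and should be confirmed against the report your own version emits. The 7.0 threshold is likewise an assumption, chosen to match the usual "high" boundary.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: a trimmed-down Dependency-Check JSON report, NOT real scan output.
# Field names are assumed to follow the Dependency-Check JSON report format; the CVE
# identifiers below are placeholders, not real vulnerability ids.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "demo-app"},
    "dependencies": [
        {
            "fileName": "example-lib-1.0.0.jar",
            "packages": [{"id": "pkg:maven/org.example/example-lib@1.0.0"}],
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "HIGH",
                 "cvssv3": {"baseScore": 8.1}},
                {"name": "CVE-0000-0002", "severity": "LOW",
                 "cvssv2": {"score": 2.1}},
            ],
        },
        {"fileName": "clean-lib-2.3.4.jar", "vulnerabilities": []},
        {"fileName": "config.properties"},  # no vulnerabilities key at all
    ],
})


def cvss_score(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, and use 0.0 if neither exists."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def collect_findings(report_text: str) -> List[Dict]:
    """Flatten the report into one record per (dependency, CVE), highest score first."""
    report = json.loads(report_text)
    findings: List[Dict] = []
    for dep in report.get("dependencies", []):
        # Dependencies with no findings may omit the key or carry an empty list.
        for vuln in dep.get("vulnerabilities") or []:
            findings.append({
                "file": dep.get("fileName", "<unknown>"),
                "cve": vuln.get("name", "<no id>"),
                "severity": (vuln.get("severity") or "UNKNOWN").upper(),
                "score": cvss_score(vuln),
            })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def gate(findings: List[Dict], threshold: float = 7.0) -> Tuple[bool, List[Dict]]:
    """Return (passed, blocking_findings); the build passes only if nothing reaches the threshold."""
    blocking = [f for f in findings if f["score"] >= threshold]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    found = collect_findings(SAMPLE_REPORT)
    passed, blocking = gate(found)
    for f in found:
        print(f"{f['score']:4.1f}  {f['severity']:8}  {f['cve']:16}  {f['file']}")
    print("PASS" if passed else f"FAIL: {len(blocking)} finding(s) at or above CVSS 7.0")
    raise SystemExit(0 if passed else 1)
```

In a pipeline you would replace `SAMPLE_REPORT` with the contents of the report file written by the scanner's JSON output option and let the non-zero exit status fail the stage; keeping the threshold as a parameter lets a team start with a lenient gate and tighten it as the backlog of known CVEs is worked down.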