Book Image

Practical Security Automation and Testing

By : Tony Hsiang-Chih Hsu

Book Image

Practical Security Automation and Testing

By: Tony Hsiang-Chih Hsu

Overview of this book

Security automation is the automatic handling of software security assessments tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention. This book will teach you to adopt security automation techniques to continuously improve your entire software development and security testing. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, Rest API, privacy, infrastructure security, and web UI testing. With the help of practical examples, this book will teach you to implement the combination of automation and Security in DevOps. You will learn about the integration of security testing results for an overall security status for projects. By the end of this book, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.

Preface

Who this book is for

What this book covers

To get the most out of this book

Free Chapter

The Scope and Challenges of Security Automation

The Scope and Challenges of Security Automation

The purposes and myths of security automation

The required skills and suggestions for security automation

General environment setup for coming labs

Further reading

Integrating Security and Automation

Integrating Security and Automation

The domains of automation testing and security testing

Automation frameworks and techniques

Automating existing security testing

Security testing with an existing automation framework

Further reading

Secure Code Inspection

Secure Code Inspection

Case study – automating a secure code review

Secure coding patterns for inspection

Quick and simple secure code scanning tools

Case study – XXE security

Case study – deserialization security issue

Further reading

Sensitive Information and Privacy Testing

Sensitive Information and Privacy Testing

The objective of sensitive information testing

Case study – weak encryption search

Case study – searching for a private key

Case study – website privacy inspection

Further reading

Security API and Fuzz Testing

Security API and Fuzz Testing

Automated security testing for every API release

Building your security API testing framework

Further reading

Web Application Security Testing

Web Application Security Testing

Case study – online shopping site for automated security inspection

Case 1 – web security testing using the ZAP REST API

Case 2 – full automation with CURL and the ZAP daemon

Case 3 – automated security testing for the user registration flow with Selenium

Further reading

Android Security Testing

Android Security Testing

Android security review best practices

Secure source code review patterns for Android

Privacy and sensitive information review

General process of APK security analysis

Static secure code scanning with QARK

Automated security scanning with MobSF

Further reading

Infrastructure Security

Infrastructure Security

The scope of infrastructure security

Secure configuration best practices

Network security assessments with Nmap

CVE vulnerability scanning

HTTPS security check with SSLyze

Behavior-driven security automation – Gauntlt

Further reading

BDD Acceptance Security Testing

BDD Acceptance Security Testing

Security testing communication

What is BDD security testing?

Adoption of Robot Framework with sqlmap

Testing framework – Robot Framework with ZAP

Further reading

Project Background and Automation Approach

Project Background and Automation Approach

Case study – introduction and security objective

Selecting security and automation testing tools

Automated security testing frameworks

Environment and tool setup

Further reading

Automated Testing for Web Applications

Automated Testing for Web Applications

Case 1 – web security scanning with ZAP-CLI

Case 2 – web security testing with ZAP & Selenium

Case 3 – fuzz XSS and SQLi testing with JMeter

Further reading

Automated Fuzz API Security Testing

Automated Fuzz API Security Testing

Fuzz testing and data

API fuzz testing with Automation Frameworks

Further reading

Automated Infrastructure Security

Automated Infrastructure Security

Scan For known JavaScript vulnerabilities

WebGoat with OWASP dependency check

Secure communication scan with SSLScan

NMAP security scan with BDD framework

Further reading

Managing and Presenting Test Results

Managing and Presenting Test Results

Managing and presenting test results

Approach 1 – integrate the tools with RapidScan

Approach 2 – generate a professional pentest report with Serpico

Approach 3 – security findings management DefectDojo

Further reading

Summary of Automation Security Testing Tips

Summary of Automation Security Testing Tips

Automation testing framework

Secure code review

API security testing

Web security testing

Android security testing

Infrastructure security

BDD security testing by Robot Framework

List of Scripts and Tools

List of Scripts and Tools

List of sample scripts

List of installed tools in virtual image

Solutions

Chapter 1: The Scope and Challenges of Security Automation

Chapter 2: Integrating Security and Automation

Chapter 3: Secure Code Inspection

Chapter 4: Sensitive Information and Privacy Testing

Chapter 5: Security API and Fuzz Testing

Chapter 6: Web Application Security Testing

Chapter 7: Android Security Testing

Chapter 8: Infrastructure Security

Chapter 9: BDD Acceptance Security Testing

Chapter 10: Project Background and Automation Approach

Chapter 11: Automated Testing for Web Applications

Chapter 12: Automated Fuzz API Security Testing

Chapter 13: Automated Infrastructure Security

Chapter 14: Managing and Presenting Test Results

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Summary

In this chapter, we discussed the objective of security automation: to reduce repeated manual testing and increase testing coverage in an efficient manner. The OWASP Top 10 list for web application security issues and the CWE Top 25 list for secure coding issues were suggested as resources.

We also discussed some misunderstandings of security automation, such as the need for highly skilled penetration testers, the time it takes to build automation frameworks, and the perceived limitations of automation testing's effectiveness. Security automation testing can even identify serious security defects, and won't require lots of implementation efforts, so long as the right security tools and automation frameworks are integrated properly.

Last but not least, we also discussed the skills of security developers and automation testing developers. The common ground required between these two roles includes only knowledge of networking, HTTP/HTTPS protocols, an operating system, and at least one programming language. The automation test developer may focus more on automation testing frameworks such as BDD, DDT, Selenium, unit testing, and so on. On the other hand, the security tester may focus on using security tools and techniques to identify security issues. In the coming chapters, we will demonstrate how security and automation can integrate properly to identify security issues in a more effective manner.