Book Image

Practical Security Automation and Testing

By : Tony Hsiang-Chih Hsu
Book Image

Practical Security Automation and Testing

By: Tony Hsiang-Chih Hsu

Overview of this book

Security automation is the automatic handling of software security assessments tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention. This book will teach you to adopt security automation techniques to continuously improve your entire software development and security testing. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, Rest API, privacy, infrastructure security, and web UI testing. With the help of practical examples, this book will teach you to implement the combination of automation and Security in DevOps. You will learn about the integration of security testing results for an overall security status for projects. By the end of this book, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.

Related Content you might be interested in

Current Title:

Small book image
Practical Security Automation and Testing
Tony Hsiang-Chih Hsu
Feb, 2019 | 256 pages
Small book image
Hands-On Security in DevOps
Tony HsiangChih Hsu
Jul, 2018 | 356 pages
Small book image
Security Automation with Ansible 2
Akash Mahajan | MADHU AKULA
Dec, 2017 | 364 pages
Small book image
IoT Penetration Testing Cookbook.
Aditya Gupta | Aaron Guzman
Nov, 2017 | 452 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
The Scope and Challenges of Security Automation
The Scope and Challenges of Security Automation
The purposes and myths of security automation
The required skills and suggestions for security automation
General environment setup for coming labs
Summary
Questions
Further reading
2
Integrating Security and Automation
Integrating Security and Automation
The domains of automation testing and security testing
Automation frameworks and techniques
Automating existing security testing
Security testing with an existing automation framework
Summary
Questions
Further reading
3
Secure Code Inspection
Secure Code Inspection
Case study – automating a secure code review
Secure coding patterns for inspection
Quick and simple secure code scanning tools
Case study – XXE security
Case study – deserialization security issue
Summary
Questions
Further reading
4
Sensitive Information and Privacy Testing
Sensitive Information and Privacy Testing
The objective of sensitive information testing
Case study – weak encryption search
Case study – searching for a private key
Case study – website privacy inspection
Summary
Questions
Further reading
5
Security API and Fuzz Testing
Security API and Fuzz Testing
Automated security testing for every API release
Building your security API testing framework
Summary
Questions
Further reading
6
Web Application Security Testing
Web Application Security Testing
Case study – online shopping site for automated security inspection
Case 1 – web security testing using the ZAP REST API
Case 2 – full automation with CURL and the ZAP daemon
Case 3 – automated security testing for the user registration flow with Selenium
Summary
Questions
Further reading
7
Android Security Testing
Android Security Testing
Android security review best practices
Secure source code review patterns for Android
Privacy and sensitive information review
General process of APK security analysis
Static secure code scanning with QARK
Automated security scanning with MobSF
Summary
Questions
Further reading
8
Infrastructure Security
Infrastructure Security
The scope of infrastructure security
Secure configuration best practices
Network security assessments with Nmap
CVE vulnerability scanning
HTTPS security check with SSLyze
Behavior-driven security automation – Gauntlt
Summary
Questions
Further reading
9
BDD Acceptance Security Testing
BDD Acceptance Security Testing
Security testing communication
What is BDD security testing?
Adoption of Robot Framework with sqlmap
Testing framework – Robot Framework with ZAP
Summary
Questions
Further reading
10
Project Background and Automation Approach
Project Background and Automation Approach
Case study – introduction and security objective
Selecting security and automation testing tools
Automated security testing frameworks
Environment and tool setup
Summary
Questions
Further reading
11
Automated Testing for Web Applications
Automated Testing for Web Applications
Case 1 – web security scanning with ZAP-CLI
Case 2 – web security testing with ZAP & Selenium
Case 3 – fuzz XSS and SQLi testing with JMeter
Summary
Questions
Further reading
12
Automated Fuzz API Security Testing
Automated Fuzz API Security Testing
Fuzz testing and data
API fuzz testing with Automation Frameworks
Summary
Questions
Further reading
13
Automated Infrastructure Security
Automated Infrastructure Security
Scan For known JavaScript vulnerabilities
WebGoat with OWASP dependency check
Secure communication scan with SSLScan
NMAP security scan with BDD framework
Summary
Questions
Further reading
14
Managing and Presenting Test Results
Managing and Presenting Test Results
Managing and presenting test results
Approach 1 – integrate the tools with RapidScan
Approach 2 – generate a professional pentest report with Serpico
Approach 3 – security findings management DefectDojo
Summary
Questions
Further reading
15
Summary of Automation Security Testing Tips
Summary of Automation Security Testing Tips
Automation testing framework
Secure code review
API security testing
Web security testing
Android security testing
Infrastructure security
BDD security testing by Robot Framework
Summary
16
List of Scripts and Tools
List of Scripts and Tools
List of sample scripts
List of installed tools in virtual image
17
Solutions
Solutions
Chapter 1: The Scope and Challenges of Security Automation
Chapter 2: Integrating Security and Automation
Chapter 3: Secure Code Inspection
Chapter 4: Sensitive Information and Privacy Testing
Chapter 5: Security API and Fuzz Testing
Chapter 6: Web Application Security Testing
Chapter 7: Android Security Testing
Chapter 8: Infrastructure Security
Chapter 9: BDD Acceptance Security Testing
Chapter 10: Project Background and Automation Approach
Chapter 11: Automated Testing for Web Applications
Chapter 12: Automated Fuzz API Security Testing
Chapter 13: Automated Infrastructure Security
Chapter 14: Managing and Presenting Test Results
18
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Case study – searching for a private key

Let's take another case to look at searching for the compromise of API key information. An API key being hardcoded in the source code or a password being weakly encrypted in the source code are both common security vulnerabilities. To search for a private encryption key or hardcoded password requires the calculation of entropy which is a number to represent the level of randomness. A string with a high entropy value is normally an indicator of a potential API key, hash value, or encrypted message. In the following demonstration, we will also use the vulnerable Python API project to search for vulnerable API keys in the source code. The tools we will be using are entropy.py and DumpsterDiver. To download the script, execute the following command:

$ git clone https://github.com/securing/DumpsterDiver
...
Previous Section
End of Section 4
Next Section