Practical Security Automation and Testing

By: Tony Hsiang-Chih Hsu

Overview of this book

Security automation is the automatic handling of software security assessment tasks. This book helps you build a security automation framework that scans for vulnerabilities without human intervention. It teaches you to adopt security automation techniques to continuously improve your entire software development and security testing process. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD pipeline. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, REST API testing, privacy testing, infrastructure security, and web UI testing. With the help of practical examples, this book shows you how to combine automation and security in DevOps. You will also learn how to integrate security testing results into an overall security status for your projects. By the end of this book, you will be confident implementing security automation at every stage of software development and will be able to build your own in-house security automation platform for your mobile and cloud releases.

Table of Contents (19 chapters)

What this book covers

Chapter 1, The Scope and Challenges of Security Automation, discusses the challenges of security automation and gives an overview of security automation tools and frameworks. The required skills, security tools, and automation frameworks will be introduced. This will help you to gain the foundational knowledge required for you to build security automation measures in the coming chapters. Finally, we will also set up some sample vulnerable source code, as well as an application, for practicing security scanning in the coming chapters. This will include an illustration of dynamic security testing techniques (OWASP ZAP, Nmap, and Fuzz) and static code inspection with automation frameworks (such as Selenium, Robot Framework, JMeter, and behavior-driven development (BDD)), as well as a detailed look at mobile security testing framework integration in several hands-on case studies.

Chapter 2, Integrating Security and Automation, introduces how security and automation can be integrated. Since both security testing and automation testing require domain expertise and very particular tools, this chapter will introduce how to bake automation into existing security testing frameworks to improve testing coverage and efficiency. We will also discuss how security testing practices and tools can be integrated into your in-house automation testing framework.

Chapter 3, Secure Code Inspection, discusses white-box testing techniques for the secure reviewing of code. For an in-house software development team, it's a challenge to review all the source code for every software release. This is not only due to the pressure of release cycles, but also due to the impracticality of requiring every developer to be familiar with all the secure coding best practices for all different programming languages, such as Java, C/C++, and Python. Therefore, we will demonstrate how to build your own automated secure coding platform with open source solutions for every release.

Chapter 4, Sensitive Information and Privacy Testing, discusses how to use automated scanning to prevent the disclosure of sensitive information in every software release. There are three typical scenarios where such scanning applies. The first is where sensitive information is included in the source code, such as an embedded key, a hardcoded password, a hidden hotkey, an email address, or an IP address or URL. Secondly, sensitive information can also be stored in cookies, since cookies can record the browsing behavior of users. Finally, large projects handling massive amounts of data require effective ways of identifying and protecting any Personally Identifiable Information (PII) stored in the database.

Chapter 5, Security API and Fuzz Testing, explores API and fuzz testing. As cloud software releases can be made on a per-API basis, there can be hundreds of APIs released at a time. The software development team will definitely need an effective way to automate security testing for every API release. In this chapter, we use an online pet store case study to see how you can build your automated API security testing framework with various tools. API security testing focuses more on data injection and abnormal payloads. Therefore, fuzz testing, which supplies random data and injection payloads as input, will also be introduced for automated API security testing.

Chapter 6, Web Application Security Testing, is where we will use an online shopping site, Hackazon, to demonstrate how to achieve automated web security testing. The key challenge in automating web application testing is walking through the UI business flow while doing security inspection. Doing so requires not only security scanning capabilities but also web UI automation. We will be using security tools such as ZAP and web UI automation frameworks such as Selenium and Robot Framework. Using these tools can effectively improve your security testing coverage. We will share some tips and tools for making web automation easier.

Chapter 7, Android Security Testing, focuses on Android. It's a common practice to do a security check before an Android application release. However, doing so can be a real challenge when releases are so frequent and so numerous. The automated security testing process for an Android mobile application requires submitting APK binaries, reversing the APK for secure source code inspection, checking the manifest configuration, and generating testing results; we'll be looking at all of this in this chapter. Besides that, we will also introduce mobile security-related practices, such as OWASP mobile security testing and Android secure coding practices.

Chapter 8, Infrastructure Security, will focus on infrastructure and platform security. For a Platform-as-a-Service (PaaS) or even a Software-as-a-Service (SaaS) provider, it's vital to ensure that the infrastructure is secure. Therefore, the security operations team will need to scan the infrastructure regularly to verify that its security configurations meet compliance requirements. Infrastructure security includes the secure configuration of web services, the security of databases and OSes, secure communication protocols such as TLS v1.2, and the use of secure versions of third-party components and dependencies. We will illustrate how to set up your own automated scanning framework to run these regular secure configuration inspections.

Chapter 9, BDD Acceptance Security Testing, will discuss the challenges of cross-team communication within large software development teams. For instance, the team that executed the security testing may understand the tests carried out and their results, but other non-technical teams, such as product management and marketing, may not gain the same understanding just from reading the testing reports. Therefore, we will introduce BDD acceptance testing combined with automated security testing. We will run security testing tools on top of BDD security automation testing frameworks and hook them into the testing process.

Chapter 10, Project Background and Automation Approach, will introduce a project and the security objectives necessary for proceeding with automated security testing in the ensuing chapters. We will also explore what considerations need to be made when it comes to automation framework selection. For instance, some tools are good for specific security testing but may have shortcomings when it comes to automation framework integration. Finally, we will set up all the environments needed for the coming security automation practices.

Chapter 11, Automated Testing for a Web Application, will use three case studies to teach you about different security automation techniques against the vulnerable NodeGoat site. The first case study looks at automating OWASP ZAP by using the ZAP-CLI, which will help to identify initial security issues in a website before authentication. In the second case study, we will be using Selenium to identify security issues concerning user sign-in. In the final case, we will use JMeter to drive sign-in with external CSV data in order to detect potential command injection security issues.

Chapter 12, Automated Fuzz API Security Testing, looks at API fuzz testing, which can be one of the most effective and efficient means of combining security and automation testing. API fuzz testing involves generating fuzz data as input, sending HTTP requests containing the fuzz data, and analyzing the HTTP responses for security issues. We will demonstrate several API fuzz automation tools (including Wfuzz and 0d1n), fuzz techniques, and integration with automation testing frameworks (such as Selenium and Robot Framework data-driven testing).

Chapter 13, Automated Infrastructure Security, will demonstrate how to automate infrastructure security testing against the NodeGoat website. The infrastructure security testing will include testing for known vulnerable JavaScript libraries, insecure SSL configurations, and advanced Nmap NSE script testing techniques for web security. At the end, we will also illustrate how to apply BDD automation frameworks to SSLScan and Nmap.

Chapter 14, Managing and Presenting Testing Results, covers how we consolidate and present security testing findings as a whole to stakeholders. Executing and managing several security testing projects at a time can be a challenge. The security team, the project team, and management would all like to know the security status of each project. This requires consolidating the results from the previously mentioned security testing tools into one portal or summary document. We will need not only to manage the execution results of all the security testing tools, but also to present them in a security dashboard that clearly displays the overall security posture of a project. We will introduce some approaches and tools to achieve this goal.

Chapter 15, Summary of Automation Security Testing Tips, summarizes the key security automation techniques and tips from all the previous chapters. This chapter can be used as a quick reference guide or as an overall review of security automation.

Appendix A, List of Scripts and Tools, summarizes the tools and commands used throughout all the chapters.

Appendix B, Solutions, includes all the answers to the questions provided within the chapters.