Book Image

Practical Security Automation and Testing

By : Tony Hsiang-Chih Hsu
Book Image

Practical Security Automation and Testing

By: Tony Hsiang-Chih Hsu

Overview of this book

Security automation is the automatic handling of software security assessments tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention. This book will teach you to adopt security automation techniques to continuously improve your entire software development and security testing. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, Rest API, privacy, infrastructure security, and web UI testing. With the help of practical examples, this book will teach you to implement the combination of automation and Security in DevOps. You will learn about the integration of security testing results for an overall security status for projects. By the end of this book, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.

Related Content you might be interested in

Current Title:

Small book image
Practical Security Automation and Testing
Tony Hsiang-Chih Hsu
Feb, 2019 | 256 pages
Small book image
Hands-On Security in DevOps
Tony HsiangChih Hsu
Jul, 2018 | 356 pages
Small book image
Security Automation with Ansible 2
Akash Mahajan | MADHU AKULA
Dec, 2017 | 364 pages
Small book image
IoT Penetration Testing Cookbook.
Aditya Gupta | Aaron Guzman
Nov, 2017 | 452 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
The Scope and Challenges of Security Automation
The Scope and Challenges of Security Automation
The purposes and myths of security automation
The required skills and suggestions for security automation
General environment setup for coming labs
Summary
Questions
Further reading
2
Integrating Security and Automation
Integrating Security and Automation
The domains of automation testing and security testing
Automation frameworks and techniques
Automating existing security testing
Security testing with an existing automation framework
Summary
Questions
Further reading
3
Secure Code Inspection
Secure Code Inspection
Case study – automating a secure code review
Secure coding patterns for inspection
Quick and simple secure code scanning tools
Case study – XXE security
Case study – deserialization security issue
Summary
Questions
Further reading
4
Sensitive Information and Privacy Testing
Sensitive Information and Privacy Testing
The objective of sensitive information testing
Case study – weak encryption search
Case study – searching for a private key
Case study – website privacy inspection
Summary
Questions
Further reading
5
Security API and Fuzz Testing
Security API and Fuzz Testing
Automated security testing for every API release
Building your security API testing framework
Summary
Questions
Further reading
6
Web Application Security Testing
Web Application Security Testing
Case study – online shopping site for automated security inspection
Case 1 – web security testing using the ZAP REST API
Case 2 – full automation with CURL and the ZAP daemon
Case 3 – automated security testing for the user registration flow with Selenium
Summary
Questions
Further reading
7
Android Security Testing
Android Security Testing
Android security review best practices
Secure source code review patterns for Android
Privacy and sensitive information review
General process of APK security analysis
Static secure code scanning with QARK
Automated security scanning with MobSF
Summary
Questions
Further reading
8
Infrastructure Security
Infrastructure Security
The scope of infrastructure security
Secure configuration best practices
Network security assessments with Nmap
CVE vulnerability scanning
HTTPS security check with SSLyze
Behavior-driven security automation – Gauntlt
Summary
Questions
Further reading
9
BDD Acceptance Security Testing
BDD Acceptance Security Testing
Security testing communication
What is BDD security testing?
Adoption of Robot Framework with sqlmap
Testing framework – Robot Framework with ZAP
Summary
Questions
Further reading
10
Project Background and Automation Approach
Project Background and Automation Approach
Case study – introduction and security objective
Selecting security and automation testing tools
Automated security testing frameworks
Environment and tool setup
Summary
Questions
Further reading
11
Automated Testing for Web Applications
Automated Testing for Web Applications
Case 1 – web security scanning with ZAP-CLI
Case 2 – web security testing with ZAP & Selenium
Case 3 – fuzz XSS and SQLi testing with JMeter
Summary
Questions
Further reading
12
Automated Fuzz API Security Testing
Automated Fuzz API Security Testing
Fuzz testing and data
API fuzz testing with Automation Frameworks
Summary
Questions
Further reading
13
Automated Infrastructure Security
Automated Infrastructure Security
Scan For known JavaScript vulnerabilities
WebGoat with OWASP dependency check
Secure communication scan with SSLScan
NMAP security scan with BDD framework
Summary
Questions
Further reading
14
Managing and Presenting Test Results
Managing and Presenting Test Results
Managing and presenting test results
Approach 1 – integrate the tools with RapidScan
Approach 2 – generate a professional pentest report with Serpico
Approach 3 – security findings management DefectDojo
Summary
Questions
Further reading
15
Summary of Automation Security Testing Tips
Summary of Automation Security Testing Tips
Automation testing framework
Secure code review
API security testing
Web security testing
Android security testing
Infrastructure security
BDD security testing by Robot Framework
Summary
16
List of Scripts and Tools
List of Scripts and Tools
List of sample scripts
List of installed tools in virtual image
17
Solutions
Solutions
Chapter 1: The Scope and Challenges of Security Automation
Chapter 2: Integrating Security and Automation
Chapter 3: Secure Code Inspection
Chapter 4: Sensitive Information and Privacy Testing
Chapter 5: Security API and Fuzz Testing
Chapter 6: Web Application Security Testing
Chapter 7: Android Security Testing
Chapter 8: Infrastructure Security
Chapter 9: BDD Acceptance Security Testing
Chapter 10: Project Background and Automation Approach
Chapter 11: Automated Testing for Web Applications
Chapter 12: Automated Fuzz API Security Testing
Chapter 13: Automated Infrastructure Security
Chapter 14: Managing and Presenting Test Results
18
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

To get the most out of this book

To get the most out of this book, you will need the sample code from the Packt Publishing GitHub repository. You will also need an Ubuntu virtual image, and you'll need to download the security testing tools and frameworks mentioned in the book.

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packt.com.
  2. Select the SUPPORT tab.
  3. Click on Code Downloads & Errata.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Practical-Security-Automation-and-Testing. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."

A block of code is set as follows:

saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

Any command-line input or output is written as follows:

$ ag   –w   md5   d:\<targetPath>

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."

Warnings or important notes appear like this.
Tips and tricks appear like this.
Previous Section
Next Section