
Continuous and Visible Security Testing Stephen de with BDD-Security.


1 Continuous and Visible Security Testing Stephen de with BDD-Security

2 About me
- CTO, Continuum Security
- 16 years in security
- Specialised in application security
- Author of the BDD-Security framework


4 Security testing is still stuck in a waterfall world
- Feedback from security testing arrives too late
- Teams rely on outside security "experts"

5 Security is not something you add on afterwards; it is something that is built in, just like quality, scalability and performance

6 Everyone is responsible for security, in the same way that everyone is responsible for quality
- Move testing closer to the code
- Continuous, automated testing

7 Quality testing vs. security testing: a difference of degree, not of kind

8 Why / What / How: the Business Context, Architecture and App Features feed a Threat Model; the Threat Model yields Non-Functional Security Requirements and Functional Security Requirements; those requirements drive the Security Tests


13 Security requirements should be:
- Visible
- Testable
- Actionable
- Up-to-date
Automated security testing is more than scanning. BDD specs (Given/When/Then) express the security requirements themselves.

14 BDD-Security Testing Framework
https://github.com/continuumsecurity/bdd-security
BDD-Security = JBehave + Selenium + OWASP ZAP + Nessus + internal security tools + pre-written baseline security specifications

15 Examples: Infrastructure specifications


18 Security specifications for the application itself. Authentication:
- Passwords should be case sensitive
- Present the login form itself over an HTTPS connection
- Transmit authentication credentials over HTTPS
- When authentication credentials are sent to the server, it should respond with a 3xx status code
- Disable browser auto-completion on the login form
- Lock the user account out after incorrect authentication attempts
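The requirements on slide 18 are only useful if each one can be turned into a check that runs on every build. The following is an added example (not code from the BDD-Security project or from the talk) that does exactly that in Python: the static requirements are checked against a captured login page and the response to the credential POST, and the behavioural ones (case sensitivity, lockout) are checked through whatever callable performs a real login. The login page, URLs and the `FakeAuthServer` back end are constructed here so the module runs offline; the lockout threshold of 5 attempts is an assumption, since the slide gives no number.

```python
"""Login security requirements as automated checks (added example).

Not code from the BDD-Security project. The inputs below the functions are
constructed test data (fake login page, fake auth back end) so this runs
offline; the 5-attempt lockout threshold is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects <form> and <input> attribute dicts from a login page."""

    def __init__(self):
        super().__init__()
        self.forms, self.inputs = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append(attrs)
        elif tag == "input":
            self.inputs.append(attrs)


def check_login_page(page_url, html):
    """Static requirements on the login page. Returns {requirement: passed}."""
    p = _FormCollector()
    p.feed(html)
    # Present the login form itself over an HTTPS connection.
    form_https = urlparse(page_url).scheme == "https"
    # Transmit credentials over HTTPS: every form action must resolve to https.
    actions = [urljoin(page_url, f.get("action") or "") for f in p.forms]
    post_https = bool(actions) and all(urlparse(a).scheme == "https" for a in actions)
    # Disable browser auto-completion: on the form, or on every credential field.
    form_off = any((f.get("autocomplete") or "").lower() == "off" for f in p.forms)
    creds = [i for i in p.inputs if i.get("type") in ("text", "email", "password")]
    fields_off = bool(creds) and all((i.get("autocomplete") or "").lower() == "off" for i in creds)
    return {
        "login_form_over_https": form_https,
        "credentials_over_https": post_https,
        "autocomplete_disabled": form_off or fields_off,
    }


def check_login_response(status, location=None):
    """After credentials are sent, the server should answer with a 3xx redirect."""
    return 300 <= status < 400 and location is not None


def check_password_case_sensitive(authenticate, user, password):
    """authenticate(user, pw) -> bool drives the real login (Selenium, HTTP client, ...).
    Passes if the real password works and its case-swapped form does not."""
    swapped = password.swapcase()
    if swapped == password:
        return None  # no letters to swap: inconclusive
    return authenticate(user, password) and not authenticate(user, swapped)


def check_lockout(authenticate, user, password, attempts=5):
    """Send `attempts` wrong passwords, then expect the correct one to be refused."""
    for _ in range(attempts):
        authenticate(user, password + "-wrong")
    return not authenticate(user, password)


# ---- constructed test input; app.example is not a real site ----
SECURE_URL = "https://app.example/login"
SECURE_HTML = """<form method="post" action="/login" autocomplete="off">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Log in"></form>"""
INSECURE_URL = "http://app.example/login"
INSECURE_HTML = """<form method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="Log in"></form>"""


class FakeAuthServer:
    """Stand-in back end: case-sensitive compare, locks after `threshold` failures."""

    def __init__(self, users, threshold=5):
        self.users, self.threshold, self.failures = users, threshold, {}

    def authenticate(self, user, pw):
        if self.failures.get(user, 0) >= self.threshold:
            return False
        if self.users.get(user) == pw:
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


def run_all():
    """Evaluate every requirement against the constructed inputs."""
    srv = FakeAuthServer({"alice": "Secr3t"})
    return {
        "secure_page": check_login_page(SECURE_URL, SECURE_HTML),
        "insecure_page": check_login_page(INSECURE_URL, INSECURE_HTML),
        "redirect_after_login": check_login_response(302, "/home"),
        "case_sensitive": check_password_case_sensitive(srv.authenticate, "alice", "Secr3t"),
        "lockout": check_lockout(srv.authenticate, "alice", "Secr3t"),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

Each function returns a plain boolean, so the same checks can sit behind a Given/When/Then step or a JUnit assertion; the captured page and POST response would normally come from the ZAP proxy rather than from the constants above.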

19 HTTP/S Proxy Manual Application Security Testing with OWASP ZAP

20 Automated Application Security Testing with OWASP ZAP: BDD-Security drives the browser with Selenium through ZAP's HTTP/S proxy and controls ZAP through the ZAP API

21 Configuring BDD-Security for in-depth testing
- Edit config.xml with app-specific values
- Create a Java class that defines Selenium methods for:
  - openLoginPage
  - login
  - isLoggedIn
  - logout

22 Demo

23 Application Security Scanning with ZAP


27 Testing Access Control Can Alice see Bob’s data?
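"Can Alice see Bob's data?" is a question that scanners cannot answer, because only the test author knows which user owns which record. The following is an added example, not code from the BDD-Security project or the talk, that turns the question into a self-verifying specification and generalises it to every ordered pair of users so that a missing ownership check anywhere is reported. `NotesApp` is a constructed in-memory stand-in for the application under test (its methods, status codes and field names are assumptions); `find_horizontal_access_violations` is the part that would be pointed at a real HTTP session in practice.

```python
"""Access-control specification: can Alice see Bob's data? (added example)

Not code from the BDD-Security project. NotesApp is a constructed stand-in
for the application under test; its API and status codes are assumptions.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


class NotesApp:
    """Minimal per-user 'notes' API. enforce_owner=False reproduces an insecure
    direct object reference: any logged-in user can read any note by id."""

    def __init__(self, enforce_owner=True):
        self.enforce_owner = enforce_owner
        self.sessions = {}  # session token -> username
        self.notes = {}     # note id -> (owner, text)
        self._next_id = 1

    def login(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def create_note(self, token, text):
        user = self.sessions.get(token)
        if user is None:
            return Response(401)
        nid, self._next_id = self._next_id, self._next_id + 1
        self.notes[nid] = (user, text)
        return Response(201, {"id": nid})

    def get_note(self, token, nid):
        user = self.sessions.get(token)
        if user is None:
            return Response(401)
        if nid not in self.notes:
            return Response(404)
        owner, text = self.notes[nid]
        # Hardened form: the ownership check. Answer 404 rather than 403 so the
        # response does not confirm that another user's note id exists.
        if self.enforce_owner and owner != user:
            return Response(404)
        return Response(200, {"id": nid, "text": text})


def find_horizontal_access_violations(app, users):
    """Given each user has created a note, When every user requests every
    other user's note, Then no request succeeds or leaks the note text.
    Returns [(reader, owner, note_id, status)] per failure; [] means pass."""
    tokens = {u: app.login(u) for u in users}
    private = {u: f"{u}'s private note" for u in users}
    note_ids = {u: app.create_note(tokens[u], private[u]).body["id"] for u in users}
    violations = []
    for reader in users:
        # A user must still read their own data, otherwise the test is not
        # exercising authorisation at all (a dead session would pass vacuously).
        if app.get_note(tokens[reader], note_ids[reader]).status != 200:
            raise RuntimeError(f"{reader} cannot read their own note; setup is broken")
        for owner in users:
            if owner == reader:
                continue
            r = app.get_note(tokens[reader], note_ids[owner])
            if r.status == 200 or private[owner] in str(r.body):
                violations.append((reader, owner, note_ids[owner], r.status))
    return violations


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    print("vulnerable:", find_horizontal_access_violations(NotesApp(enforce_owner=False), users))
    print("hardened:  ", find_horizontal_access_violations(NotesApp(enforce_owner=True), users))
```

Two details matter for a check like this in CI: the positive control (each user reads their own note) stops a broken login from producing a false pass, and the leak test inspects the body as well as the status, because an application that returns 200 with an empty record and one that returns 404 are both fine, while one that returns 403 together with the data is not.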

28 Demo

29 Part of the Continuous Integration process
- Ant job in Jenkins
- Run the job after deploying to the test environment
- Fail the build if the tests fail

30 Demo

31 Summary
- Security testing doesn't need special treatment: it differs from software testing in degree, not in kind
- Automated security tests can be integrated into a CI/CD model
- Automated security tests should include more than just scanning
- BDD tools provide self-verifying specifications
- The BDD-Security project can jump-start your own security specs

32 Similar tools
- ZAP-JUnit (Java): https://github.com/continuumsecurity/zap-webdriver
- Gauntlt (Ruby)
- Mittn (Python + Burp Intruder): https://github.com/F-Secure/mittn

33 Thank you. I'll be at Office Hours at 13:45 today. Room:

