Practical Security Automation and Testing

Book Description

Your one stop guide to automating infrastructure security using DevOps and DevSecOps

Key Features

  • Secure and automate techniques to protect web, mobile or cloud services
  • Automate secure code inspection in C++, Java, Python, and JavaScript
  • Integrate security testing with automation frameworks like fuzz, BDD, Selenium and Robot Framework

Book Description

Security automation is the automatic handling of software security assessment tasks. This book helps you build a security automation framework that scans for vulnerabilities without human intervention.

This book will teach you to adopt security automation techniques to continuously improve your entire software development and security testing process. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, REST API testing, privacy, infrastructure security, and web UI testing.

With the help of practical examples, this book will teach you to implement the combination of automation and security in DevOps. You will learn how to integrate security testing results into an overall security status for your projects.

By the end of this book, you will be confident implementing security automation in all layers of your software development stages and will be able to build your own in-house security automation platform for your mobile and cloud releases.

What you will learn

  • Automate secure code inspection with open source tools and effective secure code scanning suggestions
  • Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
  • Integrate security testing tools such as OWASP ZAP, NMAP, SSLyze, SQLMap, and OpenSCAP
  • Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
  • Execute security testing of a REST API
  • Implement web application security with open source tools and script templates for CI/CD integration
  • Integrate various types of security testing tool results from a single project into one dashboard

Who this book is for

The book is for software developers, architects, testers and QA engineers who are looking to leverage automated security testing techniques.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Practical Security Automation and Testing
  3. About Packt
    1. Why subscribe?
    2. Packt.com
  4. Contributors
    1. About the author
    2. About the reviewers
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
  6. The Scope and Challenges of Security Automation
    1. The purposes and myths of security automation
      1. Myth 1 – doesn't security testing require highly experienced pentesters?
      2. Myth 2 – isn't it time-consuming to build an automation framework?
      3. Myth 3 – there are no automation frameworks that are really feasible for security testing
    2. The required skills and suggestions for security automation
    3. General environment setup for coming labs
    4. Summary
    5. Questions
    6. Further reading
  7. Integrating Security and Automation
    1. The domains of automation testing and security testing
    2. Automation frameworks and techniques
      1. UI functional testing for web, mobile, and windows
      2. HTTP API testing
      3. HTTP mock server
      4. White-box search with GREP-like tools
      5. Behavior-driven development testing frameworks
      6. Testing data generators
    3. Automating existing security testing
    4. Security testing with an existing automation framework
    5. Summary
    6. Questions
    7. Further reading
  8. Secure Code Inspection
    1. Case study – automating a secure code review
      1. Secure coding scanning service – SWAMP
      2. Step 1 – adding a new package
      3. Step 2 – running the assessment
      4. Step 3 – viewing the results
    2. Secure coding patterns for inspection
    3. Quick and simple secure code scanning tools
      1. Automatic secure code inspection script in Linux
        1. Step 1 – downloading the CRASS
        2. Step 2 – executing the code review audit scan
        3. Step 3 – reviewing the results
      2. Automatic secure code inspection tools for Windows
        1. Step 1 – downloading VCG (Visual Code Grepper)
        2. Step 2 – executing VCG
        3. Step 3 – reviewing the VCG scanning results
    4. Case study – XXE security
    5. Case study – deserialization security issue
    6. Summary
    7. Questions
    8. Further reading
  9. Sensitive Information and Privacy Testing
    1. The objective of sensitive information testing
      1. PII discovery
      2. Sensitive information discovery
      3. Privacy search tools
    2. Case study – weak encryption search
      1. Step 1 – installing The Silver Searcher
      2. Step 2 – executing the tool (using Windows as an example)
      3. Step 3 – reviewing the results (using Windows as an example)
    3. Case study – searching for a private key
      1. Step 1 – calculating the entropy
      2. Step 2 – Searching for high-entropy strings
      3. Step 3 – Reviewing the results
    4. Case study – website privacy inspection
      1. Step 1 – visiting PrivacyScore or setting it up locally
      2. Step 2 – reviewing the results
    5. Summary
    6. Questions
    7. Further reading
  10. Security API and Fuzz Testing
    1. Automated security testing for every API release
    2. Building your security API testing framework
      1. Case study 1 – basic – web service testing with ZAP CLI
        1. Step 1 – OWASP ZAP download and launch with port 8090
        2. Step 2 – install the ZAP-CLI
        3. Step 3 – execute the testing under ZAP-CLI
        4. Step 4 – review the results
      2. Case study 2 – intermediate – API testing with ZAP and JMeter
        1. Step 1 – download JMeter
        2. Step 2 – define HTTP request for the login
        3. Step 4 – execute the JMeter script
        4. Step 3 – review the results in ZAP
      3. Case study 3 – advanced – parameterized security payload with fuzz
        1. Step 1 – download the SQL injection data
        2. Step 2 – define the CSV dataset in JMeter
        3. Step 3 – apply the variable name
        4. Step 4 – specify the loop
        5. Step 5 – execute JMeter and review the security assessment results
      4. Case study 4 – security testing with ZAP Open/SOAP API
        1. Step 1 – install the OpenAPI and SOAP API add-ons
        2. Step 2 – import the API definition
        3. Step 3 – execute the active security scanning
        4. Step 4 – present the security assessments
    3. Summary
    4. Questions
    5. Further reading
  11. Web Application Security Testing
    1. Case study – online shopping site for automated security inspection
    2. Case 1 – web security testing using the ZAP REST API
      1. Step 1 – spider scanning the website
      2. Step 2 – active scanning the website
      3. Step 3 – reviewing the status of the active scan
      4. Step 4 – reviewing the security assessments
    3. Case 2 – full automation with CURL and the ZAP daemon
      1. Step 1 – executing ZAP in daemon (headless) mode
      2. Step 2 – checking the status of the ZAP daemon
      3. Step 3 – fully automating the ZAP API
    4. Case 3 – automated security testing for the user registration flow with Selenium
      1. Step 1 – installation of SeleniumBase
      2. Step 2 – launching ZAP with proxy 8090
      3. Step 3 – executing the user registration flow automation
      4. Step 4 – active scanning the identified URLs
      5. Step 5 – reviewing the security assessments
    5. Summary
    6. Questions
    7. Further reading
  12. Android Security Testing
    1. Android security review best practices
    2. Secure source code review patterns for Android
    3. Privacy and sensitive information review
      1. Privacy scanning with Androwarn
        1. Step 1 – scanning of an APK
        2. Step 2 – review the report
    4. General process of APK security analysis
      1. Step 1 – use APKTool to reverse the APK to Manifest.xml, Smali and resources
      2. Step 2 – use JADX to reverse the APK into Java source code
      3. Step 3 – use Fireline to scan all the Java source files
      4. Step 4 – review the scanning results
    5. Static secure code scanning with QARK
      1. Step 1 – install QARK
      2. Step 2 – APK scanning with QARK
      3. Step 3 – review the results
    6. Automated security scanning with MobSF
      1. Step 1 – set up the MobSF
      2. Step 2 – upload the APK by REST API
      3. Step 3 – scan the APK
      4. Step 4 – download the report
    7. Summary
    8. Questions
    9. Further reading
  13. Infrastructure Security
    1. The scope of infrastructure security
    2. Secure configuration best practices
      1. CIS (Center for Internet Security) benchmarks
      2. Security technical implementation guides (STIGs)
      3. OpenSCAP security guide
        1. Step 1 – installation of SCAP workbench
        2. Step 2 – OpenSCAP security guide
    3. Network security assessments with Nmap
      1. Nmap usage tips
    4. CVE vulnerability scanning
      1. Known vulnerable components scan by VulScan
        1. Step 1 – installation of VulScan 
        2. Step 2 – NMAP scanning with VulScan
      2. Known vulnerable components scan by OWASP dependency check
        1. Step 1 – installation of OWASP dependency check
        2. Step 2 – CVE scanning with OWASP dependency check
    5. HTTPS security check with SSLyze
    6. Behavior-driven security automation – Gauntlt
      1. Step 1 – Gauntlt installation
      2. Step 2 – BDD security testing script
      3. Step 3 – execution and results
    7. Summary
    8. Questions
    9. Further reading
  14. BDD Acceptance Security Testing
    1. Security testing communication
    2. What is BDD security testing?
    3. Adoption of Robot Framework with sqlmap
      1. Step 1 – Robot Framework setup and preparation
      2. Step 2 – sqlmap with Robot Framework 
    4. Testing framework – Robot Framework with ZAP
      1. Step 1 – environment setup and preparation
      2. Step 2 – the Robot Framework script for the ZAP spider scan
      3. Step 3 – robot script execution
    5. Summary
    6. Questions
    7. Further reading
  15. Project Background and Automation Approach
    1. Case study – introduction and security objective
    2. Selecting security and automation testing tools
    3. Automated security testing frameworks
    4. Environment and tool setup
    5. Summary
    6. Questions
    7. Further reading
  16. Automated Testing for Web Applications
    1. Case 1 – web security scanning with ZAP-CLI
      1. Step 1 – installation of ZAP-CLI
      2. Step 2 – ZAP quick scan using the ZAP-CLI 
      3. Step 3 – generate a report
    2. Case 2 – web security testing with ZAP & Selenium
      1. Step 1 – Selenium Python script
      2. Step 2 – running ZAP as a proxy
        1. Approach 1 – configure the system proxy
        2. Approach 2 – Selenium Profile
        3. Approach 3 – using SeleniumBASE
      3. Step 3 – generate ZAP report
    3. Case 3 – fuzz XSS and SQLi testing with JMeter
      1. Testing scenarios
      2. Step 1 – prepare environment 
      3. Step 2 – define the JMeter scripts
      4. Step 3 – prepare security payloads
      5. Step 4 – launch JMeter in CLI with ZAP proxy
      6. Step 5 – generate a ZAP report
    4. Summary
    5. Questions
    6. Further reading
  17. Automated Fuzz API Security Testing
    1. Fuzz testing and data
      1. Step 1 – installing Radamsa
      2. Step 2 – generating the Security Random Payloads
    2. API fuzz testing with Automation Frameworks
      1. Approach 1 – security fuzz testing with Wfuzz
        1. Step 1 – installing Wfuzz
        2. Step 2 – fuzz testing with sign-in
        3. Step 3 – reviewing the Wfuzz report
      2. Approach 2 – security fuzz testing with 0d1n
        1. Step 1 – installation of 0d1n
        2. Step 2 – execution of 0d1n with OWASP ZAP
        3. Step 3 – review the ZAP report (optional)
      3. Approach 3 – Selenium DDT (data-driven testing)
        1. Step 1 – Selenium script with DDT
        2. Step 2 – executing the Selenium script
        3. Step 3 – review the ZAP report
      4. Approach 4 – Robot Framework DDT testing
        1. Step 1 – Robot Framework environment setup
        2. Step 3 – Robot Framework script
        3. Step 4 – review the ZAP report
    3. Summary
    4. Questions
    5. Further reading
  18. Automated Infrastructure Security
    1. Scan for known JavaScript vulnerabilities
      1. Step 1 – install RetireJS
      2. Step 2 – scan with RetireJS
      3. Step 3 – review the RetireJS results
    2. WebGoat with OWASP dependency check
      1. Step 1 – prepare WebGoat environment
      2. Step 2 – dependency check scan
      3. Step 3 – review the OWASP dependency-check report
    3. Secure communication scan with SSLScan
      1. Step 1 – SSLScan setup
      2. Step 2 – SSLScan scan
      3. Step 3 – review the SSLScan results
      4. Step 4 – fix the HTTPS secure configurations
    4. NMAP security scan with BDD framework
      1. NMAP for web security testing
      2. NMAP BDD testing with Gauntlt
      3. NMAP BDD with Robot Framework
        1. Step 1 – define the Robot Framework steps
        2. Step 2 – execute and review the results
    5. Summary
    6. Questions
    7. Further reading
  19. Managing and Presenting Test Results
    1. Managing and presenting test results
    2. Approach 1 – integrate the tools with RapidScan
      1. Step 1 – get the RapidScan Python script
      2. Step 2 – review scanning results
    3. Approach 2 – generate a professional pentest report with Serpico
      1. Step 1 – installation of Serpico
      2. Step 2 – create a Report based on Templates 
      3. Step 3 – Add Finding from Templates
      4. Step 4 – generate a report
    4. Approach 3 – security findings management DefectDojo
      1. Step 1 – set up the OWASP DefectDojo
      2. Step 2 – run security tools to output XMLs
      3. Step 3 – import ZAP findings 
    5. Summary
    6. Questions
    7. Further reading
  20. Summary of Automation Security Testing Tips
    1. Automation testing framework
      1. What are the automation frameworks for UI functional testing?
      2. BDD (behavior-driven development) testing framework?
      3. What are common automation frameworks that apply to security testing?
    2. Secure code review
      1. What are common secure code review patterns and risky APIs?
      2. Suggestions for using grep-like tools to search source code or configurations?
    3. API security testing
      1. What are API security testing approaches?
      2. What are the suggested resources for FuzzDB security payloads?
      3. What testing tools are suggested for web fuzz testing?
    4. Web security testing
      1. How can JMeter be used for web security testing?
      2. Examples of OWASP ZAP by ZAP-CLI usages
      3. Examples of OWASP ZAP automation by RESTful API
    5. Android security testing
      1. Suggested Android security testing tools and approach
      2. Common Android security risky APIs
    6. Infrastructure security
      1. What's the scope of infrastructure security testing?
      2. Typical use of Nmap for security testing
    7. BDD security testing by Robot Framework
      1. How to do a web security scan with ZAP and Robot Framework?
      2. How to achieve DDT testing in Robot Framework?
      3. How to do a network scan with Nmap and Robot Framework?
      4. How to do an SQLmap scan with Robot Framework?
      5. How to do BDD security testing with Nmap and Gauntlt?
    8. Summary
  21. List of Scripts and Tools
    1. List of sample scripts
    2. List of installed tools in virtual image
  22. Solutions
    1. Chapter 1: The Scope and Challenges of Security Automation
    2. Chapter 2: Integrating Security and Automation
    3. Chapter 3: Secure Code Inspection
    4. Chapter 4: Sensitive Information and Privacy Testing
    5. Chapter 5: Security API and Fuzz Testing
    6. Chapter 6: Web Application Security Testing
    7. Chapter 7: Android Security Testing
    8. Chapter 8: Infrastructure Security
    9. Chapter 9: BDD Acceptance Security Testing
    10. Chapter 10: Project Background and Automation Approach
    11. Chapter 11: Automated Testing for Web Applications
    12. Chapter 12: Automated Fuzz API Security Testing
    13. Chapter 13: Automated Infrastructure Security
    14. Chapter 14: Managing and Presenting Test Results
  23. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product Information

  • Title: Practical Security Automation and Testing
  • Author(s): Tony Hsiang-Chih Hsu
  • Release date: February 2019
  • Publisher(s): Packt Publishing
  • ISBN: 9781789802023