Date post: 16-Jul-2015
Category: Internet
Upload: stephen-de-vries
About me
• CTO Continuum Security
• 16 years in security
• Specialised in application security
• Author of BDD-Security framework
Security testing still stuck in a waterfall world
• Feedback from security testing is too late
• Rely on outside security “experts”
Security is not something you add…
…it’s something that’s built in, just like quality, scalability and performance
• Everyone is responsible for quality, and for security
• Move testing closer to the code
• Continuous automated testing
Why / What / How (slide diagram):
Business Context + Architecture → App Features → Threat Model → Non-Functional Security Requirements + Functional Security Requirements → Security Tests
Security Requirements
• Visible
• Testable
• Actionable
• Up-to-date
• Automated
• Security Testing > Scanning
BDD-Specs (Given/When/Then)
BDD-Security Testing Framework
https://github.com/continuumsecurity/bdd-security
BDD-Security = JBehave + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications
+ Selenium + Security specifications for the application itself
Authentication:
• Passwords should be case sensitive
• Present the login form itself over an HTTPS connection
• Transmit authentication credentials over HTTPS
• When authentication credentials are sent to the server, it should respond with a 3xx status code
• Disable browser auto-completion on the login form
• Lock the user account out after <X> incorrect authentication attempts
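The baseline authentication specifications above, written as self-verifying checks over a captured login page and login response. This is an added example, not BDD-Security's own code; the login page, URL and user record below are constructed sample data, and the case-sensitivity check takes a hypothetical `login(username, password)` callable in place of a Selenium-driven login.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample login page; not captured from any real application.
SAMPLE_LOGIN_PAGE = """<html><body>
<form method="post" action="/login">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
</form></body></html>"""

class _LoginFormParser(HTMLParser):
    """Record the first form's action and each named input's autocomplete attribute."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.autocomplete = {}  # input name -> autocomplete value (None if absent)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action") or ""
        elif tag == "input" and a.get("name"):
            self.autocomplete[a["name"]] = a.get("autocomplete")

def check_login_form(page_url, html, credential_fields=("username", "password")):
    """Given the login page, report which of the form-related baseline specs pass."""
    parser = _LoginFormParser()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme
    # A relative action posts back to the page's own origin, so it inherits the page scheme.
    action_scheme = urlparse(parser.action or "").scheme or page_scheme
    return {
        "login form presented over HTTPS": page_scheme == "https",
        "credentials transmitted over HTTPS": action_scheme == "https",
        "auto-completion disabled on credential fields": all(
            (parser.autocomplete.get(f) or "").lower() == "off" for f in credential_fields
        ),
    }

def check_login_response(status_code):
    """When credentials are posted, the server should answer with a redirect (3xx)."""
    return 300 <= status_code < 400

def password_is_case_sensitive(login, username, password):
    """The correct password must log in and its case-flipped form must be rejected
    (login is a hypothetical callable returning True on success; password needs letters)."""
    return bool(login(username, password)) and not login(username, password.swapcase())
```

Each returned key reads like a Given/When/Then outcome, so a CI job can fail the build on any `False` value rather than on a scanner's severity rating.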
Configuring BDD-Security for in-depth testing
- Edit config.xml with app specific values
- Create Java class that defines Selenium methods for:
  - openLoginPage
  - Login
  - isLoggedIn
  - Logout
Part of Continuous Integration process
• Ant job in Jenkins
• Run job after deploy to test environment
• Fail the build if tests fail
Summary
• Security testing doesn’t need special treatment: it differs from software testing in degree, not in kind
• Automated security tests can be integrated into a CI/CD model
• Automated security tests should include more than just scanning
• BDD tools provide self-verifying specifications
• BDD-Security project to jump-start your own security specs
Similar tools
• ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver
• Gauntlt (Ruby) http://gauntlt.org/
• Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn