Title Page
Copyright and Credits
Practical Security Automation and Testing
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
The Scope and Challenges of Security Automation
The purposes and myths of security automation
Myth 1 – doesn't security testing require highly experienced pentesters?
Myth 2 – isn't it time-consuming to build an automation framework?
Myth 3 – there are no automation frameworks that are really feasible for security testing
The required skills and suggestions for security automation
General environment setup for coming labs
Summary
Questions
Further reading
Integrating Security and Automation
The domains of automation testing and security testing
Automation frameworks and techniques
UI functional testing for web, mobile, and Windows
HTTP API testing
HTTP mock server
White-box search with grep-like tools
Behavior-driven development testing frameworks
Testing data generators
Automating existing security testing
Security testing with an existing automation framework
Summary
Questions
Further reading
Secure Code Inspection
Case study – automating a secure code review
Secure coding scanning service – SWAMP
Step 1 – adding a new package
Step 2 – running the assessment
Step 3 – viewing the results
Secure coding patterns for inspection
Quick and simple secure code scanning tools
Automatic secure code inspection script in Linux
Step 1 – downloading the CRASS
Step 2 – executing the code review audit scan
Step 3 – reviewing the results
Automatic secure code inspection tools for Windows
Step 1 – downloading VCG (Visual Code Grepper)
Step 2 – executing VCG
Step 3 – reviewing the VCG scanning results
Case study – XXE security
Case study – deserialization security issue
Summary
Questions
Further reading
Sensitive Information and Privacy Testing
The objective of sensitive information testing
PII discovery
Sensitive information discovery
Privacy search tools
Case study – weak encryption search
Step 1 – installing The Silver Searcher
Step 2 – executing the tool (using Windows as an example)
Step 3 – reviewing the results (using Windows as an example)
Case study – searching for a private key
Step 1 – calculating the entropy
Step 2 – searching for high-entropy strings
Step 3 – reviewing the results
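The private-key case study above (calculate entropy, search for high-entropy strings, review) is, in code, the same detector that tools such as truffleHog use: tokenise each source line, compute the Shannon entropy of every long token, and report the ones above a threshold, plus any PEM private-key header, which needs no entropy at all. The script below is an added example, not code from the book; the sample `config.py` content is constructed, the token regex, threshold of 4.0 bits per character and minimum token length of 20 are the author's own choices, and a real scan would read files from disk instead of the embedded string.

```python
import math
import re
from collections import Counter

# Constructed sample source (not real credentials, not from the book).
# Line 4 holds a 32-character token with 32 distinct characters (5.0 bits/char);
# line 6 is a long but repetitive string (0.0 bits/char); line 7 is a PEM header.
SAMPLE_SOURCE = """\
# config.py (constructed example, not real credentials)
DB_HOST = "db.internal.example"
LOG_LEVEL = "debug"
API_TOKEN = "Zq3tF9pL2xW7vB4nK8mR1sY6hJ0cD5gA"
RETRY_COUNT = 3
SESSION_NAME = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-----BEGIN RSA PRIVATE KEY-----
"""

# Candidate secrets: long runs of base64/hex/token characters (assumed alphabet).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# PEM private-key headers (RSA, EC, OPENSSH, or the generic PKCS#8 form).
PEM_HEADER_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def shannon_entropy(s: str) -> float:
    """Bits per character: -sum(p * log2 p) over the character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_for_secrets(text: str, threshold: float = 4.0) -> list:
    """Return one finding per suspicious line: high-entropy tokens and PEM headers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_HEADER_RE.search(line):
            findings.append({"line": lineno, "kind": "pem-private-key",
                             "value": line.strip(), "entropy": None})
        for match in TOKEN_RE.finditer(line):
            token = match.group(0)
            entropy = shannon_entropy(token)
            # Low-entropy long strings (padding, placeholders) are dropped here;
            # hashes and UUIDs will still pass, so review the hits by hand.
            if entropy >= threshold:
                findings.append({"line": lineno, "kind": "high-entropy",
                                 "value": token, "entropy": round(entropy, 2)})
    return findings


if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_SOURCE):
        print(f"{f['line']}: {f['kind']} {f['value']} {f['entropy']}")
```

The threshold is the tuning knob: random base64 sits near 5 to 6 bits per character, hex near 4, and English identifiers well under 4, so 4.0 catches keys and tokens while skipping variable names. Expect false positives from content hashes, UUIDs and minified assets, which is why step 3 of the case study is a manual review rather than a pass/fail gate.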
Case study – website privacy inspection
Step 1 – visiting PrivacyScore or setting it up locally
Step 2 – reviewing the results
Summary
Questions
Further reading
Security API and Fuzz Testing
Automated security testing for every API release
Building your security API testing framework
Case study 1 – basic – web service testing with ZAP CLI
Step 1 – OWASP ZAP download and launch with port 8090
Step 2 – install the ZAP-CLI
Step 3 – execute the testing under ZAP-CLI
Step 4 – review the results
Case study 2 – intermediate – API testing with ZAP and JMeter
Step 1 – download JMeter
Step 2 – define HTTP request for the login
Step 3 – execute the JMeter script
Step 4 – review the results in ZAP
Case study 3 – advanced – parameterized security payload with fuzz
Step 1 – download the SQL injection data
Step 2 – define the CSV dataset in JMeter
Step 3 – apply the variable name
Step 4 – specify the loop
Step 5 – execute JMeter and review the security assessment results
Case study 4 – security testing with ZAP Open/SOAP API
Step 1 – install the OpenAPI and SOAP API add-ons
Step 2 – import the API definition
Step 3 – execute the active security scanning
Step 4 – present the security assessments
Summary
Questions
Further reading
Web Application Security Testing
Case study – online shopping site for automated security inspection
Case 1 – web security testing using the ZAP REST API
Step 1 – spider scanning the website
Step 2 – active scanning the website
Step 3 – reviewing the status of the active scan
Step 4 – reviewing the security assessments
Case 2 – full automation with CURL and the ZAP daemon
Step 1 – executing ZAP in daemon (headless) mode
Step 2 – checking the status of the ZAP daemon
Step 3 – fully automating the ZAP API
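Cases 1 and 2 above drive the same sequence through the ZAP REST API: start the daemon, confirm it answers, spider the target, poll the spider status, active-scan, poll again, then pull the alerts. The script below is an added example (not the book's code) of that sequence in Python rather than curl; it assumes ZAP was started as `zap.sh -daemon -port 8090 -config api.key=changeme` on the local machine, so the address, port and API key are assumptions, and `target` must be a site you are authorised to scan. The HTTP fetch is a parameter so the flow can be exercised offline against a stand-in; the JSON endpoints and response fields are ZAP's own.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8090"   # assumed daemon address (book launches ZAP on 8090)
API_KEY = "changeme"                 # assumed value of -config api.key=...


def api_url(component: str, kind: str, name: str, **params) -> str:
    """Build a ZAP JSON API URL: /JSON/<component>/<action|view>/<name>/?...&apikey=..."""
    params["apikey"] = API_KEY
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def http_get_json(url: str) -> dict:
    """Real transport: GET the URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def daemon_ready(fetch=http_get_json) -> bool:
    """Step 2 of case 2: core/view/version answers only when the daemon is up."""
    try:
        return "version" in fetch(api_url("core", "view", "version"))
    except Exception:
        return False


def wait_until_done(fetch, component: str, scan_id: str, sleep, interval: float) -> None:
    """Poll <component>/view/status until ZAP reports 100 (percent complete)."""
    while int(fetch(api_url(component, "view", "status", scanId=scan_id))["status"]) < 100:
        sleep(interval)


def summarize(alerts: list) -> dict:
    """Count alerts per risk level ("High", "Medium", "Low", "Informational")."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def run_scan(target: str, fetch=http_get_json, sleep=time.sleep) -> dict:
    """Spider, active-scan and collect alerts for `target`; returns risk counts."""
    if not daemon_ready(fetch):
        raise RuntimeError(f"ZAP daemon not reachable at {ZAP_BASE}")
    # Spider first so the active scanner has URLs to attack.
    spider_id = fetch(api_url("spider", "action", "scan", url=target))["scan"]
    wait_until_done(fetch, "spider", spider_id, sleep, 2)
    # Active scan sends attack payloads: only against systems you may test.
    ascan_id = fetch(api_url("ascan", "action", "scan", url=target))["scan"]
    wait_until_done(fetch, "ascan", ascan_id, sleep, 5)
    alerts = fetch(api_url("core", "view", "alerts", baseurl=target))["alerts"]
    return summarize(alerts)


if __name__ == "__main__":
    print(run_scan("http://localhost:3000"))   # assumed local test target
```

Because ZAP's API key is a query parameter, keep the daemon bound to localhost (the default) or restrict `api.addrs.addr.name`; anyone who can reach port 8090 with the key can point the active scanner at arbitrary hosts.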
Case 3 – automated security testing for the user registration flow with Selenium
Step 1 – installation of SeleniumBase
Step 2 – launching ZAP with proxy 8090
Step 3 – executing the user registration flow automation
Step 4 – active scanning the identified URLs
Step 5 – reviewing the security assessments
Summary
Questions
Further reading
Android Security Testing
Android security review best practices
Secure source code review patterns for Android
Privacy and sensitive information review
Privacy scanning with Androwarn
Step 1 – scanning of an APK
Step 2 – review the report
General process of APK security analysis
Step 1 – use APKTool to reverse the APK into AndroidManifest.xml, smali, and resources
Step 2 – use JADX to reverse the APK into Java source code
Step 3 – use Fireline to scan all the Java source files
Step 4 – review the scanning results
Static secure code scanning with QARK
Step 1 – install QARK
Step 2 – APK scanning with QARK
Step 3 – review the results
Automated security scanning with MobSF
Step 1 – set up the MobSF
Step 2 – upload the APK by REST API
Step 3 – scan the APK
Step 4 – download the report
Summary
Questions
Further reading
Infrastructure Security
The scope of infrastructure security
Secure configuration best practices
CIS (Center for Internet Security) benchmarks
Security technical implementation guides (STIGs)
OpenSCAP security guide
Step 1 – installation of SCAP workbench
Step 2 – OpenSCAP security guide
Network security assessments with Nmap
Nmap usage tips
CVE vulnerability scanning
Known vulnerable components scan by VulScan
Step 1 – installation of VulScan
Step 2 – Nmap scanning with VulScan
Known vulnerable components scan by OWASP dependency check
Step 1 – installation of OWASP dependency check
Step 2 – CVE scanning with OWASP dependency check
HTTPS security check with SSLyze
Behavior-driven security automation – Gauntlt
Step 1 – Gauntlt installation
Step 2 – BDD security testing script
Step 3 – execution and results
Summary
Questions
Further reading
BDD Acceptance Security Testing
Security testing communication
What is BDD security testing?
Adoption of Robot Framework with sqlmap
Step 1 – Robot Framework setup and preparation
Step 2 – sqlmap with Robot Framework
Testing framework – Robot Framework with ZAP
Step 1 – environment setup and preparation
Step 2 – the Robot Framework script for the ZAP spider scan
Step 3 – robot script execution
Summary
Questions
Further reading
Project Background and Automation Approach
Case study – introduction and security objective
Selecting security and automation testing tools
Automated security testing frameworks
Environment and tool setup
Summary
Questions
Further reading
Automated Testing for Web Applications
Case 1 – web security scanning with ZAP-CLI
Step 1 – installation of ZAP-CLI
Step 2 – ZAP quick scan using the ZAP-CLI
Step 3 – generate a report
Case 2 – web security testing with ZAP & Selenium
Step 1 – Selenium Python script
Step 2 – running ZAP as a proxy
Approach 1 – configure the system proxy
Approach 2 – Selenium Profile
Approach 3 – using SeleniumBase
Step 3 – generate ZAP report
Case 3 – fuzz XSS and SQLi testing with JMeter
Testing scenarios
Step 1 – prepare environment
Step 2 – define the JMeter scripts
Step 3 – prepare security payloads
Step 4 – launch JMeter in CLI with ZAP proxy
Step 5 – generate a ZAP report
Summary
Questions
Further reading
Automated Fuzz API Security Testing
Fuzz testing and data
Step 1 – installing Radamsa
Step 2 – generating the security random payloads
API fuzz testing with automation frameworks
Approach 1 – security fuzz testing with Wfuzz
Step 1 – installing Wfuzz
Step 2 – fuzz testing with sign-in
Step 3 – reviewing the Wfuzz report
Approach 2 – security fuzz testing with 0d1n
Step 1 – installation of 0d1n
Step 2 – execution of 0d1n with OWASP ZAP
Step 3 – review the ZAP report (optional)
Approach 3 – Selenium DDT (data-driven testing)
Step 1 – Selenium script with DDT
Step 2 – executing the Selenium script
Step 3 – review the ZAP report
Approach 4 – Robot Framework DDT testing
Step 1 – Robot Framework environment setup
Step 2 – Robot Framework script
Step 3 – review the ZAP report
Summary
Questions
Further reading
Automated Infrastructure Security
Scan for known JavaScript vulnerabilities
Step 1 – install RetireJS
Step 2 – scan with RetireJS
Step 3 – review the RetireJS results
WebGoat with OWASP dependency check
Step 1 – prepare WebGoat environment
Step 2 – dependency check scan
Step 3 – review the OWASP dependency-check report
Secure communication scan with SSLScan
Step 1 – SSLScan setup
Step 2 – SSLScan scan
Step 3 – review the SSLScan results
Step 4 – fix the HTTPS secure configurations
Nmap security scan with BDD framework
Nmap for web security testing
Nmap BDD testing with Gauntlt
Nmap BDD with Robot Framework
Step 1 – define the Robot Framework steps
Step 2 – execute and review the results
Summary
Questions
Further reading
Managing and Presenting Test Results
Managing and presenting test results
Approach 1 – integrate the tools with RapidScan
Step 1 – get the RapidScan Python script
Step 2 – review scanning results
Approach 2 – generate a professional pentest report with Serpico
Step 1 – installation of Serpico
Step 2 – create a report based on templates
Step 3 – add findings from templates
Step 4 – generate a report
Approach 3 – security findings management DefectDojo
Step 1 – set up OWASP DefectDojo
Step 2 – run security tools to output XMLs
Step 3 – import ZAP findings
Summary
Questions
Further reading
Summary of Automation Security Testing Tips
Automation testing framework
What are the automation frameworks for UI functional testing?
What is a BDD (behavior-driven development) testing framework?
What are common automation frameworks that apply to security testing?
Secure code review
What are common secure code review patterns and risky APIs?
Suggestions for grep-like search tools for source code or configuration search
API security testing
What are API security testing approaches?
What are the suggested resources for FuzzDB security payloads?
What testing tools are suggested for web fuzz testing?
Web security testing
How can JMeter be used for web security testing?
Examples of OWASP ZAP usage via ZAP-CLI
Examples of OWASP ZAP automation via the RESTful API
Android security testing
Suggested Android security testing tools and approach
Common Android security risky APIs
Infrastructure security
What's the scope of infrastructure security testing?
Typical use of Nmap for security testing
BDD security testing by Robot Framework
How to do a web security scan with ZAP and Robot Framework?
How to achieve DDT testing in Robot Framework?
How to do a network scan with Nmap and Robot Framework?
How to do a sqlmap scan with Robot Framework?
How to do BDD security testing with Nmap and Gauntlt?
Summary
List of Scripts and Tools
List of sample scripts
List of installed tools in virtual image
Solutions
Chapter 1: The Scope and Challenges of Security Automation
Chapter 2: Integrating Security and Automation
Chapter 3: Secure Code Inspection
Chapter 4: Sensitive Information and Privacy Testing
Chapter 5: Security API and Fuzz Testing
Chapter 6: Web Application Security Testing
Chapter 7: Android Security Testing
Chapter 8: Infrastructure Security
Chapter 9: BDD Acceptance Security Testing
Chapter 10: Project Background and Automation Approach
Chapter 11: Automated Testing for Web Applications
Chapter 12: Automated Fuzz API Security Testing
Chapter 13: Automated Infrastructure Security
Chapter 14: Managing and Presenting Test Results
Other Books You May Enjoy
Leave a review - let other readers know what you think