Stephen de Vries, profile picture
Uploaded byStephen de Vries
PPTX, PDF4,359 views

Continuous and Visible Security Testing with BDD-Security

The document discusses the integration of continuous and automated security testing within the software development lifecycle using the bdd-security framework. It emphasizes the importance of incorporating security testing early in the development process, aligning it with quality assurance, and providing actionable security requirements. The framework combines various tools and practices to enable effective testing, aiming to make security a standard consideration rather than an afterthought.

Embed presentation

Downloaded 130 times
Continuous and Visible Security Testing with BDD-Security Stephen de Vries @stephendv
About me • CTO Continuum Security • 16 years in security • Specialised in application security • Author of BDD-Security framework
Security testing still stuck in a waterfall world • Feedback from security testing is too late • Rely on outside security “experts”
Security is not something you add… …it’s something that’s build in, just like quality, scalability and performance
• Everyone is responsible for quality quality security • Move testing closer to the code security • Continuous automated testing ^
Difference of degree, not of kind Quality testing Security testing
Why What How Business Context Architecture App Features Threat Model Non-Functional Security Requirements Functional Security Requirements Security Tests
Security Requirements BDD-Specs (Given/When/Then) Visible Testable • Actionable • Up-to-date • Automated • Security Testing > Scanning
BDD-Security Testing Framework https://github.com/continuumsecurity/bdd-security BDD-Security = JBehave + Selenium + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications
Examples: Infrastructure specifications
Security specifications for application itself Authentication: • Passwords should be case sensitive • Present the login form itself over an HTTPS connection • Transmit authentication credentials over HTTPS • When authentication credentials are sent to the server, it should respond with a 3xx status code. • Disable browser auto-completion on the login form • Lock the user account out after <X> incorrect authentication attempts
Manual Application Security Testing with OWASP ZAP HTTP/S Proxy
Manual Application Security Testing with OWASP ZAP HTTP/S Proxy ^ BDD-Security
Configuring BDD-Security for in-depth testing - Edit config.xml with app specific values - Create Java class that defines Selenium methods for: - openLoginPage - Login - isLoggedIn - Logout
Demo
Application Security Scanning with ZAP
Testing Access Control Can Alice see Bob’s data?
Demo
Part of Continuous Integration process • Ant job in Jenkins • Run job after deploy to test environment • Fail the build if tests fail
Demo
Summary • Security testing doesn’t need special treatment: it differs from software testing in degree, not in kind • Automated Security tests can be integrated into a CI/CD model • Automated Security tests should include more than just scanning • BDD tools provide self-verifying specification • BDD-Security project to jump-start your own security specs
Similar tools • ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver • Guantlet (Ruby) http://gauntlt.org/ • Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn
Thank you I’ll be at Office Hours 13:45 Today Room: 211 @stephendv

More Related Content

PPT
Selenium ppt
byPavan Kumar
 
PPTX
Lecture 01 Introduction to Software Engineering
byAchmad Solichin
 
PDF
Waterfall model
bySandeep Kumar
 
DOC
Bug tracking system(synopsis)
byhappiness09
 
DOCX
Software engineering
byMOHAMED RIYAZUDEEN
 
PPTX
software maintenance
byrajshreemuthiah
 
PDF
Web automation using selenium.ppt
byAna Sarbescu
 
PPT
Unit iii(part b - architectural design)
byBALAJI A
 
Selenium ppt
byPavan Kumar
 
Lecture 01 Introduction to Software Engineering
byAchmad Solichin
 
Waterfall model
bySandeep Kumar
 
Bug tracking system(synopsis)
byhappiness09
 
Software engineering
byMOHAMED RIYAZUDEEN
 
software maintenance
byrajshreemuthiah
 
Web automation using selenium.ppt
byAna Sarbescu
 
Unit iii(part b - architectural design)
byBALAJI A
 

What's hot

PPTX
Selenium ppt
byAneesh Rangarajan
 
PDF
Requirement analysis
byShyam Bahadur Sunari Magar
 
PDF
Software Engineering - chp4- design patterns
byLilia Sfaxi
 
PPSX
Principles of Software testing
byMd Mamunur Rashid
 
PPT
Testing strategies in Software Engineering
byMuhammadTalha436
 
DOC
School management System
byHATIM Bhagat
 
PDF
Web engineering notes unit 2
byinshu1890
 
PPT
Process Models IN software Engineering
byArid Agriculture university rawalpindi
 
PPTX
White box testing
byNeethu Tressa
 
PPT
Unit iii(part d - component level design)
byBALAJI A
 
PPT
Black box and white box testing
byAWADHESH PRATAP SINGH UNIVERSITY, REWA (M.P.)
 
PPT
Chapter 01 software engineering pressman
byRohitGoyal183
 
PPT
Software design, software engineering
byRupesh Vaishnav
 
PPTX
Quality Concept
byAnand Jat
 
PPT
Testing fundamentals
byRaviteja Chowdary Adusumalli
 
PPTX
functional testing
bybharathanche
 
ODP
Automating OWASP ZAP - DevCSecCon talk
bySimon Bennetts
 
PPTX
SQL INJECTION
byAnoop T
 
PPT
Software Testing
byMousmi Pawar
 
PDF
Security testing presentation
byConfiz
 
Selenium ppt
byAneesh Rangarajan
 
Requirement analysis
byShyam Bahadur Sunari Magar
 
Software Engineering - chp4- design patterns
byLilia Sfaxi
 
Principles of Software testing
byMd Mamunur Rashid
 
Testing strategies in Software Engineering
byMuhammadTalha436
 
School management System
byHATIM Bhagat
 
Web engineering notes unit 2
byinshu1890
 
Process Models IN software Engineering
byArid Agriculture university rawalpindi
 
White box testing
byNeethu Tressa
 
Unit iii(part d - component level design)
byBALAJI A
 
Black box and white box testing
byAWADHESH PRATAP SINGH UNIVERSITY, REWA (M.P.)
 
Chapter 01 software engineering pressman
byRohitGoyal183
 
Software design, software engineering
byRupesh Vaishnav
 
Quality Concept
byAnand Jat
 
Testing fundamentals
byRaviteja Chowdary Adusumalli
 
functional testing
bybharathanche
 
Automating OWASP ZAP - DevCSecCon talk
bySimon Bennetts
 
SQL INJECTION
byAnoop T
 
Software Testing
byMousmi Pawar
 
Security testing presentation
byConfiz
 

Viewers also liked

PPTX
Security testing ?
byMaikel Ninaber
 
PDF
we45 - Web Application Security Testing Case Study
bywe45
 
PPTX
Security testing
byRihab Chebbah
 
PDF
DevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
byStephan Kaps
 
PDF
Software Project Management: Testing Document
byMinhas Kamal
 
PDF
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
byKyle Lai
 
PPSX
8 Access Control
byAlfred Ouyang
 
DOCX
Audit Checklist for Information Systems
byAhmad Tariq Bhatti
 
Security testing ?
byMaikel Ninaber
 
we45 - Web Application Security Testing Case Study
bywe45
 
Security testing
byRihab Chebbah
 
DevOpsCon 2016 - Continuous Security Testing - Stephan Kaps
byStephan Kaps
 
Software Project Management: Testing Document
byMinhas Kamal
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
byKyle Lai
 
8 Access Control
byAlfred Ouyang
 
Audit Checklist for Information Systems
byAhmad Tariq Bhatti
 

Similar to Continuous and Visible Security Testing with BDD-Security

PPTX
Continuous Security Testing in a Devops World
byStephen de Vries
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
PPTX
Automating security tests for Continuous Integration
byStephen de Vries
 
PPTX
DevSecCon Boston2018 - advanced mobile security automation with bdd
byDavide Cioccia
 
PDF
Continuous Security Testing - DevSecCon
byStephen de Vries
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
PDF
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
byChristian Schneider
 
PDF
Bridging the gap between business and technology - Behaviour Driven Developme...
bymarcin_pajdzik
 
PPTX
Gherkin for test automation in agile
byViresh Doshi
 
PPTX
Behat - human-readable automated testing
bynyccamp
 
PPTX
DEF CON 23 - Hacking Web Apps @brentwdesign
bybrentwdesign
 
PDF
Web application penetration testing lab setup guide
bySudhanshu Chauhan
 
PPTX
BDD in Automation Testing
byScrum Breakfast Vietnam
 
PPTX
Security testautomation
byLinkesh Kanna Velu
 
PPTX
Agile methodologies based on BDD and CI by Nikolai Shevchenko
byMoldova ICT Summit
 
ODP
2014 11 20 Drupal 7 -> 8 test migratie
byhcderaad
 
PDF
Test Automation Framework for the Desktop
byDavid Harrison
 
PDF
Cucumber - use it to describe user stories and acceptance criterias
byGeison Goes
 
Continuous Security Testing in a Devops World
byStephen de Vries
 
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
Automating security tests for Continuous Integration
byStephen de Vries
 
DevSecCon Boston2018 - advanced mobile security automation with bdd
byDavide Cioccia
 
Continuous Security Testing - DevSecCon
byStephen de Vries
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
byChristian Schneider
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
byChristian Schneider
 
Bridging the gap between business and technology - Behaviour Driven Developme...
bymarcin_pajdzik
 
Gherkin for test automation in agile
byViresh Doshi
 
Behat - human-readable automated testing
bynyccamp
 
DEF CON 23 - Hacking Web Apps @brentwdesign
bybrentwdesign
 
Web application penetration testing lab setup guide
bySudhanshu Chauhan
 
BDD in Automation Testing
byScrum Breakfast Vietnam
 
Security testautomation
byLinkesh Kanna Velu
 
Agile methodologies based on BDD and CI by Nikolai Shevchenko
byMoldova ICT Summit
 
2014 11 20 Drupal 7 -> 8 test migratie
byhcderaad
 
Test Automation Framework for the Desktop
byDavid Harrison
 
Cucumber - use it to describe user stories and acceptance criterias
byGeison Goes
 

Recently uploaded

PDF
Optimizing DNS Performance in Kubernetes: Challenges and Best Practices
byBangladesh Network Operators Group
 
PDF
ResleekTV Review 2025: Is It the Best IPTV Service? Full Guide & Features
byStream Insight Reviews
 
PDF
Hybrid Mesh Firewall: Network firewall revolution
byBangladesh Network Operators Group
 
PPTX
Presentation4.pptx space it's exploration
byvarung3424
 
PDF
BELUGA slideshow funny and cool make you laugh
byjoshuaindrei
 
PDF
From Technocracy to Data Sovereignty, Open Data and Geospatial Technologies
byFranz-Josef Behr
 
PDF
Ethereum Fusaka Upgrade Set For December 3: Everything you need to know | 3.0 TV
by3verseTV
 
PPTX
Understanding Universal Acceptance (UA) and Technical Challenges
byBangladesh Network Operators Group
 
PPTX
Types of conflicthjhhkjljljjikjhbsakmxlsakx;lsakxla,xa,x.a,laxlaklsadisjcjsdd
bykburdzenidzeboys
 
PDF
DNS Principles and Operations - Lecture 05
byInternet Systems Consortium and University of Ostrava
 
PDF
Antrophic abuse by GTG-1002 group, cyber attack analysis by MITRE ATLAS and A...
byCarlo Dapino
 
PDF
DNS Principles and Operations - Lecture 04
byInternet Systems Consortium and University of Ostrava
 
PDF
DNS Principles and Operations - Lecture 01
byInternet Systems Consortium and University of Ostrava
 
PDF
DNSSEC Deployment for .BD SLDs by Abdul Awal
byBangladesh Network Operators Group
 
Optimizing DNS Performance in Kubernetes: Challenges and Best Practices
byBangladesh Network Operators Group
 
ResleekTV Review 2025: Is It the Best IPTV Service? Full Guide & Features
byStream Insight Reviews
 
Hybrid Mesh Firewall: Network firewall revolution
byBangladesh Network Operators Group
 
Presentation4.pptx space it's exploration
byvarung3424
 
BELUGA slideshow funny and cool make you laugh
byjoshuaindrei
 
From Technocracy to Data Sovereignty, Open Data and Geospatial Technologies
byFranz-Josef Behr
 
Ethereum Fusaka Upgrade Set For December 3: Everything you need to know | 3.0 TV
by3verseTV
 
Understanding Universal Acceptance (UA) and Technical Challenges
byBangladesh Network Operators Group
 
Types of conflicthjhhkjljljjikjhbsakmxlsakx;lsakxla,xa,x.a,laxlaklsadisjcjsdd
bykburdzenidzeboys
 
DNS Principles and Operations - Lecture 05
byInternet Systems Consortium and University of Ostrava
 
Antrophic abuse by GTG-1002 group, cyber attack analysis by MITRE ATLAS and A...
byCarlo Dapino
 
DNS Principles and Operations - Lecture 04
byInternet Systems Consortium and University of Ostrava
 
DNS Principles and Operations - Lecture 01
byInternet Systems Consortium and University of Ostrava
 
DNSSEC Deployment for .BD SLDs by Abdul Awal
byBangladesh Network Operators Group
 

Continuous and Visible Security Testing with BDD-Security

  • 1.
    Continuous and VisibleSecurity Testing with BDD-Security Stephen de Vries @stephendv
  • 2.
    About me •CTO Continuum Security • 16 years in security • Specialised in application security • Author of BDD-Security framework
  • 4.
    Security testing stillstuck in a waterfall world • Feedback from security testing is too late • Rely on outside security “experts”
  • 5.
    Security is notsomething you add… …it’s something that’s build in, just like quality, scalability and performance
  • 6.
    • Everyone isresponsible for quality quality security • Move testing closer to the code security • Continuous automated testing ^
  • 7.
    Difference of degree,not of kind Quality testing Security testing
  • 8.
    Why What How Business Context Architecture App Features Threat Model Non-Functional Security Requirements Functional Security Requirements Security Tests
  • 13.
    Security Requirements BDD-Specs(Given/When/Then) Visible Testable • Actionable • Up-to-date • Automated • Security Testing > Scanning
  • 14.
    BDD-Security Testing Framework https://github.com/continuumsecurity/bdd-security BDD-Security = JBehave + Selenium + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications
  • 15.
  • 18.
    Security specifications forapplication itself Authentication: • Passwords should be case sensitive • Present the login form itself over an HTTPS connection • Transmit authentication credentials over HTTPS • When authentication credentials are sent to the server, it should respond with a 3xx status code. • Disable browser auto-completion on the login form • Lock the user account out after <X> incorrect authentication attempts
  • 19.
    Manual Application SecurityTesting with OWASP ZAP HTTP/S Proxy
  • 20.
    Manual Application SecurityTesting with OWASP ZAP HTTP/S Proxy ^ BDD-Security
  • 21.
    Configuring BDD-Security forin-depth testing - Edit config.xml with app specific values - Create Java class that defines Selenium methods for: - openLoginPage - Login - isLoggedIn - Logout
  • 22.
  • 23.
  • 27.
    Testing Access Control Can Alice see Bob’s data?
  • 28.
  • 29.
    Part of ContinuousIntegration process • Ant job in Jenkins • Run job after deploy to test environment • Fail the build if tests fail
  • 30.
  • 31.
    Summary • Securitytesting doesn’t need special treatment: it differs from software testing in degree, not in kind • Automated Security tests can be integrated into a CI/CD model • Automated Security tests should include more than just scanning • BDD tools provide self-verifying specification • BDD-Security project to jump-start your own security specs
  • 32.
    Similar tools •ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver • Guantlet (Ruby) http://gauntlt.org/ • Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn
  • 33.
    Thank you I’llbe at Office Hours 13:45 Today Room: 211 @stephendv

Editor's Notes

  • #3 I’ve spent most of my career as a penetration tester and security consultant testing web and mobile applications. And let me say that as a security specialist it’s great to be at a conferences focussed on development and operations. Can I see with a show of hands who’s primary role is in security.
  • #4 We’re not popular people. We don’t get invited to meetings because we’re the no guys, the guys who cause project delays because of our onorous security requirements. And this is particularly true for security testing which for many organisations is synonymous with penetration testing.
  • #5 There are problems with relying on pentesting as a core security activity: Which means it is a single control gate at the end of a development cycle. The biggest problems is that it’s far too late in the development cycle. and increasingly the interesting security vulnerabilities are in the business processes in the software itself.
  • #6 If we want to get security testing out of this model we don’t have to start from scratch, because we already handle other software properties in Agile and CD models with great success. None of those properties can simply be added to an application, we have to build them in from the start. And security is no different.
  • #7 And looking at how testing has evolved over time two things stand out: we’re doing more automation, and we’re doing that automated testing closer to the code. Our unit and integration tests are a key part to making continuous delivery possible. And I claim that that we can and should take the same approach with security testing: automated as much as possible, so that we can run them continuously and get feedback as quick as possible. Not to replace manual security testing, but to complement it.
  • #8 And there are really a lot of similarities in the acts of quality and security testing. the differences to security testing are of degree and not of kind. We’re both testing functional and non-functional aspects of the software, we’re both testing boundary conditions. We’re both looking for defects. And we both find those defects by testing the boundaries of the system. Where the quality test is focused on functional defects, security testing is focused on defects that can be abused by a determined attacker in order to gain some benefit for themselves. So they’re looking for software failures that fail in a special way. Although there are some differences between the two, those differences are of degree and not of kind. So instead of treating security as a special kind of activity, we can instead treat it as a specialised form of quality testing.
  • #9 Where should security tests come from? The process differs from functional requirements and tests. The central part of the process is the threat model: who is likely to attack me, what are they likely to attack and whether we care about those attacks or not? We get to the threat model by analysing the business context defines the type of data you’re dealing with and also your apettite for risk. The technical architecture of your application, web, mobile, is it internal only, deployed to cloud on hosted etc. Together with the features that you offer, e-commerce, or funds transfer or even just a simple search function in an app all contribute to defining the threat model. At the end of the threat modeling step you also perform a simple risk analysis to find out which threats matter and should be addressed, and which don’t. For this process to succeed should be visible. That is to say that the whole team, security operations and developers understand why we’re building specific features and how we’re testing that they work. If this is visible to the whole team then there’s less chance of misunderstanding requirements, or in fact ignoring security requirements.
  • #10 Here’s a quick example of how the business context can influence the functional security requirements. Consider a typical password reset function.
  • #11 This is a data leak. An attacker somewhere on the Internet could determine if a given email address is registered to the site. …and if the attacker had a database of email addresses they could automated this. But for online retailers this is not a serious risk.
  • #12 But consider if you were running a dating site for spouses to have affairs. The threat model is different, because the potential attackers are different. In their threat model they assume that spouses checking up on each other are one of their potential attackers.
  • #13 So they’re modified their password reset function accordingly. So security testing is not just about avoiding implementation bugs, we need to have a good set of security requirements and from those build our security tests which should including functional aspects of the app.
  • #14 Requirements must meet the key criteria of being visible to the developers and operations team, actionable and up to date. The preferred tool of the security practioner here is the document or spreadsheet and I know what happens to those, they get filed in a drawer and never looked at again. They must be detailed actionable requirements and not high level desires like: “Take adequate steps to secure personal data”. That’s not a requirement, that’s just a desire. We should be able to test for security architecture flaws such as functional security in the app, as well as implementation bugs, XSS, SQLi And by Using BDD style tools that use the given/when/then specifications. BDD specs are effectively automated tests written in a natural language so they do double duty as both a specification and a test. This is the biggest win because we effectively have self-verifying specifications. This forces them to be up to date, because they’re not just serving as documentation but as tests as well. GHERKIN
  • #15  ----- Meeting Notes (09/11/14 12:49) ----- 20 Narrow domain
  • #18 False positives
  • #19 Scanning the infrastructure is only part of the security story, we also want to test the functional aspects of the security of the app itself.
  • #23 From bdd spec to here = 11m
  • #24 From
  • #28 From