Revolutionizing Security Testing with BDD-Security
Explore the innovative approach of Continuous and Visible Security Testing with BDD-Security by Stephen de Vries. Gain insights into how security testing can be integrated seamlessly into modern development practices, shifting the focus from reactive to proactive measures. Learn about the importance of incorporating security from the outset, leveraging automation and collaboration to enhance overall security posture.
Presentation Transcript
Continuous and Visible Security Testing with BDD-Security Stephen de Vries @stephendv
About me: CTO, Continuum Security. 16 years in security, specialised in application security. Author of the BDD-Security framework.
Security testing is still stuck in a waterfall world: feedback from security testing arrives too late, and it relies on outside security experts.
Security is not something you add; it's something that's built in, just like quality, scalability and performance.
The same principles that moved quality testing into development apply to security testing: everyone is responsible for quality, and for security. Move quality testing, and security testing, closer to the code. Test continuously and automatically.
Security testing versus quality testing: a difference of degree, not of kind.
Why: business context, architecture and application features feed the threat model. What: non-functional security requirements and functional security requirements. How: security tests.
Security requirements written as BDD specs (Given/When/Then) are testable, visible, actionable, up-to-date and automated. Security testing is more than scanning.
BDD-Security testing framework: https://github.com/continuumsecurity/bdd-security. BDD-Security = JBehave + Selenium + OWASP ZAP + Nessus + internal security tools + pre-written baseline security specifications.
Security specifications for the application itself (authentication):
- Passwords should be case sensitive
- Present the login form itself over an HTTPS connection
- Transmit authentication credentials over HTTPS
- When authentication credentials are sent to the server, it should respond with a 3xx status code
- Disable browser auto-completion on the login form
- Lock the user account out after <X> incorrect authentication attempts
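The baseline authentication specifications above, written out as checks that run offline. This is an added example and not BDD-Security's own code: in the framework these are JBehave Given/When/Then stories executed through Selenium and ZAP, whereas here each spec is a plain Python function fed a constructed login page (GOOD_HTML, BAD_HTML), a constructed response status, and a constructed stand-in for the application's login endpoint (ToyLogin). The URLs, HTML and ToyLogin behaviour are assumptions made for the example; the specs themselves are the ones on the slide.

```python
"""Baseline login specs from the slide as offline checks (added example, not
BDD-Security's own code; the HTML, URLs and ToyLogin app below are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormParser(HTMLParser):
    """Collect each <form> with its attributes and the <input>s inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self._current = {"attrs": attrs, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form(html):
    """First form that contains a password field, or None."""
    parser = _FormParser()
    parser.feed(html)
    for form in parser.forms:
        if any(i.get("type", "text").lower() == "password" for i in form["inputs"]):
            return form
    return None


def check_login_page(page_url, html, post_status):
    """Given the login page URL, its HTML and the status code returned when the
    credentials are posted, return {spec: passed} for the page-level specs."""
    results = {"login form served over HTTPS": urlparse(page_url).scheme == "https"}
    form = login_form(html)
    results["login form found"] = form is not None
    if form is None:
        return results
    # An empty or relative action posts back to the page URL, so resolve it first.
    action = urljoin(page_url, form["attrs"].get("action") or page_url)
    results["credentials transmitted over HTTPS"] = urlparse(action).scheme == "https"
    passwords = [i for i in form["inputs"] if i.get("type", "text").lower() == "password"]
    form_off = form["attrs"].get("autocomplete", "on").lower() == "off"
    fields_off = all(i.get("autocomplete", "on").lower() == "off" for i in passwords)
    results["autocomplete disabled on login form"] = form_off or fields_off
    results["3xx response to credentials"] = 300 <= post_status < 400
    return results


def check_password_case_sensitive(login, user, password):
    """A password differing only in letter case must be rejected."""
    variant = password.swapcase()
    if variant == password:  # no letters to flip: not testable with this password
        return None
    return bool(login(user, password)) and not login(user, variant)


def check_lockout(login, user, password, max_attempts):
    """After max_attempts wrong passwords, even the correct one must be refused."""
    for n in range(max_attempts):
        login(user, "wrong-%d" % n)
    return not login(user, password)


class ToyLogin:
    """Constructed stand-in for the application's login endpoint (assumption)."""

    def __init__(self, users, max_attempts=None, case_sensitive=True):
        self.users, self.max_attempts, self.case_sensitive = users, max_attempts, case_sensitive
        self.failures, self.locked = {}, set()

    def __call__(self, user, password):
        expected = self.users.get(user)
        if user in self.locked or expected is None:
            return False
        if password == expected or (not self.case_sensitive and password.lower() == expected.lower()):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.max_attempts is not None and self.failures[user] >= self.max_attempts:
            self.locked.add(user)
        return False


# Constructed login pages: one that meets the specs and one that fails them.
GOOD_HTML = """<form action="/login" method="post" autocomplete="off">
<input type="text" name="username"><input type="password" name="password"></form>"""
BAD_HTML = """<form action="http://app.example/login" method="post">
<input type="text" name="username"><input type="password" name="password"></form>"""

if __name__ == "__main__":
    print(check_login_page("https://app.example/login", GOOD_HTML, 302))
    print(check_login_page("http://app.example/login", BAD_HTML, 200))
    print(check_password_case_sensitive(ToyLogin({"alice": "S3cret"}), "alice", "S3cret"))
    print(check_lockout(ToyLogin({"alice": "S3cret"}, max_attempts=3), "alice", "S3cret", 3))
```

The page-level specs only need a captured page and response status, so they can run against any application without a browser; the case-sensitivity and lockout specs are behavioural and need a way to attempt logins (here ToyLogin, in practice the Selenium login method the framework asks you to provide). Note that the lockout check deliberately consumes the account's attempts, so run it against a throwaway test user.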
Manual application security testing with OWASP ZAP: the tester's browser talks to the application through ZAP's HTTP/S proxy.
The same setup with BDD-Security added: BDD-Security drives the application through ZAP's HTTP/S proxy.
Configuring BDD-Security for in-depth testing:
- Edit config.xml with app-specific values
- Create a Java class that defines Selenium methods for:
  - openLoginPage
  - Login
  - isLoggedIn
  - Logout
Testing access control: can Alice see Bob's data?
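The access-control question above, turned into a check. This is an added example, not BDD-Security's own code: the resource table (RESOURCES), the ownership map (OWNED) and the two fetch functions are constructed stand-ins for the application under test, one that enforces ownership and one with a horizontal authorisation bug. The check itself is general: for every resource its owner can read, no other user's session, and no anonymous session, may read it.

```python
"""'Can Alice see Bob's data?' as a check (added example, not BDD-Security's own
code; the resource table and fetch functions below are constructed stand-ins)."""

# Constructed resources of the application under test: URL -> owning user
# (None = public). A real test would collect these by browsing as each user.
RESOURCES = {
    "/invoices/1001": "alice",
    "/profile/alice": "alice",
    "/invoices/2002": "bob",
    "/profile/bob": "bob",
    "/help": None,
}


def make_fetch(enforce_ownership):
    """fetch(session_user, url) -> HTTP status, for a server that checks ownership
    (enforce_ownership=True) and for one with a horizontal authorisation bug."""

    def fetch(session_user, url):
        if url not in RESOURCES:
            return 404
        owner = RESOURCES[url]
        if owner is None:
            return 200  # public page
        if session_user is None:
            return 401  # login required
        if enforce_ownership and session_user != owner:
            return 403
        return 200

    return fetch


def access_violations(fetch, users, resources_by_owner):
    """For every resource its owner can read, no other session (nor an anonymous
    one) may read it. Returns [(session, url)] for each spec failure."""
    violations = []
    for owner, urls in resources_by_owner.items():
        for url in urls:
            if fetch(owner, url) != 200:
                continue  # owner can't read it either: nothing to compare against
            for session in [None] + [u for u in users if u != owner]:
                if fetch(session, url) == 200:
                    violations.append((session, url))
    return violations


# The spec's input: which data belongs to whom (constructed to match RESOURCES).
OWNED = {
    "alice": ["/invoices/1001", "/profile/alice"],
    "bob": ["/invoices/2002", "/profile/bob"],
}

if __name__ == "__main__":
    print(access_violations(make_fetch(True), ["alice", "bob"], OWNED))   # []
    print(access_violations(make_fetch(False), ["alice", "bob"], OWNED))
```

Public resources such as /help are left out of OWNED on purpose: the spec is about data that belongs to someone, so the ownership map, not the full URL list, is what the test author has to maintain. In a Selenium-driven version, fetch would be a request made with the named user's session cookie.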
Part of the continuous integration process: an Ant job in Jenkins, run after deploy to the test environment; fail the build if the tests fail.
Summary: Security testing doesn't need special treatment; it differs from software testing in degree, not in kind. Automated security tests can be integrated into a CI/CD model. Automated security tests should include more than just scanning. BDD tools provide self-verifying specifications. The BDD-Security project can jump-start your own security specs.
Similar tools: ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver; Gauntlt (Ruby) http://gauntlt.org/; Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn
Thank you. I'll be at Office Hours, 13:45 today, Room 211. @stephendv