Practical Security Automation and Testing
eBook - ePub

Practical Security Automation and Testing

Tools and techniques for automated security scanning and testing in DevSecOps

  1. 256 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Your one stop guide to automating infrastructure security using DevOps and DevSecOps

Key Features

  • Secure and automate techniques to protect web, mobile or cloud services
  • Automate secure code inspection in C++, Java, Python, and JavaScript
  • Integrate security testing with automation frameworks like fuzz, BDD, Selenium and Robot Framework

Book Description

Security automation is the automatic handling of software security assessment tasks. This book helps you build a security automation framework that scans for vulnerabilities without human intervention.

This book will teach you to adopt security automation techniques to continuously improve your software development and security testing processes. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, REST API testing, privacy testing, infrastructure security, and web UI testing.

With the help of practical examples, this book will teach you to combine automation and security in DevOps. You will learn how to integrate security testing results into an overall security status for your projects.

By the end of this book, you will be confident implementing security automation in all layers of your software development stages and will be able to build your own in-house security automation platform for your mobile and cloud releases.

What you will learn

  • Automate secure code inspection with open source tools and effective secure code scanning suggestions
  • Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
  • Integrate security testing tools such as OWASP ZAP, NMAP, SSLyze, SQLMap, and OpenSCAP
  • Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
  • Execute security testing of a REST API
  • Implement web application security with open source tools and script templates for CI/CD integration
  • Integrate various types of security testing tool results from a single project into one dashboard

Who this book is for

The book is for software developers, architects, testers and QA engineers who are looking to leverage automated security testing techniques.

Yes, you can access Practical Security Automation and Testing by Tony Hsu in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Summary of Automation Security Testing Tips

This chapter summarizes the key security automation techniques and tips from all the previous chapters. It can be used as a quick reference guide or as an overall review of the following security automation topics:
  • Automation testing framework
  • Secure code review
  • API security testing
  • Web security testing
  • Android security testing
  • Infrastructure security
  • BDD security testing by Robot Framework

Automation testing framework

We have introduced automation frameworks for functional web, mobile, and Windows UI testing, and the adoption of BDD frameworks for security testing. In terms of the layers of automation approaches, white-box testing, API testing, and web UI automation were also demonstrated. Below, we list key questions and answers with tips on security automation techniques.

What are the automation frameworks for UI functional testing?

The following table lists common automation frameworks for UI functional testing:

| Automation framework | Testing target                    | Programming languages       | Record and replay |
|----------------------|-----------------------------------|-----------------------------|-------------------|
| Macaca               | Mobile (iOS and Android), Web UI  | Java, Python, NodeJS        | UI recorder       |
| AutoIT               | Windows applications              | BASIC-like script           | AutoIT recorder   |
| Selenium             | Web UI                            | Java, Python, C#, Ruby      | Selenium IDE      |
| Appium               | Mobile (iOS/Android)              | Java, Python                | Desktop inspector |
| Sikuli               | Visual image                      | Image and BASIC-like script | Yes               |

What are the BDD (behavior-driven development) testing frameworks?

The following table lists the key usages and scenarios of BDD testing frameworks:

| BDD framework   | Usage and scenarios                                                                                                                                | Website                            |
|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
| Robot Framework | A common keyword-driven acceptance test automation framework. It is programming-language independent, although Robot Framework itself is built in Python. | http://robotframework.org          |
| Behave          | A Python BDD framework.                                                                                                                            | https://github.com/behave/behave   |
| JGiven          | A Java BDD framework.                                                                                                                              | http://jgiven.org/                 |
| Gauntlt         | A BDD framework purpose-built for security testing, written in Ruby.                                                                               | http://gauntlt.org/                |

What are common automation frameworks that apply to security testing?

The following table lists the common automation testing tools and applied scenarios:
| Automation approach | Mapping to security testing scenarios | Example automation tools/frameworks |
|---------------------|---------------------------------------|-------------------------------------|
| White box           | Secure code inspection; secure configuration inspection | Secure code analysis tools such as VCG (Visual Code Grepper) |
| API testing         | Web/RESTful API security testing; parameterized (data-driven) fuzz testing | Robot Framework requests library; JMeter; FuzzDB; OWASP ZAP |
| Web UI automation   | Login with different users or wrong accounts; logout users for session management testing; create a new user account; brute force user account login | Robot Framework; Selenium; OWASP ZAP |

Secure code review

For the source code security review, we listed common source code patterns for critical security issues, as well as risky APIs. Based on these security source patterns, we also introduced some open source tools to sear...

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. About Packt
  4. Contributors
  5. Preface
  6. The Scope and Challenges of Security Automation
  7. Integrating Security and Automation
  8. Secure Code Inspection
  9. Sensitive Information and Privacy Testing
  10. Security API and Fuzz Testing
  11. Web Application Security Testing
  12. Android Security Testing
  13. Infrastructure Security
  14. BDD Acceptance Security Testing
  15. Project Background and Automation Approach
  16. Automated Testing for Web Applications
  17. Automated Fuzz API Security Testing
  18. Automated Infrastructure Security
  19. Managing and Presenting Test Results
  20. Summary of Automation Security Testing Tips
  21. List of Scripts and Tools
  22. Solutions
  23. Other Books You May Enjoy