Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Practical Security Automation and Testing
Practical Security Automation and Testing

Practical Security Automation and Testing: Tools and techniques for automated security scanning and testing in DevSecOps

eBook
$20.98 $29.99
Paperback
$43.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning
Table of content icon View table of contents Preview book icon Preview Book

Practical Security Automation and Testing

The Scope and Challenges of Security Automation

This first chapter will discuss the challenges of security automation and take an overview of security automation tools and frameworks. The required skills, security tools, and automation frameworks will also be introduced. This will help you to gain the foundational knowledge required to build security automation measures in the coming chapters. Finally, we will also set up some sample vulnerable source code, as well as an application, for practicing security scanning in the coming chapters. This will include an illustration of dynamic security testing techniques (OWASP ZAP, NMAP, and fuzz) and static code inspection with automation frameworks (such as Selenium, Robot Framework, JMeter, and behavior-driven development (BDD)), as well as a look at mobile security testing framework integration in several hands-on case studies. In the later chapters, we will be using a project to apply all the security testing tools and automation frameworks discussed in this book.

We will explore the following topics in this chapter:

  • The purposes and myths of security automation
  • The required skills and suggestions for security automation
  • General environment setup for coming labs

The purposes and myths of security automation

The purpose of security automation is to discover all potential security defects before any software release by applying both open source security tools and automation testing frameworks. However, security automation doesn't mean to completely replace manual security testing. Security automation aims to reduce the amount of repeated manual testing and increase testing coverage in an efficient manner. Potential security flaws can exist anywhere, from the source code and third-party components to an insecure configuration or vulnerable infrastructure. As the release cycles of cloud services and software development are getting shorter, the development team needs not only functional testing but also automated security testing. If your team is planning on implementing security automation, it's suggested that you begin with the following resources:

Resource on common security issues

How it could help

OWASP (Open Web Application Security Project)

Top 10 Application Security Risks

This lists general web application security risks, such as injection, authentication, XML external entity (XXE) attacks, and misconfiguration. The OWASP also suggests related testing tools and prevention controls for each security issue.

CWE Top 25 Software Errors

This lists the most common software coding errors, such as SQL injection, Cross-site request forgery (CSRF), and buffer overflow. It can be a good checklist for a code-security review.


Security testing can be a tedious and repetitive process. The functional testing may only need to ensure the functionality, but the security testing needs to cover various kinds of the testing scenarios, such as authentication, authorization, XXE, injection, deserialization, and more (see the OWASP resource mentioned in the previous table). Therefore, a certain level of automation would be helpful, considering security testing's repetitive nature, scope, and importance. Be reminded that our goal is not to automate 100% of security testing cases, but to focus on those testing cases that are manually executed and repeated, and so can be done more efficiently by automation. By automating those repeated security testing cases, penetration testers can take time to exploit in-depth weaknesses and logic flaws or review security requirements (all of which can't be done by automation).

When it comes to security automation, there are some challenges and some myths. A lack of proper security or automation knowledge leads to some misunderstanding of security automation. Here are some general suggestions and clarification. We will explore more through the different hands-on case studies in the coming chapters.

Myth 1 – doesn't security testing require highly experienced pentesters?

Our first myth is that security testing requires highly experienced penetration testers and automation testing can't find serious issues.

If we can guide the automation properly, serious security issues can be identified. On the other hand, automated security testing can also result in false-positive issues that need further manual verification. However, there are certain kinds of security testing scenarios that would be ideal for automation; some of those are listed here:

  • Detecting the use of banned functions, risky APIs, or weak encryption algorithms. Automated systems can do a good job of scanning code for security issues if we properly define the patterns we are looking for.
  • Weak RESTful API authentication and authorization behaviors, such as bypassing authorization vulnerabilities.
  • Data input validation may require massive amounts of random testing data input. This kinds of data input testing technique is also called fuzz testing which the prepared data and payload are dynamically generated for the test subject in an attempt to make it crash.
  • Repeated UI walk-through, sign-in, sign-out, and form fill are good examples of where web UI automation is required.
  • Insecure misconfiguration of software components, databases, or web services.
  • Known third-party vulnerabilities.

Myth 2 – isn't it time-consuming to build an automation framework?

Our second myth is that it takes too much time to build an automation framework and that daily development changes may break the automation.

For a development team with mature security testing practices, the adoption of an automation framework such as BDD, data-driven testing (DDT), or Selenium can help with seamless security integration and improve security testing coverage. Adding security testing cases based on these existing automation frameworks won't necessarily take lots of effort and time, so long as the right tools and integration approaches are selected.

For security automation relating to UI flow, daily development changes may or may not break certain UI automation testing cases. It depends on how the UI components are located by the automation testing program. As a general rule of thumb, so long as the UI components are located by the automation testing framework, UI layout changes won't impact the automation.

Myth 3 – there are no automation frameworks that are really feasible for security testing

Our third myth is that there is no single automation framework that can cover the variety of security testing cases.

Now, due to the variety of security testing scenarios, it's true that there is no one single automation framework that can cover all security testing cases. Depending on the security testing scenario, however, we can plan related automation approaches with proper integration of security testing tools and an automation framework. The following table shows examples of security testing scenarios with different automation approaches:

Automation approaches

Mapping to security testing scenarios

Automation tools/frameworks

White box

  • Secure code inspection
  • Secure configuration inspection
  • Secure code analysis with Visual Code Grepper (VCG)

API testing

  • Web/RESTful API security testing
  • Data Input testing (also called parameterized testing or data-driven testing)
  • Robot Framework's requests library
  • JMeter
  • FuzzDB
  • OWASP ZAP

Web UI automation

  • Logging in with different users or wrong accounts
  • Logging users out for session management testing
  • Creating a new user account
  • Brute-forcing a user account login
  • Robot Framework
  • Selenium
  • OWASP ZAP


Automating web UI operations doesn't necessarily take lots of implementation effort or require you to be an expert in Selenium scripts. The Selenium IDE extension will help you to generate automated scripts when you operate UI flows:

  • Kantu Selenium IDE: This generates HTML-format scripts. It supports parameterized testing by CSV, takes screenshots of each step for visual review, and can be executed from the command line.
  • Katalon Recorder (Selenium IDE for Chrome/Firefox): The key advantage of Katalon is being able to generate various kinds of automation scripts, including Java, Python, Robot Framework, C#, and Ruby scripts. This makes Katalon very flexible for further integration with other tools. It can also support screenshots and DDT by importing CSV files.

The required skills and suggestions for security automation

Security team developers and automation testing developers require different skill sets. Naturally, the core skills of automation testing developers and pentesters are different. However, achieving security testing automation won't be too difficult for anyone, so long as the appropriate tools and frameworks are adopted to reduce the learning curve and ensure consistent delivery quality. For example, the adoption of web UI automation will help security testing to explore the blind side of the user flows. However, web UI automation and the adoption of the Selenium automation framework can be a big challenge for the security testing team. This issue can be solved with the help of proper automation testing tools, which will be introduced in the coming chapters.

The skills that penetration testers and automation testing developers have in common are as follows:

  • Familiar with a programming language, such as Python, PHP, Java, or C/C++
  • Familiar with Windows, Linux and TCP/IP (Transmission Control Protocol/Internet Protocol), and HTTP networking

Those were some similar skills; the following table lists some key differences:

Penetration testers

Automation testing developers

  • Ability to identify software vulnerabilities by OWASP Top 10 security issues and practices
  • Familiar with Secure Software Development Life cycle (SSLDC) and security frameworks such as Spring Security and Shiro
  • Familiar with the use of OWASP ZAP, SQLmap, Nmap, Wireshark, and SSLtest
  • Familiar with unit testing, APIs, and web UI automation testing frameworks such as Robot Framework, Selenium, WebDriver, and JMeter
  • Familiar with the defect cycle, issue tracking, and continuous integration/continuous delivery (CI/CD) frameworks
  • Familiar with BDD frameworks
  • Familiar with DDT frameworks

General environment setup for coming labs

For coming hands-on practices, it's suggested that you prepare the following tools for the system environment. Please also refer to the official website for the installation or quick start guide of every tool:

Summary

In this chapter, we discussed the objective of security automation: to reduce repeated manual testing and increase testing coverage in an efficient manner. The OWASP Top 10 list for web application security issues and the CWE Top 25 list for secure coding issues were suggested as resources.

We also discussed some misunderstandings of security automation, such as the need for highly skilled penetration testers, the time it takes to build automation frameworks, and the perceived limitations of automation testing's effectiveness. Security automation testing can even identify serious security defects, and won't require lots of implementation efforts, so long as the right security tools and automation frameworks are integrated properly.

Last but not least, we also discussed the skills of security developers and automation testing developers. The common ground required between these two roles includes only knowledge of networking, HTTP/HTTPS protocols, an operating system, and at least one programming language. The automation test developer may focus more on automation testing frameworks such as BDD, DDT, Selenium, unit testing, and so on. On the other hand, the security tester may focus on using security tools and techniques to identify security issues. In the coming chapters, we will demonstrate how security and automation can integrate properly to identify security issues in a more effective manner.

Questions

  1. Which of the following provides a list of the most common software coding errors and can be a good checklist for the team to do code-security reviews?
    1. OWASP Top 10 Application Security risks
    2. CWE Top 25 Software Errors
    3. SDL
  2. Which one of the following statements is true?
    1. Security automation testing can't identify serious security issues
    2. Elements of the UI flow, such as sign-in and sign-out, can't be done by automation security testing
    3. Web UI automation can be done by using Selenium IDE (Kantu or Katalon) to reduce implementation effort
  1. Which of the following automation frameworks does not do web UI automation?
    1. Robot Framework
    2. Selenium
    3. VCG
  2. Which of the following is not a required skill for an automation testing developer?
    1. Familiar with OWASP Top 10
    2. Familiar with Python and Java
    3. Understanding of Windows and Linux
  3. Which one of the following is not an automation testing framework?
    1. Robot Framework
    2. Selenium
    3. SQLMap
Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Secure and automate techniques to protect web, mobile or cloud services
  • Automate secure code inspection in C++, Java, Python, and JavaScript
  • Integrate security testing with automation frameworks like fuzz, BDD, Selenium and Robot Framework

Description

Security automation is the automatic handling of software security assessments tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention. This book will teach you to adopt security automation techniques to continuously improve your entire software development and security testing. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, Rest API, privacy, infrastructure security, and web UI testing. With the help of practical examples, this book will teach you to implement the combination of automation and Security in DevOps. You will learn about the integration of security testing results for an overall security status for projects. By the end of this book, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.

Who is this book for?

The book is for software developers, architects, testers and QA engineers who are looking to leverage automated security testing techniques.

What you will learn

  • Automate secure code inspection with open source tools and effective secure code scanning suggestions
  • Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
  • Integrate security testing tools such as OWASP ZAP, NMAP, SSLyze, SQLMap, and OpenSCAP
  • Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
  • Execute security testing of a Rest API Implement web application security with open source tools and script templates for CI/CD integration
  • Integrate various types of security testing tool results from a single project into one dashboard

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Feb 04, 2019
Length: 256 pages
Edition : 1st
Language : English
ISBN-13 : 9781789611694
Category :

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Product feature icon AI Assistant (beta) to help accelerate your learning

Product Details

Publication date : Feb 04, 2019
Length: 256 pages
Edition : 1st
Language : English
ISBN-13 : 9781789611694
Category :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 123.97
Practical Security Automation and Testing
$43.99
Hands-On Cybersecurity for Finance
$48.99
Cybersecurity: The Beginner's Guide
$30.99
Total $ 123.97 Stars icon

Table of Contents

18 Chapters
The Scope and Challenges of Security Automation Chevron down icon Chevron up icon
Integrating Security and Automation Chevron down icon Chevron up icon
Secure Code Inspection Chevron down icon Chevron up icon
Sensitive Information and Privacy Testing Chevron down icon Chevron up icon
Security API and Fuzz Testing Chevron down icon Chevron up icon
Web Application Security Testing Chevron down icon Chevron up icon
Android Security Testing Chevron down icon Chevron up icon
Infrastructure Security Chevron down icon Chevron up icon
BDD Acceptance Security Testing Chevron down icon Chevron up icon
Project Background and Automation Approach Chevron down icon Chevron up icon
Automated Testing for Web Applications Chevron down icon Chevron up icon
Automated Fuzz API Security Testing Chevron down icon Chevron up icon
Automated Infrastructure Security Chevron down icon Chevron up icon
Managing and Presenting Test Results Chevron down icon Chevron up icon
Summary of Automation Security Testing Tips Chevron down icon Chevron up icon
List of Scripts and Tools Chevron down icon Chevron up icon
Solutions Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Full star icon 5
(1 Ratings)
5 star 100%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Amazon Customer Aug 08, 2019
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I am suggesting this book for the person who is looking for the security automation.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.