Practical Security Automation and Testing
Practical Security Automation and Testing: Tools and techniques for automated security scanning and testing in DevSecOps


The Scope and Challenges of Security Automation

This first chapter discusses the challenges of security automation and gives an overview of security automation tools and frameworks. The required skills, security tools, and automation frameworks are also introduced. This will help you to gain the foundational knowledge required to build security automation measures in the coming chapters. Finally, we will set up some sample vulnerable source code, as well as an application, for practicing security scanning in the coming chapters. This will include an illustration of dynamic security testing techniques (OWASP ZAP, Nmap, and fuzz) and static code inspection with automation frameworks (such as Selenium, Robot Framework, JMeter, and behavior-driven development (BDD)), as well as a look at mobile security testing framework integration in several hands-on case studies. In the later chapters, we will use a project to apply all the security testing tools and automation frameworks discussed in this book.

We will explore the following topics in this chapter:

  • The purposes and myths of security automation
  • The required skills and suggestions for security automation
  • General environment setup for coming labs

The purposes and myths of security automation

The purpose of security automation is to discover all potential security defects before any software release by applying both open source security tools and automation testing frameworks. However, security automation is not meant to completely replace manual security testing. It aims to reduce the amount of repeated manual testing and to increase testing coverage in an efficient manner. Potential security flaws can exist anywhere, from the source code and third-party components to an insecure configuration or vulnerable infrastructure. As the release cycles of cloud services and software development get shorter, the development team needs not only functional testing but also automated security testing. If your team is planning to implement security automation, it's suggested that you begin with the following resources:

| Resource on common security issues | How it could help |
|---|---|
| OWASP (Open Web Application Security Project) Top 10 Application Security Risks | This lists general web application security risks, such as injection, authentication, XML external entity (XXE) attacks, and misconfiguration. The OWASP also suggests related testing tools and prevention controls for each security issue. |
| CWE Top 25 Software Errors | This lists the most common software coding errors, such as SQL injection, cross-site request forgery (CSRF), and buffer overflow. It can be a good checklist for a code-security review. |


Security testing can be a tedious and repetitive process. Functional testing may only need to verify functionality, but security testing needs to cover many kinds of testing scenarios, such as authentication, authorization, XXE, injection, deserialization, and more (see the OWASP resource mentioned in the previous table). Therefore, a certain level of automation is helpful, considering security testing's repetitive nature, scope, and importance. Be reminded that our goal is not to automate 100% of security testing cases, but to focus on those testing cases that are manually executed and repeated, and so can be done more efficiently by automation. By automating those repeated security testing cases, penetration testers can take time to exploit in-depth weaknesses and logic flaws or review security requirements (all of which can't be done by automation).

When it comes to security automation, there are some challenges and some myths. A lack of proper security or automation knowledge leads to some misunderstandings of security automation. Here are some general suggestions and clarifications. We will explore more through the different hands-on case studies in the coming chapters.

Myth 1 – doesn't security testing require highly experienced pentesters?

Our first myth is that security testing requires highly experienced penetration testers and automation testing can't find serious issues.

If we can guide the automation properly, serious security issues can be identified. On the other hand, automated security testing can also result in false-positive issues that need further manual verification. However, there are certain kinds of security testing scenarios that would be ideal for automation; some of those are listed here:

  • Detecting the use of banned functions, risky APIs, or weak encryption algorithms. Automated systems can do a good job of scanning code for security issues if we properly define the patterns we are looking for.
  • Weak RESTful API authentication and authorization behaviors, such as bypassing authorization vulnerabilities.
  • Data input validation, which may require massive amounts of random test data. This kind of data input testing is also called fuzz testing, in which the data and payloads are dynamically generated and sent to the test subject in an attempt to make it crash.
  • Repeated UI walk-through, sign-in, sign-out, and form fill are good examples of where web UI automation is required.
  • Insecure misconfiguration of software components, databases, or web services.
  • Known third-party vulnerabilities.
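
The first item in the list above, pattern-based detection of banned functions and weak algorithms, is shown here as an added example; it is not code from the book. The rule set, the `scan:ignore` suppression marker and both source samples are constructed for illustration, and Python triple-quoted strings are not handled.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    line: int
    rule_id: str
    severity: str
    advice: str

# Constructed rule set (id, severity, pattern, advice); adapt it to your own policy.
RULES = [
    ("BANNED-STRCPY", "high", re.compile(r"\bstrcpy\s*\("), "use a length-bounded copy"),
    ("BANNED-GETS", "high", re.compile(r"\bgets\s*\("), "use fgets() with the buffer size"),
    ("BANNED-SPRINTF", "medium", re.compile(r"\bsprintf\s*\("), "use snprintf()"),
    ("WEAK-HASH-CALL", "medium", re.compile(r"\b(?:md5|sha1)\s*\(", re.I), "use SHA-256 or stronger"),
    ("WEAK-ALGO-NAME", "medium", re.compile(r"""["'](?:MD5|SHA-?1|DES|RC4)["']""", re.I),
     "use a current algorithm"),
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
SUPPRESS_MARKER = "scan:ignore"  # hypothetical marker for manually reviewed false positives

# String literals are matched first so that "//" or "#" inside a string is not read as a comment.
_STRING = r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\''
_TOKENS = {
    "c": re.compile(_STRING + r"|//[^\n]*|/\*.*?\*/", re.S),  # C, C++, Java, JavaScript
    "python": re.compile(_STRING + r"|#[^\n]*"),
}

def strip_comments(source, lang):
    """Blank out comments, keep string literals and line breaks so line numbers stay valid."""
    def blank(match):
        text = match.group()
        if text[0] in "\"'":
            return text
        return re.sub(r"[^\n]", " ", text)
    return _TOKENS[lang].sub(blank, source)

def scan(source, lang):
    """Return findings for every rule that matches live (non-comment) code."""
    findings = []
    raw_lines = source.split("\n")
    for number, code in enumerate(strip_comments(source, lang).split("\n"), start=1):
        if SUPPRESS_MARKER in raw_lines[number - 1]:
            continue  # a reviewer accepted this line; skip it
        for rule_id, severity, pattern, advice in RULES:
            if pattern.search(code):
                findings.append(Finding(number, rule_id, severity, advice))
    return findings

def gate(findings, fail_on="high"):
    """CI exit code: 1 if any finding is at or above the fail_on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return int(any(SEVERITY_RANK[f.severity] >= threshold for f in findings))

# Constructed sample inputs.
SAMPLE_C = r'''#include <stdio.h>
/* old code used strcpy(dst, src); here */
void handle(char *dst, const char *src, char *buf) {
    const char *u = "http://example.test"; gets(buf);
    strcpy(dst, src);
    sprintf(dst, "%s", src);  // scan:ignore reviewed, dst sized by caller
    // gets(buf) was removed
}
'''
SAMPLE_PY = '''import hashlib
digest = hashlib.md5(data).hexdigest()  # weak
# hashlib.sha1(data) is gone
algo = hashlib.new("sha1")
ok = hashlib.sha256(data)
'''

if __name__ == "__main__":
    for name, text, lang in (("sample.c", SAMPLE_C, "c"), ("sample.py", SAMPLE_PY, "python")):
        results = scan(text, lang)
        for f in results:
            print(f"{name}:{f.line}: [{f.severity}] {f.rule_id}: {f.advice}")
        print(f"{name}: exit code {gate(results)}")
```

Matches in commented-out code are ignored, while the suppressed `sprintf` line stands in for a false positive that was verified by hand.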

Myth 2 – isn't it time-consuming to build an automation framework?

Our second myth is that it takes too much time to build an automation framework and that daily development changes may break the automation.

For a development team with mature security testing practices, the adoption of an automation framework such as BDD, data-driven testing (DDT), or Selenium can help with seamless security integration and improve security testing coverage. Adding security testing cases based on these existing automation frameworks won't necessarily take lots of effort and time, so long as the right tools and integration approaches are selected.

For security automation relating to UI flow, daily development changes may or may not break certain UI automation testing cases. It depends on how the UI components are located by the automation testing program. As a general rule of thumb, so long as the UI components are located by the automation testing framework, UI layout changes won't impact the automation.

Myth 3 – there are no automation frameworks that are really feasible for security testing

Our third myth is that there is no single automation framework that can cover the variety of security testing cases.

Now, due to the variety of security testing scenarios, it's true that there is no one single automation framework that can cover all security testing cases. Depending on the security testing scenario, however, we can plan related automation approaches with proper integration of security testing tools and an automation framework. The following table shows examples of security testing scenarios with different automation approaches:

| Automation approaches | Mapping to security testing scenarios | Automation tools/frameworks |
|---|---|---|
| White box | Secure code inspection; secure configuration inspection | Secure code analysis with Visual Code Grepper (VCG) |
| API testing | Web/RESTful API security testing; data input testing (also called parameterized testing or data-driven testing) | Robot Framework's requests library; JMeter; FuzzDB; OWASP ZAP |
| Web UI automation | Logging in with different users or wrong accounts; logging users out for session management testing; creating a new user account; brute-forcing a user account login | Robot Framework; Selenium; OWASP ZAP |


Automating web UI operations doesn't necessarily take lots of implementation effort or require you to be an expert in Selenium scripts. The following Selenium IDE extensions will help you to generate automated scripts as you operate UI flows:

  • Kantu Selenium IDE: This generates HTML-format scripts. It supports parameterized testing by CSV, takes screenshots of each step for visual review, and can be executed from the command line.
  • Katalon Recorder (Selenium IDE for Chrome/Firefox): The key advantage of Katalon is being able to generate various kinds of automation scripts, including Java, Python, Robot Framework, C#, and Ruby scripts. This makes Katalon very flexible for further integration with other tools. It can also support screenshots and DDT by importing CSV files.

The required skills and suggestions for security automation

Security team developers and automation testing developers require different skill sets. Naturally, the core skills of automation testing developers and pentesters are different. However, achieving security testing automation won't be too difficult for anyone, so long as the appropriate tools and frameworks are adopted to reduce the learning curve and ensure consistent delivery quality. For example, the adoption of web UI automation will help security testing to explore the blind side of the user flows. However, web UI automation and the adoption of the Selenium automation framework can be a big challenge for the security testing team. This issue can be solved with the help of proper automation testing tools, which will be introduced in the coming chapters.

The skills that penetration testers and automation testing developers have in common are as follows:

  • Familiar with a programming language, such as Python, PHP, Java, or C/C++
  • Familiar with Windows, Linux, TCP/IP (Transmission Control Protocol/Internet Protocol), and HTTP networking

Those were some similar skills; the following table lists some key differences:

| Penetration testers | Automation testing developers |
|---|---|
| Ability to identify software vulnerabilities by OWASP Top 10 security issues and practices | Familiar with unit testing, APIs, and web UI automation testing frameworks such as Robot Framework, Selenium, WebDriver, and JMeter |
| Familiar with Secure Software Development Life Cycle (SSDLC) and security frameworks such as Spring Security and Shiro | Familiar with the defect cycle, issue tracking, and continuous integration/continuous delivery (CI/CD) frameworks |
| Familiar with the use of OWASP ZAP, SQLmap, Nmap, Wireshark, and SSLtest | Familiar with BDD frameworks |
| | Familiar with DDT frameworks |

General environment setup for coming labs

For coming hands-on practices, it's suggested that you prepare the following tools for the system environment. Please also refer to the official website for the installation or quick start guide of every tool:

Summary

In this chapter, we discussed the objective of security automation: to reduce repeated manual testing and increase testing coverage in an efficient manner. The OWASP Top 10 list for web application security issues and the CWE Top 25 list for secure coding issues were suggested as resources.

We also discussed some misunderstandings of security automation, such as the need for highly skilled penetration testers, the time it takes to build automation frameworks, and the perceived limitations of automation testing's effectiveness. Security automation testing can even identify serious security defects, and won't require lots of implementation efforts, so long as the right security tools and automation frameworks are integrated properly.

Last but not least, we also discussed the skills of security developers and automation testing developers. The common ground required between these two roles includes only knowledge of networking, HTTP/HTTPS protocols, an operating system, and at least one programming language. The automation test developer may focus more on automation testing frameworks such as BDD, DDT, Selenium, unit testing, and so on. On the other hand, the security tester may focus on using security tools and techniques to identify security issues. In the coming chapters, we will demonstrate how security and automation can integrate properly to identify security issues in a more effective manner.

Questions

  1. Which of the following provides a list of the most common software coding errors and can be a good checklist for the team to do code-security reviews?
    1. OWASP Top 10 Application Security risks
    2. CWE Top 25 Software Errors
    3. SDL
  2. Which one of the following statements is true?
    1. Security automation testing can't identify serious security issues
    2. Elements of the UI flow, such as sign-in and sign-out, can't be done by automation security testing
    3. Web UI automation can be done by using Selenium IDE (Kantu or Katalon) to reduce implementation effort
  3. Which of the following automation frameworks does not do web UI automation?
    1. Robot Framework
    2. Selenium
    3. VCG
  4. Which of the following is not a required skill for an automation testing developer?
    1. Familiar with OWASP Top 10
    2. Familiar with Python and Java
    3. Understanding of Windows and Linux
  5. Which one of the following is not an automation testing framework?
    1. Robot Framework
    2. Selenium
    3. SQLMap

Key benefits

  • Secure and automate techniques to protect web, mobile or cloud services
  • Automate secure code inspection in C++, Java, Python, and JavaScript
  • Integrate security testing with automation frameworks like fuzz, BDD, Selenium and Robot Framework

Description

Security automation is the automatic handling of software security assessment tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention. This book will teach you to adopt security automation techniques to continuously improve your entire software development and security testing. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, REST API, privacy, infrastructure security, and web UI testing. With the help of practical examples, this book will teach you to implement the combination of automation and security in DevOps. You will learn about the integration of security testing results for an overall security status for projects. By the end of this book, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.

Who is this book for?

The book is for software developers, architects, testers and QA engineers who are looking to leverage automated security testing techniques.

What you will learn

  • Automate secure code inspection with open source tools and effective secure code scanning suggestions
  • Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
  • Integrate security testing tools such as OWASP ZAP, NMAP, SSLyze, SQLMap, and OpenSCAP
  • Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
  • Execute security testing of a REST API
  • Implement web application security with open source tools and script templates for CI/CD integration
  • Integrate various types of security testing tool results from a single project into one dashboard

Product Details

Publication date : Feb 04, 2019
Length: 256 pages
Edition : 1st
Language : English
ISBN-13 : 9781789802023


Table of Contents

18 Chapters

  • The Scope and Challenges of Security Automation
  • Integrating Security and Automation
  • Secure Code Inspection
  • Sensitive Information and Privacy Testing
  • Security API and Fuzz Testing
  • Web Application Security Testing
  • Android Security Testing
  • Infrastructure Security
  • BDD Acceptance Security Testing
  • Project Background and Automation Approach
  • Automated Testing for Web Applications
  • Automated Fuzz API Security Testing
  • Automated Infrastructure Security
  • Managing and Presenting Test Results
  • Summary of Automation Security Testing Tips
  • List of Scripts and Tools
  • Solutions
  • Other Books You May Enjoy

Customer reviews

Amazon Customer, Aug 08, 2019 (5 out of 5 stars)
I am suggesting this book for the person who is looking for the security automation.
Amazon Verified review Amazon
