
Continuous and Visible Security Testing

Stephen de Vries @stephendv

with BDD-Security

About me

• CTO, Continuum Security
• 16 years in security
• Specialised in application security
• Author of the BDD-Security framework

Security testing still stuck in a waterfall world

• Feedback from security testing is too late
• Rely on outside security “experts”

Security is not something you add…

…it’s something that’s built in, just like quality, scalability and performance

• Everyone is responsible for quality, and equally for security
• Move testing closer to the code
• Continuous automated testing

Quality testing vs. security testing: a difference of degree, not of kind

Why, What, How (diagram): Business Context, Architecture, App Features, Threat Model, Non-Functional Security Requirements, Functional Security Requirements, Security Tests

Security Requirements

• Visible
• Testable
• Actionable
• Up-to-date
• Automated
• Security Testing > Scanning

BDD-Specs (Given/When/Then)

Security Requirements

BDD-Security Testing Framework: https://github.com/continuumsecurity/bdd-security

BDD-Security = JBehave + Selenium + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications

Examples: Infrastructure specifications

Security specifications for application itself

Authentication:
• Passwords should be case sensitive
• Present the login form itself over an HTTPS connection
• Transmit authentication credentials over HTTPS
• When authentication credentials are sent to the server, it should respond with a 3xx status code
• Disable browser auto-completion on the login form
• Lock the user account out after <X> incorrect authentication attempts
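The authentication specifications above, written out as self-verifying checks that run offline. This is an added example in Python, not code from the BDD-Security project (which is Java/JBehave); the `Response` tuple, `LoginFormScanner` and `FakeAuthServer` are constructed stand-ins for the captured HTTP traffic and the application under test.

```python
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

Response = namedtuple("Response", "url status body", defaults=[""])  # captured HTTP response stand-in

class LoginFormScanner(HTMLParser):
    """Collects the login form's action and each password field's autocomplete value."""
    def __init__(self):
        super().__init__()
        self.action, self.password_autocomplete = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_autocomplete.append((a.get("autocomplete") or "on").lower())

class FakeAuthServer:
    """Constructed stand-in for the application's login endpoint (no network involved)."""
    def __init__(self, password, lockout_after):
        self.password, self.lockout_after, self.failures = password, lockout_after, 0
    def login(self, password):  # returns "ok", "denied" or "locked"
        if self.failures >= self.lockout_after:
            return "locked"
        if password == self.password:
            return "ok"
        self.failures += 1
        return "denied"

def check_authentication(login_page, auth_response, server, password, max_attempts):
    """Given the login page and the post-credentials response, return {requirement: passed}."""
    scanner = LoginFormScanner()
    scanner.feed(login_page.body)
    action = urljoin(login_page.url, scanner.action or "")
    wrong = password.swapcase()                   # same characters, different case
    case_sensitive = server.login(wrong) != "ok"  # this also spends one failed attempt
    for _ in range(max_attempts - 1):             # exhaust the remaining allowance
        server.login(wrong)
    locked = server.login(password) == "locked"   # the correct password must now be refused
    return {
        "passwords are case sensitive": case_sensitive,
        "login form is served over HTTPS": urlparse(login_page.url).scheme == "https",
        "credentials are transmitted over HTTPS": urlparse(action).scheme == "https",
        "server answers credentials with a 3xx status": 300 <= auth_response.status < 400,
        # no password field at all counts as a failure, hence the ["on"] fallback
        "autocomplete disabled on password field": all(v == "off" for v in scanner.password_autocomplete or ["on"]),
        f"account locked after {max_attempts} incorrect attempts": locked,
    }
```

Each key in the returned dictionary maps to one bullet of the specification, so a failing requirement is named rather than buried in a scanner report.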

Manual Application Security Testing with OWASP ZAP (diagram: the tester's browser traffic passes through ZAP's HTTP/S proxy)

Automated Application Security Testing with OWASP ZAP (diagram: Selenium drives the browser through ZAP's HTTP/S proxy, and BDD-Security controls ZAP through its API)

Configuring BDD-Security for in-depth testing

- Edit config.xml with app specific values
- Create a Java class that defines Selenium methods for:
  - openLoginPage
  - Login
  - isLoggedIn
  - Logout

Demo

Application Security Scanning with ZAP

Testing Access Control

Can Alice see Bob’s data?

Demo

Part of Continuous Integration process

• Ant job in Jenkins
• Run job after deploy to test environment
• Fail the build if tests fail

Demo

Summary

• Security testing doesn’t need special treatment: it differs from software testing in degree, not in kind

• Automated security tests can be integrated into a CI/CD model
• Automated security tests should include more than just scanning
• BDD tools provide self-verifying specifications
• BDD-Security project to jump-start your own security specs

Similar tools

• ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver

• Gauntlt (Ruby) http://gauntlt.org/

• Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn

Thank you

I’ll be at Office Hours, 13:45 today, Room 211

@stephendv