Practical Security Automation and Testing
Tools and techniques for automated security scanning and testing in DevSecOps
- 출간 정보
- 2019.02.04. 전자책 출간
- 파일 정보
<Practical Security Automation and Testing> ▶Book Description
Security automation is the automatic handling of software security assessments tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention.
This book will teach you to adopt security automation techniques to continuously improve your entire software development and security testing. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, Rest API, privacy, infrastructure security, and web UI testing.
With the help of practical examples, this book will teach you to implement the combination of automation and Security in DevOps. You will learn about the integration of security testing results for an overall security status for projects.
By the end of this book, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.
▶What You Will Learn
⦁ Automate secure code inspection with open source tools and effective secure code scanning suggestions
⦁ Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
⦁ Integrate security testing tools such as OWASP ZAP, NMAP, SSLyze, SQLMap, and OpenSCAP
⦁ Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
⦁ Execute security testing of a Rest API Implement web application security with open source tools and script templates for CI/CD integration
⦁ Integrate various types of security testing tool results from a single project into one dashboard
⦁ Secure and automate techniques to protect web, mobile or cloud services
⦁ Integrate security testing with automation frameworks like fuzz, BDD, Selenium and Robot Framework
▶Who This Book Is For
The book is for software developers, architects, testers and QA engineers who are looking to leverage automated security testing techniques.
▶What this book covers
⦁ Chapter 1, The Scope and Challenges of Security Automation, discusses the challenges of security automation and gives an overview of security automation tools and frameworks. The required skills, security tools, and automation frameworks will be introduced. This will help you to gain the foundational knowledge required for you to build security automation measures in the coming chapters. Finally, we will also set up some sample vulnerable source code, as well as an application, for practicing security scanning in the coming chapters. This will include an illustration of dynamic security testing techniques (OWASP ZAP, Nmap, and Fuzz) and static code inspection with automation frameworks (such as Selenium, Robot Framework, JMeter, and behavior-driven development (BDD)), as well as a detailed look at mobile security testing framework integration in several handson case studies.
⦁ Chapter 2, Integrating Security and Automation, introduces how security and automation can be integrated. Since both security testing and automation testing require domain expertise and very particular tools, this chapter will introduce how to bake automation into existing security testing frameworks to improve testing coverage and efficiency. We will also discuss how security testing practices and tools can be integrated into your in-house automation testing framework.
⦁ Chapter 3, Secure Code Inspection, discusses white-box testing techniques for the secure reviewing of code. For an in-house software development team, it's a challenge to review all the source code for every software release. This is not only due to the pressure of release cycles, but also due to the impracticality of requiring every developer to be familiar with all the secure coding best practices for all different programming languages, such as Java, C/C++, and Python. Therefore, we will demonstrate how to build your own automated secure coding platform with open source solutions for every release.
⦁ Chapter 4, Sensitive information and Privacy Testing, discusses how to use automated scanning to prevent the disclosure of sensitive information in every software release. There are three typical scenarios where this kind of thing can be applied. The first is where sensitive information is included in the source code, such as an include key, a hardcoded password, a hidden hotkey, an email address, or an IP or URL. Secondly, sensitive information can also be stored in cookies, since cookies can collect the browsing behaviors of users. Finally, large projects handling massive amounts of data require effective ways of identifying and protecting any Personal Identifiable Information (PII) stored in the database.
⦁ Chapter 5, Security API and Fuzz Testing, explores API and fuzz testing. As cloud software releases can be on an API-level basis, there can be hundreds of APIs released at a time. The software development team will definitely need an effective way to automate security testing for every API release. In this chapter, we use an online pet store case study to see how you can build your automated API security testing framework with various tools. API security testing focuses more on data injection and abnormal payloads. Therefore, fuzz testing will also be introduced as random data input and security injection for automated API security testing.
⦁ Chapter 6, Web Application Security Testing, is where we will use an online shopping site, Hackazon, to demonstrate how to achieve automated web security testing. The key challenge in automating web application testing is walking through the UI business flow while doing security inspection. Doing so requires not only security scanning capabilities but also web UI automation. We will be using security tools such as ZAP and web UI automation frameworks such as Selenium and Robot Framework. Using these tools can effectively improve your security testing coverage. We will share some tips and tools for making web automation easier.
⦁ Chapter 7, Android Security Testing, focuses on Android. It's a common practice to do a security check before an Android application release. However, doing so when releases can be so frequent and so many can be a real challenge. The automated security testing process for an Android mobile application requires submissions for APK binaries, reversing the APK for secure source code inspection, manifest configuration checks, and generating testing results – we'll be looking at all of this in this chapter. Besides that, we will also introduce mobile security-related practices, such as OWASP mobile security testing and Android secure coding practices.
⦁ Chapter 8, Infrastructure Security, will focus on infrastructure and platform security. For a Platform-as-a-Service (PaaS) or even for Software-as-a-Service (SaaS) providers, it's vital to ensure that the infrastructure is secure. Therefore, the security operations team will need to do regular scanning of the infrastructure to ensure security configurations for security compliance. Infrastructure security includes secure configuration with web services, security of databases and OSes, secure communication protocols such as TLS v1.2, and the use of secure versions of third-party components and dependencies. We will illustrate how to set up your own automated scanning framework to run these regular secure configuration inspections.
⦁ Chapter 9, BDD Acceptance Security Testing, will discuss the challenges of cross-team communication within large software development teams. For instance, the team who executed the security testing may understand the tests carried out and their results, but other non-technical teams such as product management and marketing may not gain the same understanding just from reading the testing reports. Therefore, we will introduce BDD acceptance testing with automated security testing. We will use security testing tools on top of BDD security automation testing frameworks and hook into the testing process.
⦁ Chapter 10, Project Background and Automation Approach, will introduce a project and the security objectives necessary for proceeding with automated security in the ensuing chapters. We will also explore what considerations need to be made when it comes to automation framework selection. For instance, some tools are good for specific security testing but may have shortcomings when it comes to automation framework integration. Finally, we will set up all the necessary environmental conditions for the coming security automation practices.
⦁ Chapter 11, Automated Testing for a Web Application, will use three case studies to teach you about different security automation techniques against the vulnerable NodeGoat site. The first case study looks at automating the OWASP ZAP by using the ZAP-CLI, which will help to identify initial security issues in a website before authentication. In the second case study, we will be using Selenium to identify security issues concerning user sign-in. In the final case, we will use JMeter for sign-in with external CSV data to detect potential command injection security issues.
⦁ Chapter 12, Automated Fuzz API Security Testing, looks at API Fuzz testing, which can be one of the most effective and efficient means of security and automation testing. API fuzz testing involves generating fuzz data as data input, sending HTTP requests with fuzz data, and analyzing the HTTP response for security issues. We will demonstrate several API fuzz automation tools (including Wfuzz and 0d1n), fuzz techniques, and integration with automation testing frameworks (such as Selenium and Robot Framework data-driven testing).
⦁ Chapter 14, Managing and Presenting Testing Results, covers how we consolidate and present security testing findings as a whole to stakeholders. Executing and managing several security testing projects at a time can be a challenge. The security team, the project team, and management would like to know the security status of each project. This requires the consolidation of the results from some previously mentioned security testing tools into one portal or summary document. We will need to not only manage all the security testing tools execution results, but also present them in a security dashboard that clearly displays the overall security posture of a project. We will introduce some approaches and tools to achieve this goal.
⦁ Chapter 15, Summary of Automation Security Testing Tips, summarizes the key security automation techniques and tips from all the previous chapters. This chapter can be used as a quick reference guide or as an overall review of security automation.
⦁ Appendix A, List of Scripts and Tools, summarizes the tools and commands used throughout all the chapters.
⦁ Appendix B, Solutions, includes all the answers, to the questions provided within the chapters.
This book is aimed at software developers, architects, testers, and QA engineers looking to build automated security testing frameworks alongside their existing Continuous Integration (CI) frameworks to achieve security quality in the software development and testing cycle.
It will teach you how to adopt security automation techniques to continuously improve your entire software development and security testing cycle. This book aims to combine security and automation to protect web and cloud services. This practical guide will teach you how to use open source tools and techniques to integrate security testing tools directly into your CI/Continuous Delivery (CD) framework. It will also show you how to implement security inspection at every layer, such as secure code inspection, fuzz testing, REST API testing, privacy testing, infrastructure security testing, and fuzz testing. With the help of practical examples, it will also teach you how to implement a combination of automation and security in DevOps. Furthermore, it will cover topics on the integration of security testing results so that you can gain an overview of the overall security status of your projects.
This book best fits those in the following roles and scenarios:
⦁ Developers who are not familiar with secure coding rules, but need effective and automated secure code inspection with existing CI/CD integration.
⦁ Development and QA teams who would like to perform security automation at different levels, such as the API, fuzz, functional, and infrastructure levels, but may have a gap to bridge in order to achieve automated security testing.
⦁ Security team members who are finding that the testing output of their various security testing tools is not easily understood by non-security testing teams. In such cases, a universally recognizable security testing report is needed so that everyone can understand the overall security status of a project. (For these cases, behavior-driven and acceptance testing frameworks will be introduced.)
By the end of this book, you will be well versed in implementing automation security at all stages of your software development cycle, and will also have learned how to build your own in-house security automation platform for your cloud releases.
⦁ Tony Hsiang-Chih Hsu
Tony Hsiang-Chih Hsu is a senior security architect, software development manager, and project manager with more than 20 years' experience in security services technology. He has extensive experience of the Secure Software Development Lifecycle (SSDLC) in relation to activities including secure architecture/design review, secure code review, threat modeling, automated security testing, and cloud service inspection. He is also an in-house SDL trainer, having offered hands-on courses totaling in more than 300 hours. He is also the author of Hands-on Security in DevOps, and a co-author of several Open Web Application Security Project (OWASP) projects, including the OWASP testing guide, a proactive control guide, deserialization, cryptographic, and the XXE prevention cheatsheet.
▶TABLE of CONTENTS
1 The Scope and Challenges of Security Automation
2 Integrating Security and Automation
3 Secure Code Inspection
4 Sensitive Information and Privacy Testing
5 Security API and Fuzz Testing
6 Web Application Security Testing
7 Android Security Testing
8 Infrastructure Security
9 BDD Acceptance Security Testing
10 Project Background and Automation Approach
11 Automated Testing for Web Applications
12 Automated Fuzz API Security Testing
13 Automated Infrastructure Security
14 Managing and Presenting Test Results
15 Summary of Automation Security Testing Tips
내가 남긴 별점 0.0
'구매자' 표시는 리디북스에서 유료도서 결제 후 다운로드 하시거나 리디셀렉트 도서를 다운로드하신 경우에만 표시됩니다.
본문 끝 최상단으로 돌아가기
사용 가능 : 개
<>부터 총 화
총 화 대여 완료했습니다.
남은 작품 : 총 화 (원)
Practical Security Automation and Testing
대여 기간 : 일
결제 금액 : 원
결제 가능한 리디캐시, 포인트가 없습니다.
리디캐시를 충전하시면 자동으로 결제됩니다.
최대 9% 리디포인트 적립 혜택도 놓치지 마세요!
이미 구매한 작품입니다.
원하는 결제 방법을 선택해주세요.
대여 기간이 만료되었습니다.