Your one stop guide to automating infrastructure security using DevOps and DevSecOps
Book Description
Security automation is the automatic handling of software security assessments tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention.
This book will teach you to adopt security automation techniques to continuously improve your entire software development and security testing. You will learn to use open source tools and techniques to integrate security testing tools directly into your CI/CD framework. With this book, you will see how to implement security inspection at every layer, such as secure code inspection, fuzz testing, Rest API, privacy, infrastructure security, and web UI testing.
With the help of practical examples, this book will teach you to implement the combination of automation and Security in DevOps. You will learn about the integration of security testing results for an overall security status for projects.
By the end of this book, you will be confident implementing automation security in all layers of your software development stages and will be able to build your own in-house security automation platform throughout your mobile and cloud releases.
Who this book is for
The book is for software developers, architects, testers and QA engineers who are looking to leverage automated security testing techniques.
The e-book can be read in the Legimi apps or in any app that supports the following format:
Page count: 227
Year of publication: 2019
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Karan Sadawana
Acquisition Editor: Heramb Bhavsar
Content Development Editor: Roshan Kumar
Technical Editor: Shweta Jadhav
Copy Editor: Safis Editing
Project Coordinator: Namrata Swetta
Proofreader: Safis Editing
Indexer: Priyanka Dhadke
Graphics: Alishon Mendonsa
Production Coordinator: Shraddha Falebhai
First published: January 2019
Production reference: 2310119
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78980-202-3
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Tony Hsiang-Chih Hsu is a senior security architect, software development manager, and project manager with more than 20 years' experience in security services technology. He has extensive experience with the Secure Software Development Lifecycle (SSDLC), covering activities such as secure architecture/design review, secure code review, threat modeling, automated security testing, and cloud service inspection. He is also an in-house SDL trainer, having delivered hands-on courses totaling more than 300 hours. He is the author of Hands-On Security in DevOps and a co-author of several Open Web Application Security Project (OWASP) projects, including the OWASP Testing Guide, the Proactive Controls guide, and the deserialization, cryptographic, and XXE prevention cheat sheets.
Anand Tiwari is an information security professional with nearly 5 years' experience in offensive security, with expertise in mobile, web application, and infrastructure security. He has authored an open source tool called Archery, and has presented at BlackHat, DEFCON, HITB, and ITEM conferences. His research primarily focuses on Android and iOS mobile applications. In his spare time, he writes code and experiments with open source information security tools.
Lawrence Liang serves as a cybersecurity solutions lead in a large public corporation. Prior to his current role, Lawrence assumed a variety of technical and managerial roles in several Fortune 500 companies focusing on IT infrastructure and security management for global clients. Lawrence earned his MBA from the University of Calgary, Canada, and his Bachelor of Software Engineering from Jinan University, China.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Practical Security Automation and Testing
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
The Scope and Challenges of Security Automation
The purposes and myths of security automation
Myth 1 – doesn't security testing require highly experienced pentesters?
Myth 2 – isn't it time-consuming to build an automation framework?
Myth 3 – there are no automation frameworks that are really feasible for security testing
The required skills and suggestions for security automation
General environment setup for coming labs
Summary
Questions
Further reading
Integrating Security and Automation
The domains of automation testing and security testing
Automation frameworks and techniques
UI functional testing for web, mobile, and windows
HTTP API testing
HTTP mock server
White-box search with GREP-like tools
Behavior-driven development testing frameworks
Testing data generators
Automating existing security testing
Security testing with an existing automation framework
Summary
Questions
Further reading
Secure Code Inspection
Case study – automating a secure code review
Secure coding scanning service – SWAMP
Step 1 – adding a new package
Step 2 – running the assessment
Step 3 – viewing the results
Secure coding patterns for inspection
Quick and simple secure code scanning tools
Automatic secure code inspection script in Linux
Step 1 – downloading the CRASS
Step 2 – executing the code review audit scan
Step 3 – reviewing the results
Automatic secure code inspection tools for Windows
Step 1 – downloading VCG (Visual Code Grepper)
Step 2 – executing VCG
Step 3 – reviewing the VCG scanning results
Case study – XXE security
Case study – deserialization security issue
Summary
Questions
Further reading
Sensitive Information and Privacy Testing
The objective of sensitive information testing
PII discovery
Sensitive information discovery
Privacy search tools
Case study – weak encryption search
Step 1 – installing The Silver Searcher
Step 2 – executing the tool (using Windows as an example)
Step 3 – reviewing the results (using Windows as an example)
Case study – searching for a private key
Step 1 – calculating the entropy
Step 2 – Searching for high-entropy strings
Step 3 – Reviewing the results
Case study – website privacy inspection
Step 1 – visiting PrivacyScore or setting it up locally
Step 2 – reviewing the results
Summary
Questions
Further reading
Security API and Fuzz Testing
Automated security testing for every API release
Building your security API testing framework
Case study 1 – basic – web service testing with ZAP CLI
Step 1 – OWASP ZAP download and launch with port 8090
Step 2 – install the ZAP-CLI
Step 3 – execute the testing under ZAP-CLI
Step 4 – review the results
Case study 2 – intermediate – API testing with ZAP and JMeter
Step 1 – download JMeter
Step 2 – define HTTP request for the login
Step 4 – execute the JMeter script
Step 3 – review the results in ZAP
Case study 3 – advanced – parameterized security payload with fuzz
Step 1 – download the SQL injection data
Step 2 – define the CSV dataset in JMeter
Step 3 – apply the variable name
Step 4 – specify the loop
Step 5 – execute JMeter and review the security assessment results
Case study 4 – security testing with ZAP Open/SOAP API
Step 1 – install the OpenAPI and SOAP API add-ons
Step 2 – import the API definition
Step 3 – execute the active security scanning
Step 4 – present the security assessments
Summary
Questions
Further reading
Web Application Security Testing
Case study – online shopping site for automated security inspection
Case 1 – web security testing using the ZAP REST API
Step 1 – spider scanning the website
Step 2 – active scanning the website
Step 3 – reviewing the status of the active scan
Step 4 – reviewing the security assessments
Case 2 – full automation with CURL and the ZAP daemon
Step 1 – executing ZAP in daemon (headless) mode
Step 2 – checking the status of the ZAP daemon
Step 3 – fully automating the ZAP API
Case 3 – automated security testing for the user registration flow with Selenium
Step 1 – installation of SeleniumBase
Step 2 – launching ZAP with proxy 8090
Step 3 – executing the user registration flow automation
Step 4 – active scanning the identified URLs
Step 5 – reviewing the security assessments
Summary
Questions
Further reading
Android Security Testing
Android security review best practices
Secure source code review patterns for Android
Privacy and sensitive information review
Privacy scanning with Androwarn
Step 1 – scanning of an APK
Step 2 – review the report
General process of APK security analysis
Step 1 – use APKTool to reverse the APK to Manifest.xml, Smali and resources
Step 2 – use JADX to reverse the APK into Java source code
Step 3 – use Fireline to scan all the Java source files
Step 4 – review the scanning results
Static secure code scanning with QARK
Step 1 – install QARK
Step 2 – APK scanning with QARK
Step 3 – review the results
Automated security scanning with MobSF
Step 1 – set up the MobSF
Step 2 – upload the APK by REST API
Step 3 – scan the APK
Step 4 – download the report
Summary
Questions
Further reading
Infrastructure Security
The scope of infrastructure security
Secure configuration best practices
CIS (Center for Internet Security) benchmarks
Security technical implementation guides (STIGs)
OpenSCAP security guide
Step 1 – installation of SCAP workbench
Step 2 – OpenSCAP security guide
Network security assessments with Nmap
Nmap usage tips
CVE vulnerability scanning
Known vulnerable components scan by VulScan
Step 1 – installation of VulScan
Step 2 – NMAP scanning with VulScan
Known vulnerable components scan by OWASP dependency check
Step 1 – installation of OWASP dependency check
Step 2 – CVE scanning with OWASP dependency check
HTTPS security check with SSLyze
Behavior-driven security automation – Gauntlt
Step 1 – Gauntlt installation
Step 2 – BDD security testing script
Step 3 – execution and results
Summary
Questions
Further reading
BDD Acceptance Security Testing
Security testing communication
What is BDD security testing?
Adoption of Robot Framework with sqlmap
Step 1 – Robot Framework setup and preparation
Step 2 – sqlmap with Robot Framework
Testing framework – Robot Framework with ZAP
Step 1 – environment setup and preparation
Step 2 – the Robot Framework script for the ZAP spider scan
Step 3 – robot script execution
Summary
Questions
Further reading
Project Background and Automation Approach
Case study – introduction and security objective
Selecting security and automation testing tools
Automated security testing frameworks
Environment and tool setup
Summary
Questions
Further reading
Automated Testing for Web Applications
Case 1 – web security scanning with ZAP-CLI
Step 1 – installation of ZAP-CLI
Step 2 – ZAP quick scan using the ZAP-CLI
Step 3 – generate a report
Case 2 – web security testing with ZAP & Selenium
Step 1 – Selenium Python script
Step 2 – running ZAP as a proxy
Approach 1 – configure the system proxy
Approach 2 – Selenium Profile
Approach 3 – using SeleniumBASE
Step 3 – generate ZAP report
Case 3 – fuzz XSS and SQLi testing with JMeter
Testing scenarios
Step 1 – prepare the environment
Step 2 – define the JMeter scripts
Step 3 – prepare security payloads
Step 4 – launch JMeter in CLI with ZAP proxy
Step 5 – generate a ZAP report
Summary
Questions
Further reading
Automated Fuzz API Security Testing
Fuzz testing and data
Step 1 – installing Radamsa
Step 2 – generating the security random payloads
API fuzz testing with Automation Frameworks
Approach 1 – security fuzz testing with Wfuzz
Step 1 – installing Wfuzz
Step 2 – fuzz testing with sign-in
Step 3 – reviewing the Wfuzz report
Approach 2 – security fuzz testing with 0d1n
Step 1 – installation of 0d1n
Step 2 – execution of 0d1n with OWASP ZAP
Step 3 – review the ZAP report (optional)
Approach 3 – Selenium DDT (data-driven testing)
Step 1 – Selenium script with DDT
Step 2 – executing the Selenium script
Step 3 – review the ZAP report
Approach 4 – Robot Framework DDT testing
Step 1 – Robot Framework environment setup
Step 3 – Robot Framework script
Step 4 – review the ZAP report
Summary
Questions
Further reading
Automated Infrastructure Security
Scan for known JavaScript vulnerabilities
Step 1 – install RetireJS
Step 2 – scan with RetireJS
Step 3 – review the RetireJS results
WebGoat with OWASP dependency check
Step 1 – prepare WebGoat environment
Step 2 – dependency check scan
Step 3 – review the OWASP dependency-check report
Secure communication scan with SSLScan
Step 1 – SSLScan setup
Step 2 – SSLScan scan
Step 3 – review the SSLScan results
Step 4 – fix the HTTPS secure configurations
NMAP security scan with BDD framework
NMAP for web security testing
NMAP BDD testing with Gauntlt
NMAP BDD with Robot Framework
Step 1 – define the Robot Framework steps
Step 2 – execute and review the results
Summary
Questions
Further reading
Managing and Presenting Test Results
Managing and presenting test results
Approach 1 – integrate the tools with RapidScan
Step 1 – get the RapidScan Python script
Step 2 – review scanning results
Approach 2 – generate a professional pentest report with Serpico
Step 1 – installation of Serpico
Step 2 – create a report based on templates
Step 3 – add findings from templates
Step 4 – generate a report
Approach 3 – security findings management DefectDojo
Step 1 – set up OWASP DefectDojo
Step 2 – run security tools to output XMLs
Step 3 – import ZAP findings
Summary
Questions
Further reading
Summary of Automation Security Testing Tips
Automation testing framework
What are the automation frameworks for UI functional testing?
What is a BDD (behavior-driven development) testing framework?
What are common automation frameworks that apply to security testing?
Secure code review
What are common secure code review patterns and risky APIs?
Suggestions for grep-like search tools for source code or configuration searches
API security testing
What are API security testing approaches?
What are the suggested resources for FuzzDB security payloads?
What testing tools are suggested for web fuzz testing?
Web security testing
How can JMeter be used for the web security testing?
Examples of OWASP ZAP by ZAP-CLI usages
Examples of OWASP ZAP automation by RESTful API
Android security testing
Suggested Android security testing tools and approach
Common Android security risky APIs
Infrastructure security
What's the scope of infrastructure security testing?
Typical use of Nmap for security testing
BDD security testing by Robot Framework
How to do web security scan with ZAP and Robot Framework?
How to achieve DDT testing in Robot Framework?
How to do network scan with Nmap and Robot Framework?
How to do an SQLmap scan with Robot Framework?
How to do BDD security testing with Nmap and Gauntlt?
Summary
List of Scripts and Tools
List of sample scripts
List of installed tools in virtual image
Solutions
Chapter 1: The Scope and Challenges of Security Automation
Chapter 2: Integrating Security and Automation
Chapter 3: Secure Code Inspection
Chapter 4: Sensitive Information and Privacy Testing
Chapter 5: Security API and Fuzz Testing
Chapter 6: Web Application Security Testing
Chapter 7: Android Security Testing
Chapter 8: Infrastructure Security
Chapter 9: BDD Acceptance Security Testing
Chapter 10: Project Background and Automation Approach
Chapter 11: Automated Testing for Web Applications
Chapter 12: Automated Fuzz API Security Testing
Chapter 13: Automated Infrastructure Security
Chapter 14: Managing and Presenting Test Results
Other Books You May Enjoy
Leave a review - let other readers know what you think
This book is aimed at software developers, architects, testers, and QA engineers looking to build automated security testing frameworks alongside their existing Continuous Integration (CI) frameworks to achieve security quality in the software development and testing cycle.
It will teach you how to adopt security automation techniques to continuously improve your entire software development and security testing cycle. This book aims to combine security and automation to protect web and cloud services. This practical guide will teach you how to use open source tools and techniques to integrate security testing tools directly into your CI/Continuous Delivery (CD) framework. It will also show you how to implement security inspection at every layer, such as secure code inspection, fuzz testing, REST API testing, privacy testing, and infrastructure security testing. With the help of practical examples, it will also teach you how to implement a combination of automation and security in DevOps. Furthermore, it will cover the integration of security testing results so that you can gain an overview of the overall security status of your projects.
This book best fits those in the following roles and scenarios:
Developers who are not familiar with secure coding rules, but need effective and automated secure code inspection with existing CI/CD integration.
Development and QA teams who would like to perform security automation at different levels, such as the API, fuzz, functional, and infrastructure levels, but may have a gap to bridge in order to achieve automated security testing.
Security team members who are finding that the testing output of their various security testing tools is not easily understood by non-security testing teams. In such cases, a universally recognizable security testing report is needed so that everyone can understand the overall security status of a project. (For these cases, behavior-driven and acceptance testing frameworks will be introduced.)
By the end of this book, you will be well versed in implementing automation security at all stages of your software development cycle, and will also have learned how to build your own in-house security automation platform for your cloud releases.
This book is for anyone in any of the following positions:
Software or operations managers who may need a security automation framework to apply to existing engineering practices
Software developers who are looking for effective security tools, for automated code inspection for C/C++, Java, Python, and JavaScript
Software testers who need security testing cases to be automated with both white-box/black-box tools such as API, fuzz, web, infrastructure and privacy security testing, with open source tools and script templates
Software operations teams who need to perform automated software security scanning and an infrastructure configuration inspection before deployment to production.
Chapter 1, The Scope and Challenges of Security Automation, discusses the challenges of security automation and gives an overview of security automation tools and frameworks. The required skills, security tools, and automation frameworks will be introduced. This will help you to gain the foundational knowledge required for you to build security automation measures in the coming chapters. Finally, we will also set up some sample vulnerable source code, as well as an application, for practicing security scanning in the coming chapters. This will include an illustration of dynamic security testing techniques (OWASP ZAP, Nmap, and Fuzz) and static code inspection with automation frameworks (such as Selenium, Robot Framework, JMeter, and behavior-driven development (BDD)), as well as a detailed look at mobile security testing framework integration in several hands-on case studies.
Chapter 2, Integrating Security and Automation, introduces how security and automation can be integrated. Since both security testing and automation testing require domain expertise and very particular tools, this chapter will introduce how to bake automation into existing security testing frameworks to improve testing coverage and efficiency. We will also discuss how security testing practices and tools can be integrated into your in-house automation testing framework.
Chapter 3, Secure Code Inspection, discusses white-box testing techniques for the secure reviewing of code. For an in-house software development team, it's a challenge to review all the source code for every software release. This is not only due to the pressure of release cycles, but also due to the impracticality of requiring every developer to be familiar with all the secure coding best practices for all different programming languages, such as Java, C/C++, and Python. Therefore, we will demonstrate how to build your own automated secure coding platform with open source solutions for every release.
Chapter 4, Sensitive Information and Privacy Testing, discusses how to use automated scanning to prevent the disclosure of sensitive information in every software release. There are three typical scenarios where this kind of scanning applies. The first is where sensitive information is included in the source code, such as an embedded key, a hardcoded password, a hidden hotkey, an email address, or an IP address or URL. Secondly, sensitive information can also be stored in cookies, since cookies can collect the browsing behaviors of users. Finally, large projects handling massive amounts of data require effective ways of identifying and protecting any Personally Identifiable Information (PII) stored in the database.
Chapter 5, Security API and Fuzz Testing, explores API and fuzz testing. As cloud software releases can be on an API-level basis, there can be hundreds of APIs released at a time. The software development team will definitely need an effective way to automate security testing for every API release. In this chapter, we use an online pet store case study to see how you can build your automated API security testing framework with various tools. API security testing focuses more on data injection and abnormal payloads. Therefore, fuzz testing will also be introduced as random data input and security injection for automated API security testing.
Chapter 6, Web Application Security Testing, is where we will use an online shopping site, Hackazon, to demonstrate how to achieve automated web security testing. The key challenge in automating web application testing is walking through the UI business flow while doing security inspection. Doing so requires not only security scanning capabilities but also web UI automation. We will be using security tools such as ZAP and web UI automation frameworks such as Selenium and Robot Framework. Using these tools can effectively improve your security testing coverage. We will share some tips and tools for making web automation easier.
Chapter 7, Android Security Testing, focuses on Android. It's a common practice to do a security check before an Android application release. However, doing so when releases are frequent and numerous can be a real challenge. The automated security testing process for an Android mobile application requires submitting the APK binaries, reversing the APK for secure source code inspection, checking the manifest configuration, and generating testing results; we'll be looking at all of this in this chapter. Besides that, we will also introduce mobile security-related practices, such as OWASP mobile security testing and Android secure coding practices.
Chapter 8, Infrastructure Security, will focus on infrastructure and platform security. For a Platform-as-a-Service (PaaS) or even for Software-as-a-Service (SaaS) providers, it's vital to ensure that the infrastructure is secure. Therefore, the security operations team will need to do regular scanning of the infrastructure to ensure security configurations for security compliance. Infrastructure security includes secure configuration with web services, security of databases and OSes, secure communication protocols such as TLS v1.2, and the use of secure versions of third-party components and dependencies. We will illustrate how to set up your own automated scanning framework to run these regular secure configuration inspections.
Chapter 9, BDD Acceptance Security Testing, will discuss the challenges of cross-team communication within large software development teams. For instance, the team who executed the security testing may understand the tests carried out and their results, but other non-technical teams such as product management and marketing may not gain the same understanding just from reading the testing reports. Therefore, we will introduce BDD acceptance testing with automated security testing. We will use security testing tools on top of BDD security automation testing frameworks and hook into the testing process.
Chapter 10, Project Background and Automation Approach, will introduce a project and the security objectives necessary for proceeding with automated security in the ensuing chapters. We will also explore what considerations need to be made when it comes to automation framework selection. For instance, some tools are good for specific security testing but may have shortcomings when it comes to automation framework integration. Finally, we will set up all the necessary environmental conditions for the coming security automation practices.
Chapter 11, Automated Testing for a Web Application, will use three case studies to teach you about different security automation techniques against the vulnerable NodeGoat site. The first case study looks at automating the OWASP ZAP by using the ZAP-CLI, which will help to identify initial security issues in a website before authentication. In the second case study, we will be using Selenium to identify security issues concerning user sign-in. In the final case, we will use JMeter for sign-in with external CSV data to detect potential command injection security issues.
Chapter 12, Automated Fuzz API Security Testing
