Robots with Pentest Recipes: Democratizing Security Testing for DevOps Wins
Transcript of the slide deck (hosted on schd.ws)
Abhay Bhargav - CTO, we45
Yours Truly
• Co-author of Secure Java For Web Application Development
• Author of PCI Compliance: A Definitive Guide
• Speaker at OWASP Conferences worldwide
• Chief Architect of Orchestron
• Avid Pythonista and AppSec Automation Junkie
• Specialization in Web Application Security and Security Testing
• Lead Trainer - DevSecOps Workshop
Today's Session
• A Different Side of DevSecOps => Some Key Challenges
• Introducing the Robot Framework
• AppSec Testing Recipes with Robots
• Case Studies
Security in DevOps
DevOps loop: Plan → Code → Build → Test → Release → Deploy → Operate → Monitor
Security activities mapped onto the loop:
• Threat modeling
• SAST / Security Composition Analysis
• DAST / IAST
• Security in IaC
• Security monitoring & attack detection
The Need of the Hour…
• To find and fix security bugs early and often
• Security that integrates with your Agile development
• Security that works seamlessly with your Continuous Delivery pipeline
Application Security is overwhelmed
• CI/CD Pipeline
• Security Reviews
• Bug Bounties
• Threat Modeling
• Security Assessments
• …to name a few
Automating AppSec - Challenging
• Multiple SAST and DAST tools
• Each with its OWN API - added complexity
• Running them in a purely automated workflow gets complex
• Custom security flaws - hard to weave into a single fabric
Engineering - Run Security Locally
• Engineering - Run Localized Security
• Engagement with Security Teams - For High Value Added Requirements
• Make Security a “First Class Citizen”
More Effective Pentest Efforts
• Have your Pentest Teams work on finding more complex vulnerabilities
• Get them to script out complex pentest findings into Security Regression Scripts
• Get them involved in AppSec Automation
Get QA/QE Involved
• Quality Engineering - Usually develops a great deal of Test Automation
• Would be great to leverage their Test Automation For Security Testing
• Would be EVEN better to give them a single fabric for both Test Automation and Security Testing
Single Fabric => Test Automation + Security Testing
• Create Test Suites that combine capabilities of Software Test Automation and Security Testing tools
• Run a combination of tools - to provide coverage across different abstractions
• Use Pentest Results as Security Regressions
• Basically, create repeatable and reproducible recipes that work for your product
What is Robot Framework
• Generic Test Automation Framework - Acceptance Testing and Acceptance Test Driven Development
• Extend Libraries in Python and Java
• Modular Architecture
How it works…
• When the test starts, the Framework parses the Test Data
• Utilizes Keywords from Test Libraries to interact with the system being tested
• Libraries can communicate with the system either directly or using other test tools as drivers
• Reports generated as HTML and XML
Why we like it
• Flexible Natural Language Syntax - FTW!
• Easy to develop API for Tools
• Modular
• Comes with Reporting out of the Box
• Python and Java Support 😁
Natural Language Syntax
*** Test Cases ***
Login to Healthcare App
    [Tags]    login
    input text    email_id    [email protected]
    input password    password    cwasp
    click button    id=submit
    set browser implicit wait    10
    location should be    ${BASE_URL}dashboard/
Popular Third Party Libraries - Robot Framework
• Android and iOS Automation - Calabash
• Selenium
• Appium
• Python Requests
• Diff Library
• SSH
Security Tool Libraries - Robot Framework
• Robot Framework - OWASP ZAP Integration => RoboZAP
• Robot Framework - Nmap Integration => RoboNmap
• Robot Framework - BurpSuite Integration => Robo2Burp
• Robot Framework - Sublist3r Integration
• Robot Framework - OWASP Dependency Check Integration
• Robot Framework - Arachni Integration
Adapting it for security
• Empowering Engineering Teams to run their own Security Testing
• Engaging Functional Test Automation Teams to contribute to security
• Combining Functional Testing as an Input to DAST Tools
• Lowering the Entry Barrier for Security Testing
• Canned Recipes for Pentesters
The idea here is to reduce this…
• Understand Security Testing Steps and Processes
• Understand and use Security Testing Tools
• Automate them with their API in the Pipeline + Parameterization
• Pull Results from each Scan
To this…
    start zap active scan    ${TARGET}
    write results to DB    ${DB_PATH}
Reducing Friction in the way we use and interact with Security Testing Tools
Use-Cases and Patterns
• Automate Pentest Activities - Creating an Automated Pentest Pipeline
• Parameterized Application Security Testing in the Pipeline
• Run Security Regressions in the Pipeline
Automated Pentesting Pipeline
• Automate specific Pentest Scripts in a sequential process
• Saves time - Pentesters
• Democratizes Security Testing - Including Engineering and QA
Example
    nmap script scan    ${TARGET}
    nmap print results
    …(run selenium automation script)
    start zap active scan    ${TARGET}
    write results to DB    ${DB_PATH}
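An added example, not code from the talk or from the RoboNmap/RoboZAP projects: a small Python keyword library of the kind the "How it works" slide describes (Robot turns every public method of a library class into a keyword), covering the "print results" and "write results to DB" steps of the recipe above, plus a keyword that turns a pentest finding into a security regression. The class name PentestRecipes, the keyword names and the embedded nmap XML are my assumptions; the XML is a constructed sample so the library runs offline.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (offline stand-in for a real scan's XML file).
SAMPLE_NMAP_XML = """<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
 </ports></host></nmaprun>"""


class PentestRecipes:
    """Robot static library: every public method becomes a keyword (Parse Nmap Xml, ...)."""

    def parse_nmap_xml(self, xml_text):
        """Return the open ports as dicts with host, port, protocol and service."""
        results = []
        for host in ET.fromstring(xml_text).iter("host"):
            addr = host.find("address").get("addr")
            for port in host.iter("port"):
                if port.find("state").get("state") != "open":
                    continue
                results.append({"host": addr, "port": int(port.get("portid")),
                                "protocol": port.get("protocol"),
                                "service": port.find("service").get("name")})
        return results

    def write_results_to_db(self, db_path, results):
        """Persist findings so every pipeline run leaves a record; returns the row count."""
        con = sqlite3.connect(db_path)
        with con:  # commits on success, rolls back on error
            con.execute("CREATE TABLE IF NOT EXISTS ports "
                        "(host TEXT, port INTEGER, protocol TEXT, service TEXT)")
            con.executemany("INSERT INTO ports VALUES "
                            "(:host, :port, :protocol, :service)", results)
        count = con.execute("SELECT COUNT(*) FROM ports").fetchone()[0]
        con.close()
        return count

    def ports_should_not_be_open(self, results, *forbidden):
        """Security regression: fail if a port a pentester already reported is open again."""
        banned = {int(p) for p in forbidden}  # Robot passes keyword arguments as strings
        offenders = [r for r in results if r["port"] in banned]
        if offenders:
            raise AssertionError("Forbidden ports open: %r" % offenders)
        return True

# .robot usage (Library  PentestRecipes.py), after ${results}=  Parse Nmap Xml  ${NMAP_XML}:
#     Write Results To DB    ${DB_PATH}    ${results}
#     Ports Should Not Be Open    ${results}    23
```

The last keyword is the regression pattern from the "More Effective Pentest Efforts" slide: a pentester scripts the finding once, and QA or engineering re-run it on every pipeline build.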
Reach Us
• Twitter: @we45
• Website: www.we45.com
• Twitter: @abhaybhargav
• LinkedIn: www.linkedin.com/in/abhaybhargav