Robots with Pentest Recipes:

Transcription

1 Robots with Pentest Recipes: Democratizing Security Testing for DevOps Wins Abhay Bhargav - CTO, we45

2 Yours Truly Co-author of Secure Java For Web Application Development Author of PCI Compliance: A Definitive Guide Speaker at OWASP Conferences worldwide Chief Architect of Orchestron Avid Pythonista and AppSec Automation Junkie Specialization in Web Application Security and Security Testing Lead Trainer - DevSecOps Workshop

3 Today's Session A Different Side of DevSecOps => Some Key Challenges Introducing the Robot Framework AppSec Testing Recipes with Robots Case Studies

4 Security in DevOps Code Test Deploy Monitor Plan Build Release Operate Threat modeling SAST Security - Composition DAST IAST Security in IaC Security monitoring & attack detection

5 The Need of the Hour. To Find and Fix Security Bugs early and often Security to integrate with your Agile Development Security to seamlessly work with your Continuous Delivery Pipeline

6 Let s get real for a minute

7 We re still running into some serious issues

8 Application Security is overwhelmed CI/CD Pipeline Security Reviews Bug Bounties Threat Modeling Security Assessments to name a few.

9 Automating AppSec - Challenging Multiple SAST and DAST Tools Their OWN API - Complexities Running them in a purely automated workflow gets complex Custom Security Flaws - Hard to weave into a fabric

10 We need to continuously test for security?

11 In Short.

12 What do we need?

13 Engineering - Run Security Locally Engineering - Run Localized Security Engagement with Security Teams - For High Value Added Requirements Make Security a First Class Citizen

14 More Effective Pentest Efforts Have your Pentest Teams work on finding more complex vulnerabilities Get them to script out complex pentest findings into Security Regression Scripts Get them involved in AppSec Automation

15 Get QA/QE Involved Quality Engineering - Usually develops a great deal of Test Automation Would be great to leverage their Test Automation For Security Testing Would be EVEN better to give them a single fabric for both Test Automation and Security Testing

16 Single Fabric => Test Automation + Security Testing Create Test Suites that combine capabilities of Software Test Automation and Security Testing tools Run a combination of tools - to provide coverage across different abstractions Use Pentest Results as Security Regressions Basically, create repeatable and reproducible recipes that work for your product

17 Enter, Robot Framework

18 What is Robot Framework Generic Test Automation Framework - Acceptance Testing and Acceptance Test Driven Development Extend Libraries in Python and Java Modular Architecture

19 Single Slide Introduction to ATDD

20 How it works When the test starts, Framework parses Test Data Utilizes Keywords from Test Libraries to interact with system being tested Libraries can communicate with the system either directly or using other test tools as drivers Reports generated as HTML and XML

21 Why we like it? Flexible Natural Language Syntax - FTW! Easy to develop API for Tools Modular Comes with Reporting out of the Box Python and Java Support

22 Natural Language Syntax *** Test Cases *** Login to Healthcare App [Tags] login input text _id input password password cwasp click button id=submit set browser implicit wait 10 location should be ${BASE_URL}dashboard/

23 Popular Third Party Libraries - Robot Framework Android and ios Automation - Calabash Selenium Appium Python Requests Diff Library SSH

24 Security Tool Libraries - Robot Framework Robot Framework - OWASP ZAP Integration => RoboZAP Robot Framework - Nmap Integration => RoboNmap Robot Framework - BurpSuite Integration => Robo2Burp Robot Framework - Sublist3r Integration Robot Framework OWASP Dependency Check Robot Framework - Arachni Integration

25 Adapting it for security Empowering Engineering Teams to Run their own Security Testing Engaging Functional Test Automation Teams to contribute to security Combining Functional Testing as an Input to DAST Tools Lowering the Entry Barrier for Security Testing Canned Recipes for Pentesters

26 The idea here is to reduce this Pulling Results from each Scan Automating them with their API in the Pipeline + Parameterization Understanding and Using Security Testing Tools Understand Security Testing Steps and Processes

27 To This start zap active scan ${TARGET} write results to DB ${DB_PATH} Reducing Friction in the way we use and interact with Security Testing Tools

28 Demo Demo Gods! Please let this work

29 Use-Cases and Patterns Automate Pentest Activities - Creating an Automated Pentest Pipeline Parameterized Application Security Testing in the Pipeline Run Security Regressions in the Pipeline

30 Automated Pentesting Pipeline Automate specific Pentest Scripts in a sequential process Saves time - Pentesters Democratizes Security Testing - Including Engineering and QA

31 Example nmap script scan ${TARGET} nmap print results (run selenium automation script) start zap active scan ${TARGET} write results to DB ${DB_PATH}

32 Demo Demo Gods! Please let this work

33 Parameterized Application Security Testing Pipeline

34 Demo Demo Gods! Please let this work

35 Parameterized Application Security Testing Pipeline

36 Demo Demo Gods! Please let this work

37 Reach Us Website: LinkedIn: abhaybhargav