[WEB SECURITY] Security test case automation

Stephen de Vries stephendv at gmail.com
Thu Jan 23 01:14:59 EST 2014

On 23 Jan 2014, at 05:30, vedantam sekhar <vedantamsekhar at gmail.com> wrote:

> Need your help here. As part of the QA team, we will be writing security test cases and also executing them manually using the OWASP standard. However, I have been given the task of looking into the possibility of automating these test cases. Are there any tools/frameworks available for us to achieve this?

Hi Sekhar,

You could take a look at the BDD-Security framework http://www.continuumsecurity.net/bdd-intro.html (I’m the author); it was designed to do exactly this using Selenium WebDriver, OWASP ZAP, JBehave and optionally TestNG.
One of the core principles is to separate the security test cases from the navigation of the application under test, so it comes bundled with a number of pre-written generic security tests that can be applied to most web applications without modification. The focus is on writing the tests in JBehave, which allows them to be written in a natural language, English by default, but it can be changed. If, however, you prefer to work in pure Java, the same tests are also provided in TestNG, so they can be run directly from an IDE.
One of the advantages of using test cases over pure scanning is that you can do more in-depth and intelligent testing, for example automated access control tests between users and between roles: http://www.continuumsecurity.net/2013/12/07/Automated-Access-Control-Tests.html

The documentation is far from complete, but there are some useful bits captured in the blog posts.  Code is open source:  https://github.com/continuumsecurity/bdd-security 
Feel free to get in touch off-list if you run into any issues.
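As an added illustration of the access-control testing described in the reply above (this is not BDD-Security's code but a Python sketch written for this page): the generic test logic, which logs in as every user and requests every restricted URL, knows nothing about how the application is navigated. `ToyApp`, `POLICY` and `USERS` are constructed assumptions; the in-memory app stands in for the WebDriver layer and carries a deliberate missing role check so the test has something to find.

```python
from typing import Dict, List, Tuple

# Expected policy, the test's source of truth: URL -> roles allowed to reach it.
POLICY: Dict[str, set] = {
    "/admin/users": {"admin"},
    "/reports":     {"admin", "manager"},
    "/profile":     {"admin", "manager", "user"},
}
# Constructed test accounts, one per role.
USERS: Dict[str, str] = {"ann": "admin", "mia": "manager", "uma": "user"}


class ToyApp:
    """Constructed stand-in for the application under test (the navigation layer).
    Its own authorization table forgot /reports, so that URL only checks that the
    caller is logged in; this is the defect the generic test should surface."""
    _RULES = {"/admin/users": {"admin"}, "/profile": {"admin", "manager", "user"}}

    def login(self, user: str) -> Dict[str, str]:
        return {"user": user, "role": USERS[user]}      # pretend session cookie

    def get(self, session: Dict[str, str], url: str) -> int:
        if url not in self._RULES:                       # /reports: no role check
            return 200 if session else 401
        return 200 if session["role"] in self._RULES[url] else 403


def access_matrix(app: ToyApp, users: Dict[str, str],
                  urls: List[str]) -> Dict[Tuple[str, str], int]:
    """Generic step: for every user and every restricted URL, record the status."""
    return {(u, url): app.get(app.login(u), url) for u in users for url in urls}


def violations(matrix: Dict[Tuple[str, str], int], users: Dict[str, str],
               policy: Dict[str, set]) -> List[Tuple[str, str]]:
    """(user, url) pairs where an unentitled role got 200, or an entitled one did not."""
    bad = []
    for (user, url), status in matrix.items():
        allowed = users[user] in policy[url]
        if (allowed and status != 200) or (not allowed and status == 200):
            bad.append((user, url))
    return sorted(bad)


def run() -> List[Tuple[str, str]]:
    app = ToyApp()
    return violations(access_matrix(app, USERS, list(POLICY)), USERS, POLICY)


if __name__ == "__main__":
    for user, url in run():
        print(f"access-control violation: {user} ({USERS[user]}) reached {url}")
```

Swapping `ToyApp` for a class that drives a browser keeps `access_matrix` and `violations` unchanged, which is the separation of test cases from navigation the reply describes.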

