[WEB SECURITY] Security test case automation

Ward, Allan WardA at DNB.com
Thu Jan 23 02:05:13 EST 2014

Veracode provides a service through which you can run dynamic testing and static code analysis to test for OWASP vulnerabilities. There are other solutions that can also be used.
Do you have any spend, or are you looking for open source?

We use AppScan and Parasoft, but Fortify also has very good tools in this space.



Allan Ward, Internal Controls & Compliance Specialist (SOX), Global Security and Risk, D&B, Marlow International, Parkway, Marlow, SL7 1AJ, tel. (44) (0)1628 492709, warda at dnb.com

From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Stephen de Vries
Sent: 23 January 2014 06:15
To: vedantam sekhar
Cc: Webappsec Group
Subject: Re: [WEB SECURITY] Security test case automation

On 23 Jan 2014, at 05:30, vedantam sekhar <vedantamsekhar at gmail.com> wrote:

Need your help here. As part of the QA team, we will be writing security test cases and also executing them manually using the OWASP standard. However, I have been given the task of looking into the possibility of automating these test cases. Are there any tools/frameworks available for us to achieve this?

Hi Sekhar,

You could take a look at the BDD-Security framework http://www.continuumsecurity.net/bdd-intro.html (I'm the author); it was designed to do exactly this using Selenium WebDriver, OWASP ZAP, JBehave and optionally TestNG.
One of the core principles is to separate the security test cases from the navigation of the application under test, so it comes bundled with a number of pre-written generic security tests that can be applied to most web applications without modification. The focus is on writing the tests in JBehave, which allows them to be written in a natural language, English by default, but it can be changed. If, however, you prefer to work in pure Java, the same tests are also provided in TestNG, so they can be run directly from an IDE.
One of the advantages of using test cases over pure scanning is that you can do more in-depth and intelligent testing, for example, automated access control tests between users and between roles: http://www.continuumsecurity.net/2013/12/07/Automated-Access-Control-Tests.html

The documentation is far from complete, but there are some useful bits captured in the blog posts. Code is open source: https://github.com/continuumsecurity/bdd-security
Feel free to get in touch off-list if you run into any issues.
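The role-versus-resource access control check described above, written as an added stand-alone example (not BDD-Security's own code, which drives a real browser through Selenium and ZAP). The policy matrix, the test accounts and the toy application are all constructed here; the `fetch` callable stands in for the navigation layer so the security test itself stays independent of how the application is driven.

```python
"""Role/resource access-control matrix test: the test logic is separated from
the code that drives the application, as the approach above recommends.
Everything below is constructed for illustration; it is not BDD-Security's API."""
from typing import Callable, Dict, List, Tuple

# Constructed policy: which roles are expected to reach which resource.
EXPECTED_ALLOW: Dict[str, set] = {
    "/profile/me": {"admin", "editor", "viewer"},
    "/articles/edit": {"admin", "editor"},
    "/admin/users": {"admin"},
}

# Constructed test accounts, one per role, plus an unauthenticated session ("").
USERS: Dict[str, str] = {"alice": "admin", "bob": "editor", "carol": "viewer", "": "anonymous"}

def toy_app(user: str, path: str) -> int:
    """Constructed stand-in for the application under test, returning an HTTP
    status. It deliberately contains one authorisation bug: /admin/users
    checks that the caller is logged in but forgets to check the role."""
    role = USERS.get(user, "anonymous")
    if role == "anonymous":
        return 401
    if path == "/admin/users":
        return 200  # BUG: a non-admin should receive 403 here
    if role in EXPECTED_ALLOW.get(path, set()):
        return 200
    return 403

# The navigation layer: anything that, given a user and a path, yields a status.
Fetch = Callable[[str, str], int]

def access_control_violations(fetch: Fetch) -> List[Tuple[str, str, int, str]]:
    """Drive every (user, resource) pair through 'fetch' and compare the result
    with the expected policy. Catches both vertical escalation (a lower role
    reaching a higher role's resource) and broken legitimate access.
    Returns (user, path, status, problem) for each mismatch."""
    violations: List[Tuple[str, str, int, str]] = []
    for user, role in USERS.items():
        for path, allowed_roles in EXPECTED_ALLOW.items():
            status = fetch(user, path)
            should_allow = role in allowed_roles
            if should_allow and status != 200:
                violations.append((user, path, status, "legitimate access denied"))
            elif not should_allow and status == 200:
                violations.append((user, path, status, "unauthorised access granted"))
    return violations

if __name__ == "__main__":
    for violation in access_control_violations(toy_app):
        print("VIOLATION:", violation)
```

Running the block against the toy application reports the two non-admin users who can reach /admin/users; swapping `toy_app` for a callable that drives a real browser session keeps the test unchanged.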

