[WEB SECURITY] Security test case automation

Ward, Allan WardA at DNB.com
Thu Jan 23 05:04:00 EST 2014


SAST is best built into the code build process as an automated process, so all code submitted to the library gets static code analysis (SAST).

SAST scans code a little like a word spell checker, looking for coding errors that create vulnerabilities.
DAST runs on the running solution and can also be automated.

Manual pen testing should be included, but if you're not doing anything now then starting with SAST is a good start. You really do need to do all 3 activities to establish a good SSDLC process.
SAST tests for vulnerabilities in the early lifecycle.

If you want to go one stage further, you could deploy Cigital's secure assist, or a similar tool, onto the developers' / programmers' workstations. This will then highlight exposures as they create code, very early in the lifecycle.

Remember, the earlier you build security into your lifecycle the lower the cost to remediate, so secure requirements, and threat / attack modelling should be done before coding starts to identify the exposures, software flaws etc.
Take a look at the BSIMM for more information on building a Secure SDLC process, including testing or the OWASP CLASP model.

Allan

Allan Ward, Internal Controls & Compliance Specialist (SOX), Global Security and Risk, D&B, Marlow International, Parkway, Marlow, SL7 1AJ, (44) (0)1628 492709, warda at dnb.com<mailto:warda at dnb.com>

From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Stephen de Vries
Sent: 23 January 2014 09:50
To: Paul Johnston
Cc: websecurity at lists.webappsec.org
Subject: Re: [WEB SECURITY] Security test case automation


On 23 Jan 2014, at 10:44, Paul Johnston <paul.johnston at pentest.co.uk<mailto:paul.johnston at pentest.co.uk>> wrote:

What you cannot automate is the mindset of a hacker. Security is not just about checking for a known set of issues. It is about using creativity and intuition to think up new ways of attacking a particular application. So while doing your own QA using DAST/SAST is good, you should also include some manual penetration testing in your security programme.

...and once you've found vulnerabilities through a manual test you can record and automate those findings with a testing framework. Then you can re-run those same tests on your application periodically or even continuously to ensure that code changes to the app don't introduce security regressions.

Stephen

On 23/01/2014 04:30, vedantam sekhar wrote:
Hi group,
Need your help here. As part of the QA team, we will be writing security test cases and also executing them manually using the OWASP standard. However, I have been given the task of looking at the possibility of automating these test cases. Are there any tools/frameworks available for us to achieve this?
Thanks and Regards,

sekhar




_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org<mailto:websecurity at lists.webappsec.org>
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--

Pentest - The Application Security Specialists

Paul Johnston - IT Security Consultant / Tiger SST
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

We're exhibiting at Infosecurity Europe!
Stand K97, Earl's Court London - 29th April - 1st May

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
Accreditations: ISO 9001 (44/100/107029) / ISO 27001 (IS 558982) / Tiger Scheme
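Stephen's suggestion above (record a manual finding, then re-run it as an automated regression test) and sekhar's question about automating OWASP-style test cases can be illustrated in code. The following is an added example and not code from anyone in this thread: it builds a deliberately tiny "application" (a user search backed by SQLite and an HTML renderer), shows the vulnerable version a pen tester would have reported next to the fixed one, and encodes three constructed findings (SQL injection, reflected XSS, missing security headers) as unittest cases that can run in CI on every commit. All function names, payloads and findings are assumptions made for the illustration.

```python
"""Security regression tests derived from manual pentest findings.

Added example, not from the mailing-list thread. The application under test,
the findings and the payloads below are all constructed for illustration.
"""
import html
import io
import sqlite3
import unittest


# --- minimal application under test (constructed) ------------------------

def make_db():
    """In-memory SQLite database with a few constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def search_users_vulnerable(conn, name):
    """The 'before' state a pen tester reported: SQL built by string formatting."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def search_users_fixed(conn, name):
    """Parameterised query: the input can never change the statement structure."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_search_vulnerable(query):
    """Reflects the query into HTML unescaped (reflected XSS)."""
    return f"<p>Results for {query}</p>"


def render_search_fixed(query):
    """HTML-escapes the query before reflecting it."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def security_headers_fixed():
    """Response headers the fix is expected to send (constructed baseline)."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
    }


# --- findings recorded from a (constructed) manual test --------------------

SQLI_PAYLOAD = "' OR '1'='1"                # finding 1: name param returns all users
XSS_PAYLOAD = '"><script>alert(1)</script>'  # finding 2: query reflected unescaped


class SecurityRegressionTests(unittest.TestCase):
    """Each test pins one finding so a later code change cannot reintroduce it."""

    def setUp(self):
        self.conn = make_db()

    def test_sqli_in_name_param_stays_fixed(self):
        # The payload must be treated as a literal name that matches nobody.
        self.assertEqual(search_users_fixed(self.conn, SQLI_PAYLOAD), [])

    def test_reflected_xss_in_search_stays_fixed(self):
        # No raw script tag may survive in the rendered page.
        self.assertNotIn("<script>", render_search_fixed(XSS_PAYLOAD))

    def test_security_headers_present(self):
        headers = security_headers_fixed()
        self.assertEqual(headers.get("X-Content-Type-Options"), "nosniff")
        self.assertIn("Content-Security-Policy", headers)


def run_regression_suite():
    """Run the suite programmatically; returns (tests_run, failures_plus_errors)."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(SecurityRegressionTests)
    result = unittest.TextTestRunner(stream=io.StringIO(), verbosity=0).run(suite)
    return result.testsRun, len(result.failures) + len(result.errors)


if __name__ == "__main__":
    unittest.main()
```

The vulnerable variants are kept only so the difference is visible: against `search_users_vulnerable` the same payload returns every row, and `render_search_vulnerable` echoes the script tag. In a real code base only the fixed code ships and the test class is what stays behind, wired into the same CI job that runs the functional tests, which is the "periodically or even continuously" part of Stephen's point.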
