Practical Security Automation and Testing : Tools and Techniques for Automated Security Scanning and Testing in DevSecOps.
Security automation is the automatic handling of software security assessment tasks. This book helps you build your own security automation framework so that vulnerability scanning runs without human intervention.
| Field | Value |
|---|---|
| Classification | Electronic book |
| Main author | |
| Format | Electronic eBook |
| Language | English |
| Published | Birmingham : Packt Publishing Ltd, 2019. |
| Subjects | |
| Online access | Full text |
Table of Contents:
- Front matter: Cover; Title Page; Copyright and Credits; About Packt; Contributors; Table of Contents; Preface
- Chapter 1: The Scope and Challenges of Security Automation
  - The purposes and myths of security automation
    - Myth 1 - doesn't security testing require highly experienced pentesters?
    - Myth 2 - isn't it time-consuming to build an automation framework?
    - Myth 3 - there are no automation frameworks that are really feasible for security testing
  - The required skills and suggestions for security automation
  - General environment setup for coming labs
  - Summary; Questions; Further reading
- Chapter 2: Integrating Security and Automation
  - The domains of automation testing and security testing
  - Automation frameworks and techniques
    - UI functional testing for web, mobile, and Windows
    - HTTP API testing
    - HTTP mock server
    - White-box search with GREP-like tools
    - Behavior-driven development testing frameworks
    - Testing data generators
  - Automating existing security testing
  - Security testing with an existing automation framework
  - Summary; Questions; Further reading
- Chapter 3: Secure Code Inspection
  - Case study - automating a secure code review
  - Secure coding scanning service - SWAMP
    - Step 1 - adding a new package
    - Step 2 - running the assessment
    - Step 3 - viewing the results
  - Secure coding patterns for inspection
  - Quick and simple secure code scanning tools
  - Automatic secure code inspection script in Linux
    - Step 1 - downloading the CRASS
    - Step 2 - executing the code review audit scan
    - Step 3 - reviewing the results
  - Automatic secure code inspection tools for Windows
    - Step 1 - downloading VCG (Visual Code Grepper)
    - Step 2 - executing VCG
    - Step 3 - reviewing the VCG scanning results
  - Case study - XXE security
  - Case study - deserialization security issue
  - Summary; Questions; Further reading
- Chapter 4: Sensitive Information and Privacy Testing
  - The objective of sensitive information testing
  - PII discovery
  - Sensitive information discovery
  - Privacy search tools
  - Case study - weak encryption search
    - Step 1 - installing The Silver Searcher
    - Step 2 - executing the tool (using Windows as an example)
    - Step 3 - reviewing the results (using Windows as an example)
  - Case study - searching for a private key
    - Step 1 - calculating the entropy
    - Step 2 - searching for high-entropy strings
    - Step 3 - reviewing the results
  - Case study - website privacy inspection
    - Step 1 - visiting PrivacyScore or setting it up locally
    - Step 2 - reviewing the results
  - Summary; Questions; Further reading
- Chapter 5: Security API and Fuzz Testing
  - Automated security testing for every API release
  - Building your security API testing framework
  - Case study 1 - basic - web service testing with ZAP CLI
    - Step 1 - OWASP ZAP download and launch with port 8090
    - Step 2 - install the ZAP-CLI
    - Step 3 - execute the testing under ZAP-CLI
    - Step 4 - review the results
  - Case study 2 - intermediate - API testing with ZAP and JMeter
    - Step 1 - download JMeter
    - Step 2 - define HTTP request for the login
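The private-key case study in Chapter 4 (Step 1 - calculating the entropy, Step 2 - searching for high-entropy strings, Step 3 - reviewing the results) names a procedure that this catalog record does not spell out. The following is an added example of that procedure written for this record; it is not the book's code. The candidate character classes, the minimum token length, the thresholds (4.5 bits per character for base64-like tokens, 3.0 for hex-like tokens), the PEM-header regex and the sample text are all this example's own assumptions, and the sample values are constructed, not real credentials.

```python
"""Entropy-based secret search over text (added example, not the book's code).

Assumptions (this example's choices, not taken from the book): the candidate
character classes, the minimum token length, and the thresholds of 4.5 bits/char
for base64-like tokens and 3.0 bits/char for hex-like tokens.
"""
import math
import re
from collections import Counter

MIN_LEN = 20
# Step 2 tokeniser: base64-like runs. Hex is a subset of this alphabet, so a
# matched token is classified afterwards to pick the right threshold.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_LEN)
HEX_RE = re.compile(r"[0-9a-fA-F]+")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# A hex alphabet tops out at 4 bits/char, base64 at 6; thresholds sit below those.
THRESHOLDS = {"hex": 3.0, "base64": 4.5}


def shannon_entropy(s: str) -> float:
    """Step 1: Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify(token: str) -> str:
    """Return the alphabet a token belongs to so the matching threshold applies."""
    return "hex" if HEX_RE.fullmatch(token) else "base64"


def find_high_entropy_strings(text: str) -> list:
    """Step 2: scan text line by line; return tokens above threshold plus PEM markers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PEM_RE.finditer(line):
            findings.append({"line": lineno, "kind": "pem-header",
                             "entropy": None, "token": m.group(0)})
        for m in CANDIDATE_RE.finditer(line):
            token = m.group(0)
            kind = classify(token)
            h = shannon_entropy(token)
            if h >= THRESHOLDS[kind]:
                findings.append({"line": lineno, "kind": kind,
                                 "entropy": round(h, 2), "token": token})
    return findings


def report(findings: list) -> list:
    """Step 3: one review line per finding, with the candidate secret partially masked."""
    lines = []
    for f in findings:
        tok = f["token"]
        masked = tok if f["kind"] == "pem-header" else tok[:4] + "..." + tok[-4:]
        ent = "n/a" if f["entropy"] is None else "%.2f" % f["entropy"]
        lines.append("line %d [%s] entropy=%s %s" % (f["line"], f["kind"], ent, masked))
    return lines


# Constructed sample input (not real credentials): a random-looking API token, a
# hex session id and a PEM marker that should fire, plus a repeated-character
# build tag and ordinary prose that must not.
SAMPLE = """\
db_host = db.internal.example
api_token = k8Yd2XzQ7pLm4RvW9nTb1CjF6hGs0aEu
build_tag = AAAAAAAAAAAAAAAAAAAAAAAAAAAA
session_hex = 3f9a1c7e2b8d4f60a1c2e3d4b5a69788
-----BEGIN RSA PRIVATE KEY-----
comment = ordinary English prose about testing that should not be flagged
"""

if __name__ == "__main__":
    for line in report(find_high_entropy_strings(SAMPLE)):
        print(line)
```

Entropy measures how evenly characters are spread, not whether a string is secret: a long base64 encoding of English text can land below the threshold while a version hash lands above it, which is why the review step exists and why the report masks the token rather than printing it into a build log.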