Wednesday, 23 May 2012

Beyond Scanning: Automating Web Application Security Tests


Two new trends in web integration testing provide fresh tools to automate business logic and access control tests for web applications. These have traditionally been weak areas for web security scanning tools.
Security testing is often disconnected from the rest of the software development and testing phases. This talk will introduce attendees to three key concepts that allow security testing to be easily integrated into the development cycle.
  1. Behaviour Driven Design (BDD) and the easyb tool provide a simple solution to defining security requirements up front and then testing those requirements throughout the development cycle, e.g. by integrating them into a continuous build environment.
  2. Page Objects allow security tests to be separated from the web application. Traditional Selenium tests suffer from being brittle and difficult to maintain. Page Objects help solve that problem and allow the same set of security tests to be run unmodified on almost any web application. A suite of easyb security tests will be released that can be configured and executed on most web applications.
  3. Burp Intruder is a popular web app testing tool but is mostly used during manual testing. A new plugin will be released that exposes the Burp API over HTTP/JSON, which can then be used in automated test scripts.
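To make the second point concrete, here is an added example (not code from the talk, nor from the EasybSecurity or RestyBurp projects) of the Page Object idea applied to an access-control check. The specification "an anonymous session must not be shown a protected page" is written once against a small page-object interface and then run unmodified against two differently structured applications plus one that lacks the check. The applications, the `FakeApp` client and all URLs and page markers are constructed stand-ins for a real browser driver such as Selenium, so the script runs offline; easyb itself is a Groovy tool, and Python is used here only for a self-contained illustration.

```python
"""Page Object pattern applied to a reusable access-control specification.

Added example, not code from the talk or from EasybSecurity/RestyBurp.
FakeApp replaces a real browser/Selenium driver so everything runs offline;
all paths, markers and applications are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class FakeResponse:
    status: int
    body: str = ""
    location: Optional[str] = None   # Location header for redirects


class FakeApp:
    """Constructed stand-in for a web application: path -> handler(session)."""

    def __init__(self, routes: Dict[str, Callable[[dict], FakeResponse]]):
        self.routes = routes

    def get(self, path: str, session: dict) -> FakeResponse:
        handler = self.routes.get(path)
        return handler(session) if handler else FakeResponse(404)


class PageObject:
    """Base page object: knows where a page lives and how to recognise it.

    Subclasses set `path` (the URL) and `marker` (text proving the page was
    rendered). Tests talk only to this interface, never to URLs or markup,
    which is what lets one test run unmodified against many applications.
    """
    path = "/"
    marker = ""

    def __init__(self, app: FakeApp, session: dict):
        self.app, self.session = app, session
        self.response: Optional[FakeResponse] = None

    def open(self) -> "PageObject":
        self.response = self.app.get(self.path, self.session)
        return self

    def is_displayed(self) -> bool:
        r = self.response
        return r is not None and r.status == 200 and self.marker in r.body


def anonymous_cannot_view(protected: type, login: type, app: FakeApp) -> Tuple[bool, str]:
    """The reusable security specification, written once for any page-object pair.

    Passes when the protected page is refused to an anonymous session, either
    with 401/403 or with a redirect to the login page; fails if it is rendered.
    """
    page = protected(app, {"user": None}).open()
    r = page.response
    if page.is_displayed():
        return False, "protected page rendered for anonymous session"
    if r.status in (401, 403):
        return True, f"denied with HTTP {r.status}"
    if r.status in (301, 302, 303) and r.location == login.path:
        return True, "redirected to login page"
    return False, f"unexpected response {r.status} -> {r.location}"


# --- Application A (hypothetical): classic redirect to the login page -------
class AppALogin(PageObject):
    path, marker = "/login", "Sign in"

class AppAAdmin(PageObject):
    path, marker = "/admin", "Admin console"

app_a = FakeApp({
    "/login": lambda s: FakeResponse(200, "<h1>Sign in</h1>"),
    "/admin": lambda s: FakeResponse(200, "<h1>Admin console</h1>") if s["user"]
              else FakeResponse(302, location="/login"),
})

# --- Application B (hypothetical): different URLs, refuses with 403 ---------
class AppBLogin(PageObject):
    path, marker = "/account/login", "Please log in"

class AppBManage(PageObject):
    path, marker = "/manage", "Management"

app_b = FakeApp({
    "/account/login": lambda s: FakeResponse(200, "Please log in"),
    "/manage": lambda s: FakeResponse(200, "Management") if s["user"]
               else FakeResponse(403, "Forbidden"),
})

# --- Application C (hypothetical): same layout as A but no access check -----
app_c = FakeApp({
    "/login": lambda s: FakeResponse(200, "<h1>Sign in</h1>"),
    "/admin": lambda s: FakeResponse(200, "<h1>Admin console</h1>"),  # no check
})


def run_suite() -> Dict[str, Tuple[bool, str]]:
    """Run the single specification against every configured application."""
    return {
        "app_a": anonymous_cannot_view(AppAAdmin, AppALogin, app_a),
        "app_b": anonymous_cannot_view(AppBManage, AppBLogin, app_b),
        "app_c": anonymous_cannot_view(AppAAdmin, AppALogin, app_c),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_suite().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
```

Only the page-object subclasses change between applications; `anonymous_cannot_view` never does, which is the property the talk attributes to Page Objects. The deliberately unprotected application C shows the specification failing rather than silently passing, the outcome a continuous build would surface.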
Live code demonstrations will be used throughout to illustrate the concepts and introduce the tools.
Two new tools will be released:
  • EasybSecurity, a set of easyb specification and testing scripts that perform security testing on web applications.
  • RestyBurp, a RESTful interface over HTTP/JSON to the Burp testing tool that allows other applications to easily drive and communicate with Burp.
