Learn how to set up automated security testing

By Srikanth, April 24, 2018, in Artificial Intelligence

Why should we be concerned about security testing?

As our world revolves more and more around the web and technology, cyber security is becoming the biggest issue. Most software is complex in nature and can pose many different types of security hazards, ranging from bad coding to wrongly configured servers and everything in between. If an organization wants to solve these problems, everyone involved needs to stay aware of these issues and of how they relate to what they are working on.

To get software developers to think more seriously about security issues, principles and standards, a new movement called DevSecOps has started.

Testing the security of web-based applications can seem daunting even to an experienced developer. Building the skills and finding good information on security testing both seem like prolonged processes.

However, security testing is in fact similar to functionality testing in more than one way. The main difference between testing your application for functionality and for security is one of attitude or mindset. During a functionality test, you as a developer try to find out which features work well for the end user and which do not. You would probably try to prove that a particular set of features works as expected for an end user and does not get in the way of completing a task seamlessly. In the next step you would prioritise accordingly, giving more attention to the features that are used most often and by the most users. As a security tester, on the other hand, you would try to visualize your end user as an attacker who is trying to break into your application to steal important information.

Now, the problem for a security tester is that it is much easier to prove that a feature works than to prove that it is not vulnerable. A good starting point is to take a similar approach to prioritising: test each feature only against the most popular, most likely or simplest forms of attack.

Automated Vs Manual Testing

In the world of DevOps the principal element is automation: any repeatable or routine task could and should be automated to save time, money and human resources. We all know that automation ensures consistency in those routine tasks. However, to date, although about 40 percent of software testing is automated, most security-related software testing is still done manually and often late in the software development lifecycle.

The reasons for this are:

  • Companies perceive that manual testing cannot be replaced by automated testing. Experts in this field say that this perception may be true, but some amount of testing can be done automatically, and this helps manual testing to be more focused and to extract more value.
  • Apart from the mindset that automated security testing cannot be trusted, there is a general belief that deploying an automated security testing system in an organization is very expensive, which is not entirely true.
  • According to specialists, organizations tend to feel that implementing automated security testing is an overwhelming task, so they push it down their priority list.

Deploying automated security testing in practice could reap more benefits than assumed

An organization that decides to implement automated security testing can benefit in multiple ways, leaving aside speed and consistency. The organization needs to remember that security testing ought to be treated like any other software development and delivery activity. Those who incorporate automated security testing into their organizational workflow experience additional benefits: consistency, effectiveness and an increase in velocity.

In an automated security testing environment, testing is completed with the same level of efficiency every time and without subjective influence. It also supports communication between teams, which helps ensure that the whole company is protected and compliant.

Automated security testing can be categorised as follows.

  1. Functional Security Tests

These tests verify that security features such as logout and authentication work as expected. They can easily be automated with existing acceptance-testing automation tools such as Selenium / WebDriver.

  2. Specific or targeted non-functional tests against known vulnerabilities

Another field well suited to automation is known weaknesses and misconfigurations, such as the use of weak SSL suites and ciphers or the lack of the HttpOnly flag on session cookies. These can be tested automatically because they can be specified up front. Since these tests cover non-functional aspects of the software, they need access to the HTTP layer, which a browser automation tool alone cannot provide. So you need a hybrid approach: browser automation combined with a proxy server, and probably the best combination is WebDriver with OWASP ZAP.
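The HttpOnly check described above, written as an added example that is not from the article or from any of the tools it names. The names `audit_session_cookies`, `audit_security_headers`, `MisconfiguredHandler` and `scan_local_demo` are this example's own, the list of session cookie names and expected security headers is an assumption you would tune per application, and Python's built-in `http.server` stands in for the application under test so the whole thing runs offline. In a real pipeline the same two audit functions would be fed the responses captured by the proxy (ZAP) while WebDriver drives the browser.

```python
"""Audit Set-Cookie flags and security headers at the HTTP layer (added example)."""
import http.server
import threading
import urllib.request
from http.cookies import SimpleCookie

# Cookie names treated as session cookies (assumption; extend per application).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}

# Response headers a hardened application is expected to send (assumption).
EXPECTED_HEADERS = {
    "strict-transport-security": "missing Strict-Transport-Security",
    "x-content-type-options": "missing X-Content-Type-Options",
    "content-security-policy": "missing Content-Security-Policy",
}


def audit_session_cookies(set_cookie_values):
    """Return findings for session cookies lacking HttpOnly, Secure or a strict SameSite."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name.lower() not in SESSION_COOKIE_NAMES:
                continue  # preference cookies (theme, locale, ...) are out of scope
            if not morsel["httponly"]:
                findings.append(f"{name}: missing HttpOnly")
            if not morsel["secure"]:
                findings.append(f"{name}: missing Secure")
            if morsel["samesite"].lower() not in ("lax", "strict"):
                findings.append(f"{name}: SameSite not Lax/Strict")
    return findings


def audit_security_headers(headers):
    """Return findings for expected security headers absent from a header mapping."""
    present = {k.lower() for k in headers}
    return [msg for key, msg in EXPECTED_HEADERS.items() if key not in present]


class MisconfiguredHandler(http.server.BaseHTTPRequestHandler):
    """Constructed target: a login endpoint that sets a session cookie without flags."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", "sessionid=c0ffee; Path=/")  # deliberately weak
        self.send_header("Set-Cookie", "theme=dark; Path=/")        # harmless preference
        self.end_headers()
        self.wfile.write(b"<html><body>logged in</body></html>")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def scan_local_demo():
    """Serve the constructed target on a free loopback port, fetch /login, audit, stop."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MisconfiguredHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}/login") as resp:
            cookies = resp.headers.get_all("Set-Cookie") or []
            headers = dict(resp.headers.items())
    finally:
        server.shutdown()
        server.server_close()
    return audit_session_cookies(cookies) + audit_security_headers(headers)


if __name__ == "__main__":
    for finding in scan_local_demo():
        print("FINDING:", finding)
```

Because the checks operate on raw header values rather than on what the browser exposes, they catch exactly the class of problem a WebDriver-only test cannot see: a browser hides HttpOnly cookies from scripts by design, so only the proxy side of the hybrid setup can verify the flag is present.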

  3. Scanning of the application and infrastructure

Usually, every manual penetration test starts with an automated scan using tools like Nessus, Burp and OWASP ZAP. However, there are significant differences between these tools. Nessus cannot scan any content or functionality beyond a login form and cannot navigate through a web wizard.

On the other hand, Burp Intruder and OWASP ZAP are true application scanners: they inspect and check at the HTTP layer by injecting attack data into parameters and evaluating the application's response. Used properly, these tools provide in-depth security scanning; if they are simply run as an unattended automated test, there is a chance that they will not test all the content deeply.

To run an automated application scan successfully, ensure that all the content to be scanned has been navigated through the scanning tool and populated in it before starting the scan.
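The "seed first, then scan, then decide" flow above, written as an added example that is not from the article or from the ZAP project. It assumes a ZAP instance already running with its API enabled and the `zaproxy` Python client installed (imported lazily, so the triage helpers run without ZAP); the client calls used (`urlopen`, `spider.scan`, `spider.status`, `ascan.scan`, `ascan.status`, `core.alerts`) are the ZAP API as I know it, the `risk` and `alert` keys on alert records are an assumption about its output, and `run_zap_scan`, `build_should_fail`, `summarise` and the `SAMPLE_ALERTS` table are this example's own constructed names and data.

```python
"""Drive an OWASP ZAP scan and gate a CI build on the alerts (added example)."""
import time

# Risk levels as ZAP labels them on alert records (assumption).
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def build_should_fail(alerts, threshold="High"):
    """Return (fail, offending): offending lists alerts at or above the threshold.

    `alerts` is a list of dicts carrying at least 'risk' and 'alert' keys,
    the shape assumed for what ZAP's core.alerts() returns.
    """
    floor = RISK_ORDER[threshold]
    offending = [
        a for a in alerts
        if RISK_ORDER.get(a.get("risk", "Informational"), 0) >= floor
    ]
    return bool(offending), offending


def summarise(alerts):
    """Count alerts per risk level so the pipeline log shows the shape of the result."""
    counts = {level: 0 for level in RISK_ORDER}
    for a in alerts:
        level = a.get("risk", "Informational")
        counts[level] = counts.get(level, 0) + 1
    return counts


def run_zap_scan(target, api_key, proxy="http://127.0.0.1:8080", seed_urls=()):
    """Seed ZAP's view of the site, spider, actively scan, return alerts. Needs a live ZAP."""
    from zapv2 import ZAPv2  # lazy import: the triage helpers above work without ZAP
    zap = ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})
    # ZAP only scans what it has seen: pages the spider cannot reach (behind a
    # login or a multi-step wizard) must be visited through the proxy beforehand.
    for url in seed_urls:
        zap.urlopen(url)
    scan_id = zap.spider.scan(target)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(2)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)
    return zap.core.alerts(baseurl=target)


# Constructed sample in the assumed alert shape, so the gate can be exercised offline.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "http://app.example/search"},
    {"risk": "Medium", "alert": "Missing Anti-clickjacking Header", "url": "http://app.example/"},
    {"risk": "Low", "alert": "Cookie Without Secure Flag", "url": "http://app.example/login"},
    {"risk": "Informational", "alert": "Information Disclosure - Comments", "url": "http://app.example/"},
]


if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with run_zap_scan("http://app.example", "<api key>") for a real run.
    fail, offending = build_should_fail(SAMPLE_ALERTS, threshold="High")
    print("summary:", summarise(SAMPLE_ALERTS))
    for a in offending:
        print("BLOCKING:", a["risk"], a["alert"], a["url"])
    raise SystemExit(1 if fail else 0)
```

The threshold is the policy knob: a team adopting scanning late in the lifecycle can start by failing only on High, then lower it to Medium once the existing backlog is cleared, without changing the scan itself.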

  4. Testing the application's logic

Automated security testing tools can only detect implementation flaws; flaws in an application's logic need human intelligence at the time the tests are written. An automated scanner sees no difference between an online auction and an online banking site, but to a human these are two completely different beasts with different functionality. So a human security tester may try to test the following:

  • Can the HTTP request be manipulated to place a bid after bidding for an item has ended?
  • Can the HTTP request be manipulated to set a higher bid amount and then modify it to a lower amount before the auction ends?
  • Can money be transferred to someone else's account using a negative amount?

Finding such possibilities requires creativity and experience, but once an attack is defined it too can be recorded and replayed as an automated test later on.
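An added example, not from the article, of what "recording" these cases looks like once a human has defined them, covering the three auction and banking questions above and the logout check from the functional security tests in category 1. `AuctionService`, `Bank`, `SessionStore`, `RejectedRequest`, the `ATTACK_CASES` table and `replay` are constructed for illustration; each service takes an `enforce_rules` switch so the same recorded cases can be run against a variant that keeps the defect the question describes and against the hardened variant, which is how a regression harness proves the fix holds.

```python
"""Replay recorded business-logic and logout abuse cases as regression tests (added example)."""
from decimal import Decimal


class RejectedRequest(Exception):
    """Raised when a service refuses a request; the harness treats this as the safe outcome."""


class AuctionService:
    def __init__(self, now, enforce_rules=True):
        self.now = now                      # injectable clock so a case can move past the deadline
        self.enforce_rules = enforce_rules  # False reproduces the defect, True is the hardened path
        self.ends_at = {"vase": 100}        # constructed auction ending at t=100
        self.highest_bid = {"vase": Decimal("50")}

    def bid(self, item, amount):
        if self.enforce_rules:
            if self.now() > self.ends_at[item]:
                raise RejectedRequest("bidding has ended")
            if amount <= self.highest_bid[item]:
                raise RejectedRequest("bid must exceed the current highest bid")
        self.highest_bid[item] = amount     # the unchecked path accepts late and lowered bids
        return self.highest_bid[item]


class Bank:
    def __init__(self, enforce_rules=True):
        self.enforce_rules = enforce_rules
        self.balances = {"alice": Decimal("100"), "bob": Decimal("100")}

    def transfer(self, src, dst, amount):
        if self.enforce_rules:
            if amount <= 0:
                raise RejectedRequest("amount must be positive")
            if self.balances[src] < amount:
                raise RejectedRequest("insufficient funds")
        self.balances[src] -= amount        # a negative amount here silently pulls money from dst
        self.balances[dst] += amount
        return self.balances[src]


class SessionStore:
    def __init__(self, enforce_rules=True):
        self.enforce_rules = enforce_rules
        self.active = set()

    def login(self, user):
        token = f"tok-{user}"               # constructed, non-random token for the demo only
        self.active.add(token)
        return token

    def logout(self, token):
        if self.enforce_rules:
            self.active.discard(token)      # hardened: logout invalidates the session server-side

    def whoami(self, token):
        if token not in self.active:
            raise RejectedRequest("session not active")
        return token[len("tok-"):]


# Each recorded case drives the service the way the manipulated request would;
# the harness only cares whether the service raises RejectedRequest.
def bid_after_auction_ended(enforce):
    AuctionService(now=lambda: 101, enforce_rules=enforce).bid("vase", Decimal("60"))


def lower_bid_before_end(enforce):
    svc = AuctionService(now=lambda: 50, enforce_rules=enforce)
    svc.bid("vase", Decimal("80"))
    svc.bid("vase", Decimal("10"))


def negative_transfer(enforce):
    Bank(enforce_rules=enforce).transfer("alice", "bob", Decimal("-40"))


def session_used_after_logout(enforce):
    store = SessionStore(enforce_rules=enforce)
    token = store.login("alice")
    store.logout(token)
    store.whoami(token)


ATTACK_CASES = {
    "bid after auction ended": bid_after_auction_ended,
    "lower the bid before the auction ends": lower_bid_before_end,
    "transfer a negative amount": negative_transfer,
    "reuse a session after logout": session_used_after_logout,
}


def replay(enforce_rules):
    """Replay every recorded case; return the names of cases the service wrongly accepted."""
    accepted = []
    for name, case in ATTACK_CASES.items():
        try:
            case(enforce_rules)
        except RejectedRequest:
            continue                        # rejected: the control held
        accepted.append(name)
    return accepted


if __name__ == "__main__":
    print("unchecked variant accepted:", replay(enforce_rules=False))
    print("hardened variant accepted:", replay(enforce_rules=True))
```

Against a live application the case functions would send the manipulated HTTP requests instead of calling methods, but the table-plus-replay shape stays the same, which is what makes it cheap to run alongside the acceptance tests on every build.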

How to set up before running the tests

It may seem daunting at first, but it is not necessary to deploy all the steps mentioned above at once. Steps 2 and 3 give the most security value for the time invested, and since they identify many common security weaknesses that a normal development process misses, implementing these two steps first is a good start.

Secondly, the organisation can choose any testing framework to orchestrate and run these tests, but it is always wiser to choose one with which the development, operations and security teams are comfortable and which integrates easily with the organisation's CI/CD server. BDD frameworks are a good option, as they use natural language to define the testing steps, which means they can be understood instantly by a large audience.

When or how frequently to run the tests

Automated tests are very low cost, so it is best to run them as early as possible in the development process; ideally they run alongside the automated acceptance tests.
