Know How to Automate Your Security Test Cases
Profession - To Earn
- Security Analyst Consultant @Arogya.ai
Passion - To Learn
- Secure Coding Trainer @SCADEMY - Secure Coding Academy
Hobby - To Have Fun
- Winja Community Volunteer
- Speaker at conferences, including BSides, c0c0n, Nullcon, ISC2, HITB, TexasCyber, Wicked6
What's My Problem?!
- Short attention span
- Exploring new things is interesting, but repeating steps mindlessly feels dull and a waste of time
- Paperwork feels like climbing a mountain
- There are too many tools to choose from. Can we consolidate the output from different tools into the final report, automatically?
- Some tools are too restrictive or too costly
- Wish I could tell a tool exactly what to do, and tweak it easily if I want to!
What is SecQAtion?
- Use open source tools, with zero cost involved
- Dockerize the entire test environment, so that the focus can shift to improving test scenarios without worrying about environment setup
- Follow a behavior-driven testing approach for easy readability and understandability
- Use an automation framework that is easy to follow, efficient and highly customizable
- Auto-generate the test report
Security Testing Approach
Security vs. Functional Testing
Functional testing:
- Document test scenarios
- Navigate through different URL paths
- Invoke each and every functionality
- Compare expected and actual output
- Generate test report
Security testing:
- Identify attack vectors
- Identify attack points
- Prepare attack payloads
- Invoke functionality, but with malicious inputs
- Confirm vulnerability
Things you need to get started with SecQAtion:
Patience and Passion | Within You! | Priceless
An Example Setup
Demo: Web Crawling
About Robot Framework
- A generic open source automation framework
- Can be integrated with virtually any other tool to create powerful and flexible automation solutions
- Easy syntax, utilizing human-readable keywords
- Capabilities can be extended by libraries implemented in Python, Java, etc.
- A rich ecosystem of libraries and tools that are developed as separate projects
- Free to use, without licensing costs
- Can be used for both simple and complex scenarios
Define Test Cases
View and Share Test Report
Test Case Execution
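The "Security vs. Functional Testing" steps and the Robot Framework bullets above come together in a keyword library: Robot Framework loads a plain Python class and exposes each public method as a human-readable keyword, so a security check is written once and reused across behavior-driven test cases. The block below is an added example, not SecQAtion's own code or anything from the Robot Framework project. It assumes a hypothetical library file name (security_keywords.py) and the test suite shown in its docstring; the small HTTP server inside it is a constructed stand-in for the system under test so that the file runs offline, with one endpoint that encodes user input correctly and one that reflects it raw.

```python
"""Added example (not SecQAtion's own code): a Robot Framework keyword library
written in plain Python. Robot Framework imports any Python class as a library
and exposes each public method as a keyword, so the BDD-style suite below
(hypothetical file name security_keywords.py) needs no glue code:

    *** Settings ***
    Library    security_keywords.py    ${BASE_URL}

    *** Test Cases ***
    Search Must Not Reflect Unencoded Input
        Send Marker To Endpoint    /search    q
        Response Should Encode The Marker

    Home Page Must Send A Content Type Header
        Get Path    /
        Response Header Should Be Present    Content-Type

The HTTP server further down is a constructed stand-in for the system under
test so that the file runs offline.
"""
import html
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Harmless marker string: if it comes back byte-for-byte, the endpoint reflects
# input without output encoding. It is a detection probe, not an exploit.
MARKER = "<sec-qa-marker>"


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed system under test: /search encodes input, /legacy does not."""

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(parsed.query).get("q", [""])[0]
        if parsed.path == "/search":
            body = f"<p>Results for {html.escape(q)}</p>"   # correct: encoded
        elif parsed.path == "/legacy":
            body = f"<p>Results for {q}</p>"                # defect: raw reflection
        else:
            body = "<p>home</p>"
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the test run quiet
        pass


def start_demo_server():
    """Start the stand-in application on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


class security_keywords:
    """Keyword library. One instance lives for the whole suite and keeps the
    last response, so assertion keywords can inspect what the request keyword saw."""

    ROBOT_LIBRARY_SCOPE = "SUITE"

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.status, self.headers, self.body = None, {}, ""

    def get_path(self, path, **params):
        """Keyword 'Get Path': request a path, optional query params as name=value."""
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=5) as resp:
            self.status = resp.status
            self.headers = {k.lower(): v for k, v in resp.headers.items()}
            self.body = resp.read().decode("utf-8", "replace")
        return self.status

    def send_marker_to_endpoint(self, path, param):
        """Keyword 'Send Marker To Endpoint': submit the marker in one parameter."""
        return self.get_path(path, **{param: MARKER})

    def response_should_encode_the_marker(self):
        """Robot keywords fail by raising; a raw marker in the body is a finding."""
        if MARKER in self.body:
            raise AssertionError(f"unencoded reflection of {MARKER!r} in response")
        return True

    def response_header_should_be_present(self, name):
        """Keyword 'Response Header Should Be Present': returns the header value."""
        if name.lower() not in self.headers:
            raise AssertionError(f"missing response header {name}")
        return self.headers[name.lower()]


if __name__ == "__main__":
    server, base_url = start_demo_server()
    lib = security_keywords(base_url)
    lib.send_marker_to_endpoint("/search", "q")
    print("/search encodes the marker:", lib.response_should_encode_the_marker())
    server.shutdown()
```

The keyword names are the method names with underscores replaced by spaces, which is what makes the `.robot` suite read like a test scenario document. The same library run against a Dockerized target only needs a different `${BASE_URL}`; the assertion keywords raise on a failed check, so Robot Framework's generated report marks the case as failed and carries the message, which is what turns a security check into a reviewable test result rather than a manual note.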
So, what next?
Beyond authenticated crawling...
- While confirming a vulnerability, you might have to repeat a very specific flow with precise inputs and minor variations. Automation makes sense, but only if automating that flow isn't itself too time consuming.
- Consolidate outputs from different tools
- Generate a consolidated report automatically in a human-readable fashion
- Integrate the customized security tests into your CI/CD pipeline
- Leverage existing functional automation test cases and guarantee wider coverage
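The two bullets about consolidating outputs from different tools and generating one human-readable report come down to a normalization step: each tool names the same weakness differently, scores severity on its own scale, and may or may not include the query string in the URL. The following block is an added example, not SecQAtion's own code. The two scanner outputs ("alpha" emitting JSON, "beta" emitting CSV) are constructed for this example and are not the output of any real tool; the category and severity mapping tables are assumptions about how such vocabularies could be aligned.

```python
import csv
import io
import json
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample outputs for two hypothetical scanners ("alpha" emits JSON,
# "beta" emits CSV). Neither is the output of a real tool.
ALPHA_JSON = """{"alerts": [
  {"name": "Reflected Cross-Site Scripting", "risk": "High",
   "url": "http://app.example/search?q=1", "param": "q"},
  {"name": "Missing Content-Security-Policy Header", "risk": "Low",
   "url": "http://app.example/", "param": ""}
]}"""
BETA_CSV = """check,severity,url,parameter
xss-reflected,3,http://app.example/search,q
missing-csp,1,http://app.example/,
sql-injection,4,http://app.example/item?id=5,id
"""

# Assumed alias tables: each tool's vocabulary mapped onto one shared list of
# categories, and beta's numeric scale mapped onto named severities.
ALPHA_CATEGORIES = {
    "Reflected Cross-Site Scripting": "reflected-xss",
    "Missing Content-Security-Policy Header": "missing-csp",
}
BETA_CATEGORIES = {"xss-reflected": "reflected-xss", "missing-csp": "missing-csp",
                   "sql-injection": "sql-injection"}
BETA_SEVERITIES = {"1": "low", "2": "medium", "3": "high", "4": "critical"}
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]


@dataclass
class Finding:
    tool: str
    category: str
    severity: str
    url: str
    parameter: str


def severity_rank(severity):
    """Lower is worse; anything outside the known scale sorts last."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def normalize_url(url):
    """Drop query string and fragment so the same endpoint keys the same finding."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def parse_alpha(text):
    """JSON scanner output -> Finding list; unknown names keep the tool's own label."""
    return [Finding("alpha", ALPHA_CATEGORIES.get(a["name"], a["name"]),
                    a["risk"].lower(), normalize_url(a["url"]), a["param"])
            for a in json.loads(text)["alerts"]]


def parse_beta(text):
    """CSV scanner output -> Finding list; unknown severities become 'info'."""
    return [Finding("beta", BETA_CATEGORIES.get(r["check"], r["check"]),
                    BETA_SEVERITIES.get(r["severity"], "info"),
                    normalize_url(r["url"]), r["parameter"])
            for r in csv.DictReader(io.StringIO(text))]


def consolidate(findings):
    """Merge findings sharing (category, url, parameter): keep the worst severity,
    remember every tool that reported it, and sort worst-first."""
    merged = {}
    for f in findings:
        key = (f.category, f.url, f.parameter)
        entry = merged.setdefault(key, {"category": f.category, "url": f.url,
                                        "parameter": f.parameter,
                                        "severity": f.severity, "tools": []})
        if f.tool not in entry["tools"]:
            entry["tools"].append(f.tool)
        if severity_rank(f.severity) < severity_rank(entry["severity"]):
            entry["severity"] = f.severity
    return sorted(merged.values(),
                  key=lambda e: (severity_rank(e["severity"]), e["url"]))


def render_report(entries):
    """Plain-text report, one line per consolidated finding."""
    lines = [f"{len(entries)} unique findings", ""]
    for e in entries:
        lines.append(f"[{e['severity'].upper()}] {e['category']} at {e['url']}"
                     f" (param: {e['parameter'] or '-'})"
                     f" reported by {', '.join(sorted(e['tools']))}")
    return "\n".join(lines)


def build_report():
    return render_report(consolidate(parse_alpha(ALPHA_JSON) + parse_beta(BETA_CSV)))


if __name__ == "__main__":
    print(build_report())
```

The merge key deliberately ignores the tool name, so a finding both scanners agree on appears once with both tools listed, while a finding only one scanner saw is kept rather than dropped. The alias tables are the part that needs maintenance in practice: a category one tool reports under a name not yet in its table is carried through under the tool's own label, which shows up in the report as a one-off entry and flags the gap instead of silently duplicating a finding.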
By Riddhi Shree Chaurasia