SecQAtion
Know How to Automate Your Security Test Cases
Myself: Riddhi
Security Analyst Consultant @Arogya.ai
1
Profession - To Earn
Secure Coding Trainer @SCADEMY - Secure Coding Academy
2
Passion - To Learn
- Winja Community Volunteer
- Speaker at conferences, including BSides, c0c0n, Nullcon, ISC2, HITB, TexasCyber, Wicked6
3
Hobby - To Have Fun
Twitter: @_riddhishree
LinkedIn: @riddhi-shree-001
- Short attention span
- Exploring new things is interesting, but, repeating steps mindlessly feels dull and a waste of time
- Paperwork feels like climbing a mountain
- There are too many tools to choose from. Can we consolidate the output from different tools in the final report, automatically?
- Some tools are too restrictive or too costly
- Wish I could tell a tool exactly what to do! Tweak it easily, if I want to.
What's My Problem?!
- Use open source tools, with zero cost involved
- Dockerize the entire test environment, so that the focus can shift to improving test scenarios without worrying about environment setup
- Follow behavior-driven testing approach for easy readability and understandability
- Use an automation framework that is easy to follow, efficient and highly customizable
- Auto-generate test report
The Solution
- Security Testing and Quality Assurance Automation
- Security testing happens (almost) everywhere
- Functional testing happens everywhere
- They are different, yet similar! Can we identify the common actions and automate them?
What is SecQAtion?
Security Testing Approach
- Browse
- Analyze
- Prepare
- Attack
- Confirm
- Report
Security vs. Functional Testing
- Document test scenarios
- Navigate through different URL paths
- Invoke each and every functionality
- Compare expected and actual output
- Generate test report
COMMON
DIFFERENCE
- Identify attack vectors
- Identify attack points
- Prepare attack payloads
- Invoke functionality, but with malicious inputs
- Confirm vulnerability
Things you need, to get started with SecQAtion:
| Tool/Knowledge | Link | Cost |
|---|---|---|
| Robot Framework | robotframework.org | Free |
| Docker | www.docker.com | Free |
| mitmproxy | mitmproxy.org | Free |
| GitHub | github.com | Free |
| Jenkins | www.jenkins.io | Free |
| XPath | www.toolsqa.com/selenium-webdriver/xpath-in-selenium | Free |
| Patience and Passion | Within You! | Priceless |
An Example Setup
Demo: Web Crawling
- A generic open source automation framework
- Can be integrated with virtually any other tool to create powerful and flexible automation solutions
- Easy syntax, utilizing human-readable keywords
- Capabilities can be extended by libraries implemented with Python, Java, etc.
- Rich ecosystem consists of libraries and tools that are developed as separate projects
- Free to use without licensing costs
- Can be used for both, simple and complex scenarios
About Robot Framework
Key Elements
1
Define Variables
3
Define Test Cases
5
View and Share Test Report
2
Define Keywords
4
Test Case Execution
*** Variables ***
Readymade vs. Custom Keywords
*** Keywords ***
*** Test Cases ***
Test Report
Useful Links
So, what next?
Beyond authenticated crawling...
Practical Scenarios
- While confirming a vulnerability, you might have to repeat a very specific flow with precise inputs and minor variations. Automation makes sense, but only if it itself isn't too time consuming.
- Consolidate outputs from different tools
- Generate a consolidated report automatically in a human-readable fashion
- Integrate the customized security tests into your CI/CD pipeline
- Leverage existing functional automation test cases and guarantee wider coverage