SecQAtion

Know How to Automate Your Security Test Cases

Myself: Riddhi

Security Analyst Consultant @Arogya.ai

1

Profession - To Earn

Secure Coding Trainer @SCADEMY - Secure Coding Academy

2

Passion - To Learn

  • Winja Community Volunteer
  • Speaker at conferences, including BSides, c0c0n, Nullcon, ISC2, HITB, TexasCyber, Wicked6

3

Hobby - To Have Fun

Twitter: @_riddhishree

LinkedIn: @riddhi-shree-001

  • Short attention span
  • Exploring new things is interesting, but, repeating steps mindlessly feels dull and a waste of time
  • Paperwork feels like climbing a mountain
  • There are too many tools to choose from. Can we consolidate the output from different tools in the final report, automatically?
  • Some tools are too restrictive or too costly​
  • Wish I could tell a tool exactly what to do! Tweak it easily, if I want to.

What's My Problem?!

  1. Use open source tools, with zero cost involved
  2. Dockerize the entire test environment, so that the focus can shift to improving test scenarios without worrying about environment setup
  3. Follow behavior-driven testing approach for easy readability and understandability
  4. Use an automation framework that is easy to follow, efficient and highly customizable
  5. Auto-generate test report

The Solution

  • Security Testing and Quality Assurance Automation
  • Security testing happens (almost) everywhere
  • Functional testing happens everywhere
  • They are different, yet similar! Can we identify the common actions and automate them?

What is SecQAtion?

Security Testing Approach

  1. Browse
  2. Analyze
  3. Prepare
  4. Attack
  5. Confirm
  6. Report

Security vs. Functional Testing

  • Document test scenarios
  • Navigate through different URL paths
  • Invoke each and every functionality
  • Compare expected and actual output
  • Generate test report

COMMON

DIFFERENCE

  • Identify attack vectors
  • Identify attack points
  • Prepare attack payloads
  • Invoke functionality, but with malicious inputs
  • Confirm vulnerability

Things you need, to get started with SecQAtion:

Tool/Knowledge Link Cost
Robot Framework robotframework.org Free
Docker www.docker.com Free
mitmproxy mitmproxy.org Free
GitHub github.com Free
Jenkins www.jenkins.io Free
XPath www.toolsqa.com/selenium-webdriver/xpath-in-selenium Free
Patience and Passion Within You! Priceless

An Example Setup

Demo: Web Crawling

  • A generic open source automation framework
  • Can be integrated with virtually any other tool to create powerful and flexible automation solutions
  • Easy syntax, utilizing human-readable keywords
  • Capabilities can be extended by libraries implemented with Python, Java, etc.
  • Rich ecosystem consists of libraries and tools that are developed as separate projects
  • Free to use without licensing costs
  • Can be used for both, simple and complex scenarios

About Robot Framework

Key Elements

1

Define Variables

3

Define Test Cases

5

View and Share Test Report

2

Define Keywords

4

Test Case Execution

*** Variables ***

Readymade vs. Custom Keywords

*** Keywords ***

*** Test Cases ***

Test Report

Useful Links

So, what next?

Beyond authenticated crawling...

Practical Scenarios

  1. While confirming a vulnerability, you might have to repeat a very specific flow with precise inputs and minor variations. Automation makes sense, but only if it itself isn't too time consuming.
  2. Consolidate outputs from different tools 
  3. Generate a consolidated report automatically in a human-readable fashion
  4. Integrate the customized security tests into your CI/CD pipeline
  5. Leverage existing functional automation test cases and guarantee wider coverage

Thank You!

Questions?