Детальная информация

Security automation is the automatic handling of software security assessments tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention.

• Cover
• Title Page
• Copyright and Credits
• About Packt
• Contributors
• Table of Contents
• Preface
• Chapter 1: The Scope and Challenges of Security Automation
  • The purposes and myths of security automation
    • Myth 1 – doesn't security testing require highly experienced pentesters?
    • Myth 2 – isn't it time-consuming to build an automation framework?
    • Myth 3 – there are no automation frameworks that are really feasible for security testing
  • The required skills and suggestions for security automation
  • General environment setup for coming labs
  • Summary
  • Questions
  • Further reading
• Chapter 2: Integrating Security and Automation
  • The domains of automation testing and security testing
  • Automation frameworks and techniques
    • UI functional testing for web, mobile, and windows
    • HTTP API testing
    • HTTP mock server
    • White-box search with GREP-like tools
    • Behavior-driven development testing frameworks
    • Testing data generators
  • Automating existing security testing
  • Security testing with an existing automation framework
  • Summary
  • Questions
  • Further reading
• Chapter 3: Secure Code Inspection
  • Case study – automating a secure code review
    • Secure coding scanning service – SWAMP
    • Step 1 – adding a new package
    • Step 2 – running the assessment
    • Step 3 – viewing the results
  • Secure coding patterns for inspection
  • Quick and simple secure code scanning tools
    • Automatic secure code inspection script in Linux
      • Step 1 – downloading the CRASS
      • Step 2 – executing the code review audit scan
      • Step 3 – reviewing the results
    • Automatic secure code inspection tools for Windows
      • Step – downloading VCG (Visual Code Grepper)
      • Step 2: Executing VCG
      • Step 3: Reviewing the VCG scanning results
  • Case study – XXE security
  • Case study – deserialization security issue
  • Summary
  •  Questions
  • Further reading
• Chapter 4: Sensitive Information and Privacy Testing
  • The objective of sensitive information testing
    • PII discovery
    • Sensitive information discovery
    • Privacy search tools
  • Case study – weak encryption search
    • Step 1 – installing The Silver Searcher
    • Step 2 – executing the tool (using Windows as an example)
    • Step 3 – reviewing the results (using Windows as an example)
  • Case study – searching for a private key
    • Step 1 – calculating the entropy
    • Step 2 – Searching for high-entropy strings
    • Step 3 – Reviewing the results
  • Case study – website privacy inspection
    • Step 1 – visiting PrivacyScore or setting it up locally
    • Step 2 – reviewing the results
  • Summary
  • Questions
  • Further reading
• Chapter 5: Security API and Fuzz Testing
  • Automated security testing for every API release
  • Building your security API testing framework
    • Case study 1 – basic – web service testing with ZAP CLI
      • Step 1 – OWASP ZAP download and launch with port 8090
      • Step 2 – install the ZAP-CLI
      • Step 3 – execute the testing under ZAP-CLI
      • Step 4 – review the results
    • Case study 2 – intermediate – API testing with ZAP and JMeter
      • Step 1 – download JMeter
      • Step 2 – define HTTP request for the login
      • Step 4 – execute the JMeter script
      • Step 3 – review the results in ZAP
    • Case study 3 – advanced – parameterized security payload with fuzz
      • Step 1 – download the SQL injection data
      • Step 2 – define the CSV dataset in JMeter
      • Step 3 – apply the variable name
      • Step 4 – specify the loop
      • Step 5 – execute JMeter and review the security assessment results
    • Case study 4 – security testing with ZAP Open/SOAP API
      • Step 1 – install the OpenAPI and SOAP API add-ons
      • Step 2 – import the API definition
      • Step 3 – execute the active security scanning
      • Step 4 – present the security assessments
  • Summary
  • Questions
  • Further reading
• Chapter 6: Web Application Security Testing
  • Case study – online shopping site for automated security inspection
  • Case 1 – web security testing using the ZAP REST API
    • Step 1 – spider scanning the website
    • Step 2 – active scanning the website
    • Step 3 – reviewing the status of the active scan
    • Step 4 – reviewing the security assessments
  • Case 2 – full automation with CURL and the ZAP daemon
    • Step 1 – executing ZAP in daemon (headless) mode
    • Step 2 – checking the status of the ZAP daemon
    • Step 3 – fully automating the ZAP API
  • Case 3 – automated security testing for the user registration flow with Selenium
    • Step 1 – installation of SeleniumBase
    • Step 2 – launching ZAP with proxy 8090
    • Step 3 – executing the user registration flow automation
    • Step 4 – active scanning the identified URLs
    • Step 5 – reviewing the security assessments
  • Summary
  • Questions
  • Further reading
• Chapter 7: Android Security Testing
  • Android security review best practices
  • Secure source code review patterns for Android
  • Privacy and sensitive information review
    • Privacy scanning with Androwarn
      • Step 1 – scanning of an APK
      • Step 2 – review the report
  • General process of APK security analysis
    • Step 1 – use APKTool to reverse the APK to Manifest.xml, Smali and resources
    • Step 2 – use JADX to reverse the APK into Java source code
    • Step 3 – use Fireline to scan all the Java source files
    • Step 4 – review the scanning results
  • Static secure code scanning with QARK
    • Step 1 – install QARK
    • Step 2 – APK scanning with QARK
    • Step 3 – review the results
  • Automated security scanning with MobSF
    • Step 1 – set up the MobSF
    • Step 2 – upload the APK by REST API
    • Step 3 – scan the APK
    • Step 4 – download the report
  • Summary
  • Questions
  • Further reading
• Chapter 8: Infrastructure Security
  • The scope of infrastructure security
  • Secure configuration best practices
    • CIS (Center for Internet Security) benchmarks
    • Security technical implementation guides (STIGs)
    • OpenSCAP security guide
      • Step 1 – installation of SCAP workbench
      • Step 2 – OpenSCAP security guide
  • Network security assessments with Nmap
    • Nmap usage tips
  • CVE vulnerability scanning
    • Known vulnerable components scan by VulScan
      • Step 1 – installation of VulScan 
      • Step 2 – NMAP scanning with VulScan
    • Known vulnerable components scan by OWASP dependency check
      • Step 1 – installation of OWASP dependency check
      • Step 2 – CVE scanning with OWASP dependency check
  • HTTPS security check with SSLyze
  • Behavior-driven security automation – Gauntlt
    • Step 1 – Gauntlt installation
    • Step 2 – BDD security testing script
    • Step 3 – execution and results
  • Summary
  • Questions
  • Further reading
• Chapter 9: BDD Acceptance Security Testing
  • Security testing communication
  • What is BDD security testing?
  • Adoption of Robot Framework with sqlmap
    • Step 1 – Robot Framework setup and preparation
    • Step 2 – sqlmap with Robot Framework 
  • Testing framework – Robot Framework with ZAP
    • Step 1 – environment setup and preparation
    • Step 2 – the Robot Framework script for the ZAP spider scan
    • Step 3 – robot script execution
  • Summary
  • Questions
  • Further reading
• Chapter 10: Project Background and Automation Approach
  • Case study – introduction and security objective
  • Selecting security and automation testing tools
  • Automated security testing frameworks
  • Environment and tool setup
  • Summary
  • Questions
  • Further reading
• Chapter 11: Automated Testing for Web Applications
  • Case 1 – web security scanning with ZAP-CLI
    • Step 1 – installation of ZAP-CLI
    • Step 2 – ZAP quick scan using the ZAP-CLI 
    • Step 3 – generate a report
  • Case 2 – web security testing with ZAP & Selenium
    • Step 1 – Selenium Python script
    • Step 2 – running ZAP as a proxy
      • Approach 1 – configure the system proxy
      • Approach 2 – Selenium Profile
      • Approach 3 – using SeleniumBASE
    • Step 3 – generate ZAP report
  • Case 3 – fuzz XSS and SQLi testing with JMeter
    • Testing scenarios
    • Step 1 – prepare environment 
    • Step 2 – define the JMeter scripts
    • Step 3 – prepare security payloads
    • Step 4 – launch JMeter in CLI with ZAP proxy
    • Step 5 – generate a ZAP report
  • Summary
  • Questions
  • Further reading
• Chapter 12: Automated Fuzz API Security Testing
  • Fuzz testing and data
    • Step 1 – installing Radamsa
    • Step 2 – generating the Security Random Payloads
  • API fuzz testing with Automation Frameworks
    • Approach 1 – security fuzz testing with Wfuzz
      • Step 1 – installing Wfuzz
      • Step 2– fuzz testing with sign-in
      • Step 3 – reviewing the Wfuzz report
    • Approach 2 – security fuzz testing with 0d1n
      • Step 1 – installation of 0d1n
      • Step 2 – execution of 0d1n with OWASP ZAP
      • Step 3 – review the ZAP report (optional)
    • Approach 3 – Selenium DDT (data-driven testing)
      • Step 1: Selenium script with DDT
      • Step 2 – executing the Selenium script
      • Step 3 – review the ZAP report
    • Approach 4 – Robot Framework DDT testing
      • Step 1– Robot Framework environment setup
      • Step 3 – Robot Framework script
      • Step 4 – review the ZAP report
  • Summary
  • Questions
  • Further reading
• Chapter 13: Automated Infrastructure Security
  • Scan For known JavaScript vulnerabilities
    • Step 1 – install RetireJS
    • Step 2 – scan with RetireJS
    • Step 3 – review the retireJS results
  • WebGoat with OWASP dependency check
    • Step 1 – prepare WebGoat environment
    • Step 2 – dependency check scan
    • Step 3 – review the OWASP dependency-check report
  • Secure communication scan with SSLScan
    • Step 1 – SSLScan setup
    • Step 2 – SSLScan scan
    • Step 3 – review the SSLScan results
    • Step 4 – fix the HTTPS secure configurations
  • NMAP security scan with BDD framework
    • NMAP For web security testing
    • NMAP BDD testing with Gauntlt
    • NMAP BDD with Robot Framework
      • Step 1 – define the Robot Framework steps
      • Step 2 – execute and review the results
  • Summary
  • Questions
  • Further reading
• Chapter 14: Managing and Presenting Test Results
  • Managing and presenting test results
  • Approach 1 – integrate the tools with RapidScan
    • Step 1 – get the RapidScan Python script
    • Step 2 – review scanning results
  • Approach 2 – generate a professional pentest report with Serpico
    • Step 1 – installation of Serpico
    • Step 2 – create a Report based on Templates 
    • Step 3 – Add Finding from Templates
    • Step 4 – generate a report
  • Approach 3 – security findings management DefectDojo
    • Step 1 – setup the OWASP DefectDojo
    • Step 2 – run security tools to output XMLs
    • Step 3 – import ZAP findings 
  • Summary
  • Questions
  • Further reading
• Chapter 15: Summary of Automation Security Testing Tips
  • Automation testing framework
    • What are the automation frameworks for UI functional testing?
    • BDD (behavior-driven development) testing framework?
    • What are common automation frameworks that apply to security testing?
  • Secure code review
    • What are common secure code review patterns and risky APIs?
    • Suggestions with Grep-like search tool for source code or configurations search?
  • API security testing
    • What are API security testing approaches?
    • What are the suggested resources for FuzzDB security payloads?
    • What testing tools are suggested for web fuzz testing?
  • Web security testing
    • How can JMeter be used for the web security testing?
    • Examples of OWASP ZAP by ZAP-CLI usages
    • Examples of OWASP ZAP automation by RESTful API
  • Android security testing
    • Suggested Android security testing tools and approach
    • Common Android security risky APIs
  • Infrastructure security
    • What's the scope of infrastructure security testing?
    • Typical use of Nmap for security testing
  • BDD security testing by Robot Framework
    • How to do web security scan with ZAP and Robot Framework?
    • How to achieve DDT testing in Robot Framework?
    • How to do network scan with Nmap and Robot Framework?
    • How to do an SQLmap scan with Robot Framework?
    • How to do BDD security testing with Nmap and Gauntlt?
  • Summary
• Appendix A: List of Scripts and Tools
  • List of sample scripts
  • List of installed tools in virtual image
• Appendix B: Solutions
  • Chapter 1: The Scope and Challenges of Security Automation
  • Chapter 2: Integrating Security and Automation
  • Chapter 3: Secure Code Inspection
  • Chapter 4: Sensitive Information and Privacy Testing
  • Chapter 5: Security API and Fuzz Testing
  • Chapter 6: Web Application Security Testing
  • Chapter 7: Android Security Testing
  • Chapter 8: Infrastructure Security
  • Chapter 9: BDD Acceptance Security Testing
  • Chapter 10: Project Background and Automation Approach
  • Chapter 11: Automated Testing for Web Applications
  • Chapter 12: Automated Fuzz API Security Testing
  • Chapter 13: Automated Infrastructure Security
  • Chapter 14: Managing and Presenting Test Results
• Other Books You May Enjoy
• Index