Robots with Pentest Recipes: Democratizing Security Testing for DevOps Wins

Abhay Bhargav - CTO, we45

Upload: vandieu

Posted on 13-May-2018



Yours Truly

• Co-author of Secure Java For Web Application Development

• Author of PCI Compliance: A Definitive Guide

• Speaker at OWASP Conferences worldwide

• Chief Architect of Orchestron

• Avid Pythonista and AppSec Automation Junkie

• Specialization in Web Application Security and Security Testing

• Lead Trainer - DevSecOps Workshop

Today's Session

• A Different Side of DevSecOps => Some Key Challenges

• Introducing the Robot Framework

• AppSec Testing Recipes with Robots

• Case Studies

Security in DevOps

Pipeline phases: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor

Security activities across those phases:

• Threat modeling

• SAST, Security Composition

• DAST, IAST

• Security in IaC

• Security monitoring & attack detection

The Need of the Hour….

• To Find and Fix Security Bugs early and often

• Security to integrate with your Agile Development

• Security to seamlessly work with your Continuous Delivery Pipeline

Let’s get real for a minute

We’re still running into some serious issues

Application Security is overwhelmed

• CI/CD Pipeline

• Security Reviews

• Bug Bounties

• Threat Modeling

• Security Assessments

• to name a few….

Automating AppSec - Challenging

• Multiple SAST and DAST Tools

• Their OWN API - Complexities

• Running them in a purely automated workflow gets complex

• Custom Security Flaws - Hard to weave into a fabric

We need to continuously test for security?

In Short….

What do we need?

• Engineering - Run Security Locally

• Engagement with Security Teams - For High Value Added Requirements

• Make Security a “First Class Citizen”

More Effective Pentest Efforts

• Have your Pentest Teams work on finding more complex vulnerabilities

• Get them to script out complex pentest findings into Security Regression Scripts

• Get them involved in AppSec Automation

Get QA/QE Involved

• Quality Engineering - Usually develops a great deal of Test Automation

• Would be great to leverage their Test Automation For Security Testing

• Would be EVEN better to give them a single fabric for both Test Automation and Security Testing

Single Fabric => Test Automation + Security Testing

• Create Test Suites that combine capabilities of Software Test Automation and Security Testing tools

• Run a combination of tools - to provide coverage across different abstractions

• Use Pentest Results as Security Regressions

• Basically, create repeatable and reproducible recipes that work for your product

Enter, Robot Framework…

What is Robot Framework

• Generic Test Automation Framework - Acceptance Testing and Acceptance Test Driven Development

• Extend Libraries in Python and Java

• Modular Architecture

Single Slide Introduction to ATDD

How it works…

• When the test starts, the Framework parses the Test Data

• Utilizes Keywords from Test Libraries to interact with system being tested

• Libraries can communicate with the system either directly or using other test tools as drivers

• Reports generated as HTML and XML

Why we like it?

• Flexible Natural Language Syntax - FTW!

• Easy to develop API for Tools

• Modular

• Comes with Reporting out of the Box

• Python and Java Support 😁

Natural Language Syntax

*** Test Cases ***
Login to Healthcare App
    [Tags]    login
    input text    email_id    [email protected]
    input password    password    cwasp
    click button    id=submit
    set browser implicit wait    10
    location should be    ${BASE_URL}dashboard/
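To make the "How it works" slide and the login test case above concrete, here is an added toy model of Robot Framework's run loop. It is illustration written for this page, not Robot Framework's own code: it parses a test-case table in Robot's plain-text syntax, resolves each step to a method of a Python library class the way Robot does (case, spaces and underscores are ignored when matching keyword names), expands ${VARIABLE} references, and runs the steps. The HealthcareApp class, its URLs, the user account and the password are all constructed stand-ins for the browser session a Selenium library would drive.

```python
"""Toy model of Robot Framework's keyword-driven run loop (added illustration,
not Robot Framework's own code). Parses a *** Test Cases *** table, maps each
step to a library method the way Robot does, expands ${VARIABLES} and runs it.
``HealthcareApp`` is a constructed fake of the system under test."""
import re
from typing import Dict, List, Tuple

CELL_SEP = re.compile(r" {2,}|\t")   # Robot separates cells by 2+ spaces or a tab

# Constructed test data; ${BASE_URL} and ${PASSWORD} come from the variable table.
TEST_DATA = """\
*** Test Cases ***
Login to Healthcare App
    [Tags]    login
    input text    email_id    user@example.test
    input password    password    ${PASSWORD}
    click button    id=submit
    set browser implicit wait    10
    location should be    ${BASE_URL}dashboard/
"""


class HealthcareApp:
    """Constructed fake of the system under test; every public method is a keyword."""

    def __init__(self, base_url: str):
        self.base_url, self.fields, self.implicit_wait = base_url, {}, 0
        self.location = base_url + "login/"
        self.users = {"user@example.test": "correct horse"}  # made-up credential

    def input_text(self, locator: str, text: str) -> None:
        self.fields[locator] = text

    def input_password(self, locator: str, text: str) -> None:
        self.fields[locator] = text

    def click_button(self, locator: str) -> None:
        if locator != "id=submit":
            raise AssertionError(f"no button matching {locator}")
        ok = self.users.get(self.fields.get("email_id", "")) == self.fields.get("password")
        self.location = self.base_url + ("dashboard/" if ok else "login/?error=1")

    def set_browser_implicit_wait(self, seconds: str) -> None:
        self.implicit_wait = int(seconds)

    def location_should_be(self, expected: str) -> None:
        if self.location != expected:
            raise AssertionError(f"expected {expected!r}, got {self.location!r}")


def normalize(name: str) -> str:
    """Robot-style keyword matching: ignore case, spaces and underscores."""
    return re.sub(r"[\s_]", "", name).lower()


def parse_test_cases(source: str) -> Dict[str, List[List[str]]]:
    """Map test name -> list of step cells. Unindented lines name a test,
    indented lines are its steps (settings such as [Tags] are kept as steps)."""
    tests: Dict[str, List[List[str]]] = {}
    current, in_table = None, False
    for raw in source.splitlines():
        if raw.lstrip().startswith("***"):
            in_table = "test cases" in raw.lower()
        elif in_table and raw.strip():
            if not raw[0].isspace():
                current = raw.strip()
                tests[current] = []
            elif current is not None:
                tests[current].append([c for c in CELL_SEP.split(raw.strip()) if c])
    return tests


def substitute(cell: str, variables: Dict[str, str]) -> str:
    """Expand ${NAME} references from the variable table."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables[m.group(1)], cell)


def run_steps(steps: List[List[str]], library: object,
              variables: Dict[str, str]) -> Tuple[str, List[str]]:
    """Drive the library one keyword at a time; returns (status, keyword log)."""
    keywords = {normalize(n): getattr(library, n) for n in dir(library)
                if not n.startswith("_") and callable(getattr(library, n))}
    log: List[str] = []
    for cells in steps:
        if cells[0].startswith("["):      # [Tags], [Setup], ...: settings, not keywords
            continue
        kw = keywords.get(normalize(cells[0]))
        if kw is None:
            return "FAIL", log + [f"No keyword with name '{cells[0]}' found."]
        try:
            kw(*[substitute(c, variables) for c in cells[1:]])
            log.append(f"PASS {cells[0]}")
        except AssertionError as exc:
            return "FAIL", log + [f"FAIL {cells[0]}: {exc}"]
    return "PASS", log


def run_login_recipe(password: str) -> Tuple[str, List[str]]:
    """Run the constructed test case with the given ${PASSWORD}."""
    variables = {"BASE_URL": "https://app.example.test/", "PASSWORD": password}
    app = HealthcareApp(variables["BASE_URL"])
    return run_steps(parse_test_cases(TEST_DATA)["Login to Healthcare App"], app, variables)
```

Calling run_login_recipe("correct horse") returns PASS with one log line per keyword, while a wrong password fails at "location should be", which is exactly where a real Selenium-backed run reports the same regression. The point of the model is the mapping: a library author writes ordinary Python methods, and testers, pentesters or QE engineers drive them from the natural-language table without touching the code.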

Popular Third Party Libraries - Robot Framework

• Android and iOS Automation - Calabash

• Selenium

• Appium

• Python Requests

• Diff Library

• SSH

Security Tool Libraries - Robot Framework

Robot Framework - OWASP ZAP Integration => RoboZAP

Robot Framework - Nmap Integration => RoboNmap

Robot Framework - BurpSuite Integration => Robo2Burp

Robot Framework - Sublist3r Integration

Robot Framework OWASP Dependency Check

Robot Framework - Arachni Integration

Adapting it for security

• Empowering Engineering Teams to Run their own Security Testing

• Engaging Functional Test Automation Teams to contribute to security

• Combining Functional Testing as an Input to DAST Tools

• Lowering the Entry Barrier for Security Testing

• Canned Recipes for Pentesters

The idea here is to reduce this…

Understand Security Testing Steps and Processes

Understanding and Using Security Testing Tools

Automating them with their API in the Pipeline + Parameterization

Pulling Results from each Scan

To This…

start zap active scan ${TARGET}

write results to DB ${DB_PATH}

Reducing Friction in the way we use and interact with Security Testing Tools

Demo

Demo Gods! Please let this work

Use-Cases and Patterns

• Automate Pentest Activities - Creating an Automated Pentest Pipeline

• Parameterized Application Security Testing in the Pipeline

• Run Security Regressions in the Pipeline

Automated Pentesting Pipeline

• Automate specific Pentest Scripts in a sequential process

• Saves time - Pentesters

• Democratizes Security Testing - Including Engineering and QA

Example

    nmap script scan    ${TARGET}
    nmap print results
    …(run selenium automation script)
    start zap active scan    ${TARGET}
    write results to DB    ${DB_PATH}
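As an added example for the last step of the recipe above (the write results to DB keyword) and for the parameterized-pipeline pattern, here is a hypothetical Robot Framework keyword library written for this page. It is not code from the talk, from RoboZAP or from we45, and it never contacts ZAP: SAMPLE_ZAP_ALERTS is a constructed payload in the shape the ZAP API's alerts view returns (alert, risk, url, param, cweid; every value is made up). The library stores findings per scan target in SQLite, de-duplicates repeat findings so re-runs do not inflate the table, and adds a gate keyword that fails the test, and therefore the pipeline stage, when findings at or above a chosen risk level exist. Robot maps write results to DB onto write_results_to_db by ignoring case, spaces and underscores.

```python
"""Hypothetical Robot Framework keyword library (added example, not code from
the talk, RoboZAP or we45). Stores ZAP-style alerts in SQLite and gates the
pipeline on risk. ``SAMPLE_ZAP_ALERTS`` is constructed data in the shape of the
ZAP API's alerts view; it is not real scanner output."""
import json
import sqlite3
from datetime import datetime, timezone

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

SAMPLE_ZAP_ALERTS = json.dumps({"alerts": [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "https://app.example.test/search?q=x", "param": "q", "cweid": "79"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "https://app.example.test/", "param": "", "cweid": "693"},
    # Same finding reported twice (constructed) to exercise de-duplication.
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "https://app.example.test/search?q=x", "param": "q", "cweid": "79"},
]})


class ScanResults:
    """Each public method is a keyword; one instance per run (Robot GLOBAL scope)."""
    ROBOT_LIBRARY_SCOPE = "GLOBAL"

    def __init__(self, db_path: str = ":memory:"):
        # In a suite: ``Library    scan_results.py    ${DB_PATH}`` passes the path in.
        self.conn = sqlite3.connect(db_path)
        self.conn.execute("""CREATE TABLE IF NOT EXISTS alerts (
            target TEXT, scanned_at TEXT, name TEXT, risk TEXT,
            url TEXT, param TEXT, cwe TEXT,
            UNIQUE (target, name, url, param))""")

    def write_results_to_db(self, target: str, alerts_json: str) -> int:
        """Keyword ``write results to DB``: store alerts for ``target`` and
        return how many were new; a re-run of a known finding adds nothing."""
        now = datetime.now(timezone.utc).isoformat()
        new = 0
        for a in json.loads(alerts_json).get("alerts", []):
            cur = self.conn.execute(
                "INSERT OR IGNORE INTO alerts VALUES (?,?,?,?,?,?,?)",
                (target, now, a.get("alert"), a.get("risk"), a.get("url"),
                 a.get("param", ""), str(a.get("cweid", ""))))
            new += cur.rowcount          # 0 when the UNIQUE constraint ignored the row
        self.conn.commit()
        return new

    def count_alerts_at_or_above(self, target: str, risk: str) -> int:
        """Keyword: number of stored alerts for ``target`` at ``risk`` or higher."""
        rows = self.conn.execute("SELECT risk FROM alerts WHERE target = ?",
                                 (target,)).fetchall()
        return sum(1 for (r,) in rows if RISK_ORDER.get(r, 0) >= RISK_ORDER[risk])

    def results_should_not_contain_risk_at_or_above(self, target: str,
                                                    risk: str = "High") -> int:
        """Gate keyword: fail the test (and so the pipeline stage) when any
        alert for ``target`` is at ``risk`` or above; returns 0 when clean."""
        n = self.count_alerts_at_or_above(target, risk)
        if n:
            raise AssertionError(f"{n} alert(s) at risk {risk} or above for {target}")
        return 0
```

In a suite the keywords would follow the scan step, e.g. write results to DB with ${TARGET} and the alerts JSON, then results should not contain risk at or above with ${TARGET} and ${MAX_RISK}; ${TARGET}, ${DB_PATH} and ${MAX_RISK} are supplied on the command line with robot's --variable option, which is what makes the same recipe reusable across environments without editing the test data.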

Demo

Demo Gods! Please let this work

Parameterized Application Security Testing Pipeline

Demo

Demo Gods! Please let this work


Reach Us

• Twitter: @we45

• Website: www.we45.com

• Twitter: @abhaybhargav

• LinkedIn: www.linkedin.com/in/abhaybhargav