Explore continuous security testing in a DevOps environment through this 45-minute conference talk from AppSecEU 2014. Delve into the challenges of integrating security processes into fast-paced, automated software deployment cycles. Learn about an open-source security testing framework that leverages Behavior Driven Development (BDD) to bridge communication gaps between security, development, and testing teams. Discover how to define security requirements in natural language while maintaining executable automated tests. Examine the BDD-Security framework, which utilizes Selenium and OWASP ZAP to mimic human security testing, including complex authentication and access control tests. Gain insights into configuring the framework and integrating it with Jenkins CI server for continuous, in-depth security testing. Understand how this approach creates an automated process from code commit to security testing, with results comprehensible to all stakeholders.
Continuous Security Testing in DevOps Environments
Overview
Syllabus
Intro
DevOps and Development Practices
Continuous Delivery Pipeline
Application Security
Security Testing
Security Test 1
BDD Security Framework
Demo
Page Flow
Scanning
False positives
Config file
Navigation class
Selenium IDE
Zap
SQL Injection
Wrapping a Scanner
Functional Security
Is logged in
How to logout
Results
Functional Security Requirements
Verification vs Tests
Access Control
Profile
OnlyBob
Application Framework
Access Control Scenario
Jenkins
Deployment
Headless
Test Results
Jenkins Integration
Limitations
Test Maintenance
Test Failure
Self Verifying Requirements
Additional Tools
Questions
Taught by
OWASP Foundation
Related Courses
-
Continuous Security Testing in a DevOps World
-
Robots with Pentest Recipes - Automating Security Testing in DevOps
-
Security DevOps - Staying Secure in Agile Projects
-
How to Apply DevSecOps Shift-Left Security with OWASP ZAP
-
Application Security Testing and SDLC for Developers
-
Monitoring Attack Surface and Integrating Security into DevOps Pipelines
