APPSEC Cali 2018 - Robots with Pentest Recipes


Abstract:
Application Security (AppSec) teams are usually short-staffed. While this is no surprise in itself, there is now the added impetus of continuous delivery of security solutions for the continuous delivery pipelines of myriad engineering teams within an organization. While some teams have leveraged SAST, DAST and IAST as part of the continuous delivery pipeline, AppSec teams could definitely use a helping hand from other teams, including QA, Engineering and Infrastructure (Security) teams. However, this presents a problem, largely because the tools used by AppSec teams (and security teams in general) are not easily understood or known by Engineering and QA teams. In addition, there is a diverse set of tools, ranging from application vulnerability scanners to recon tools, etc., used by security teams, pentest teams and so on that are typically not meshed together in a common fabric. What if there were a way where we could create security testing recipes and run a battery of security tests, from baseline application security testing to pre-deployment infrastructure vulnerability assessments, across various environments, and, what’s better, UNDER A COMMON FABRIC!! For one, security testing would become much easier to create and execute, with various teams being able to author security testing pipelines themselves with limited involvement from an already-stretched AppSec team. That’s what this talk is all about….

Over the last few months, my team and I have leveraged the all-powerful Robot Framework to integrate various security testing tools, including OWASP ZAP, Nmap and Nessus. Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It provides a very extensible test syntax that is extended by test libraries implemented in Python or Java. We have developed open source libraries for popular tools like OWASP ZAP, Nmap, Nessus and some recon tools, which can be invoked alongside existing libraries like Selenium, etc. to perform completely automated, parameterized security tests across the continuous delivery pipeline with easy-to-write, almost trivial test syntax like

`run nmap scan` OR `start zap active scan`

thereby making it easier for engineering teams to create “recipes” of the security tests they want to run, and to integrate them with functional test automation to run anything from a baseline scan to a complete parameterized security test of the application on various environments. In fact, we have used these libraries to run a “mostly automated pentest as a recipe”, replete with recon, mapping and vulnerability discovery phases, with evidence and reporting built in.
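As an added example (not code from the talk or from the we45 libraries it describes), here is a hypothetical Python keyword library in the shape Robot Framework expects: the class name, keyword names and the sample nmap XML are all constructed, and `run_nmap_scan` assumes nmap is installed. The check keyword fails the test when a scan shows open ports outside an allowlist, which is how a recipe turns scanner output into a pass/fail gate in a pipeline.

```python
"""Hypothetical Robot Framework keyword library wrapping nmap (added example)."""
import subprocess
import xml.etree.ElementTree as ET


class NmapRecipeLibrary:
    """Public methods become keywords: ``Run Nmap Scan`` -> ``run_nmap_scan``."""
    ROBOT_LIBRARY_SCOPE = "TEST SUITE"

    def run_nmap_scan(self, target, extra_args="-sV"):
        """Run nmap (must be installed) and return its XML report as a string."""
        cmd = ["nmap", "-oX", "-", *extra_args.split(), target]
        return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

    def parse_open_ports(self, xml_text):
        """Return (host, port, protocol, service) tuples for every open port."""
        findings = []
        for host in ET.fromstring(xml_text).iter("host"):
            addr = host.find("address").get("addr")
            for port in host.iter("port"):
                state = port.find("state")
                if state is None or state.get("state") != "open":
                    continue
                svc = port.find("service")
                name = svc.get("name", "") if svc is not None else ""
                findings.append((addr, int(port.get("portid")), port.get("protocol"), name))
        return findings

    def open_ports_should_be_in(self, findings, *allowed):
        """Fail the test (Robot treats the exception as a failure) on ports outside the allowlist."""
        allowed_ports = {int(p) for p in allowed}  # Robot passes arguments as strings
        unexpected = [f for f in findings if f[1] not in allowed_ports]
        if unexpected:
            raise AssertionError(f"Unexpected open ports: {unexpected}")
        return True


# Constructed sample of nmap XML output so the keywords can be exercised offline.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/></port>
</ports></host></nmaprun>"""

# In a .robot suite:  ${xml}=   Run Nmap Scan  10.0.0.5
#                     ${open}=  Parse Open Ports  ${xml}
#                     Open Ports Should Be In  ${open}  22  443
```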

I’ll be making most of the code available on GitHub for the community to use.

Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications: “Secure Java for Web Application Development” and “PCI Compliance: A Definitive Guide”. Abhay is a builder and breaker of applications, and has authored multiple applications in Django and NodeJS. He is a passionate Pythonista and loves the idea of automation in security. This passion prompted him to author the world’s first hands-on Security in DevOps workshop, which has been delivered in multiple locations, and recently as a highly successful workshop at OWASP AppSecUSA 2016, OWASP AppSecEU2017 and OWASP AppSecUSA 2017, as well as DEFCON 25. In addition, Abhay speaks regularly at industry events including OWASP, ISACA, Oracle OpenWorld, JavaOne, and others.

Managed by the official OWASP Media Project

Reviewed by Unknown on March 27, 2018