A new framework to automate MSTG and MASVS in your CI/CD pipeline - AppSecUSA 2018
In the era of Agile, DevOps and CI/CD, enterprises constantly face security challenges, especially in mobile, where security is still underestimated. One of the main issues is the speed and repeatability of security tests for each release or build. Being Agile means being fast and flexible, and being able to go to production continuously through a continuous integration and deployment (CI/CD) pipeline. This applies especially to the development of mobile apps, where no common approach to automated security testing has been defined yet.
As mobile development teams become more mature in terms of security, they need to release often, and this requires changes to the traditional way security was handled. To reach the needed speed of deployment, a new approach to how security fits into the process is required; automation of security tests, together with evidence that they ran, becomes a valid option to facilitate this.
In the security maturity model, this maps to the DevSecOps teams and their capability to release faster. So, as security engineers, we have a few challenges to tackle:
- provide security at DevSecOps speed,
- detect vulnerabilities in early stages of development,
- have developers understand security,
- follow SDLC and
- have penetration testers focus on more sophisticated attack patterns against iOS and Android apps.
So, how do we get there? Let's look at the challenges:
1. Mobile security testing is complex if we consider the number of technologies, operating systems, security controls and libraries, and the different ways of testing them. Manual security testing alone is not an option anymore, and automation frameworks must be adopted. The OWASP Mobile AppSec Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG) are increasingly becoming the de facto standard for mobile application security testing, but one of the biggest challenges of adopting MASVS is how to make the tests automated, repeatable and scalable at DevOps speed throughout the whole SDLC.
2. Mobile developers already test their apps using mobile UI automation frameworks such as Calaba.sh, Appium, Espresso and so on. In order to make their tests understandable by multiple profiles in the company (from the testers themselves to upper management), DevOps introduced BDD testing (Behaviour Driven Development) using Cucumber and the well-known Gherkin language.
So, with this in mind, what solution would best fit the needs of stakeholders, developers and security experts? The developers already have UI testing in place. Even though it doesn't relate directly to security, at the end of the day it is just another way of testing, where security may fit too. Imagine combining some of the features of the frameworks developers already use and adding a new set of security tests.
This talk introduces a new process and practical solution that achieves this: automation of mobile security tests. We use a combination of existing penetration testing frameworks (Drozer and Needle), UI automation and the underlying system commands available in the mobile OS to execute the tests, and we describe (write) the tests in BDD fashion. In this way you can cover all kinds of security tests, such as testing for unencrypted PII, input validation, cryptography, network security, SQL injection and so on! Basically, the goal is to translate MASVS (and its sister project MSTG) into automated BDD security tests and give pentesters more time to focus on the "crazy stuff".
After the talk, the audience will understand how to create security tests using different mobile UI automation frameworks and different languages (Java, Ruby). We will also show practical examples of how to write, execute and integrate these tests into a CI/CD pipeline, retrieve the test results, and kick off automated tests when a flaw is discovered in a manual penetration test. A GitHub repo will be made available after the Open Summit in London and will be shared during the talk, in order to initiate a community effort, so that people can contribute to this automation framework for the MASVS by sharing their automation scripts.
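As an added illustration of the approach described above (not code from the talk or its framework), here is one MASVS storage requirement written as a Cucumber/Ruby step definition: after UI automation has exercised the app with a known test e-mail, the app's private preference files are pulled with an underlying system command and scanned for that value and for any e-mail-like string stored in the clear. The package name, the e-mail address, the use of `adb` with a debuggable build, and the Gherkin wording are all assumptions for the example.

```ruby
# Added example, not the talk's own code. Step definitions for a Gherkin scenario such as:
#
#   Scenario: No plaintext PII in the app's private storage
#     Given the app "com.example.app" was exercised with the e-mail "tester@example.com"
#     When I pull its shared_prefs files from the device
#     Then no file contains that e-mail or any e-mail-like string in plaintext
#
# Assumptions: an Android device with adb on PATH and a debuggable build (so
# `run-as` works); package name and e-mail address are placeholders.
require 'open3'

EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/

# Pull every shared_prefs XML file from the app's private directory via adb.
# Returns { "file name" => "content" }. Only meaningful against a real device.
def pull_shared_prefs(package)
  dir = "/data/data/#{package}/shared_prefs"
  listing, = Open3.capture2('adb', 'shell', 'run-as', package, 'ls', dir)
  listing.split.each_with_object({}) do |name, files|
    files[name], = Open3.capture2('adb', 'shell', 'run-as', package, 'cat', "#{dir}/#{name}")
  end
end

# Core check, independent of the device: scan file contents for the values seeded
# during the UI test and for any e-mail-like string. Returns one finding per
# (file, value) pair so the step can report exactly what leaked.
def find_plaintext_pii(files, known_values)
  files.flat_map do |name, content|
    hits = content.scan(EMAIL_RE)
    hits += known_values.select { |v| content.include?(v) }
    hits.uniq.map { |v| { file: name, value: v } }
  end
end

# Cucumber step definitions; skipped when the file is loaded outside Cucumber.
if defined?(Cucumber)
  Given(/^the app "([^"]+)" was exercised with the e-mail "([^"]+)"$/) do |pkg, email|
    @package = pkg
    @email = email # the login itself would be driven by Appium/Calabash UI steps
  end
  When(/^I pull its shared_prefs files from the device$/) do
    @files = pull_shared_prefs(@package)
  end
  Then(/^no file contains that e-mail or any e-mail-like string in plaintext$/) do
    findings = find_plaintext_pii(@files, [@email])
    raise "Plaintext PII found: #{findings.inspect}" unless findings.empty?
  end
end
```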
Speaker
Davide Cioccia
Security Engineer, ING
Being in love with everything around computers, Davide Cioccia joined the cyber security scene a few years back, in 2009, when Stuxnet hit the nuclear plants of Iran. He developed a framework to understand how "diversity" in the assets in the plants
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...