Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bulletproof Your Software: The Magic of Securit...

Bulletproof Your Software: The Magic of Security Autotests

How to automate the validation of vulnerabilities after they've been fixed by developers. Create security autotests in just a few clicks.

iskand3rov

March 25, 2024
Tweet

Other Decks in Programming

Transcript

  1. $ whoami - Elmir Iskanderov linkedin.com/in/iskanderov; - 4 years in

    cybersecurity; - Application Security Engineer at Cossack Labs; - Specialized in WEB, API, Infrastructure and Cloud penetration testing; - Automatization enjoyer. Cossack Labs - UK/Ukraine data security solutions company. Practical data security and software security in industries where security is a hard requirement.
  2. Agenda 1. The Problems We Faced 2. Security Autotest 3.

    Use Cases 4. Creation Autotests In a Few Clicks 5. Important to Remember 6. Q&A
  3. The Problems We Faced - A lot of reported vulnerabilities

    that we should validate as fixed; - Detect duplicate previously found vulnerabilities; - Spending too much time on validation.
  4. Security Autotests - Saving time; - Automated validation of vulnerabilities;

    - Integration into the CI/CD pipeline; - Tracking previous vulnerabilities; - Creation in a few clicks.
  5. Use Cases - Validating HTTP security headers; - Input validation;

    - Misconfigurations (open files, secrets in code, etc.); - Rate limits.
  6. Creation Autotests In a Few Clicks Burp Suite + ‘Copy

    as Python-Requests’ extension + + your templates
  7. Pay attention to - Do not trust verifications for high/critical

    vulnerabilities; - Do not spend too much time on creation (if there are no reasons to automate all); - Use templates for most common issues; - Create a flow for logging in and retrieving session cookies/tokens; - Software is developing, and some automated tests are becoming outdated.