Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bulletproof Your Software: The Magic of Security Autotests

iskand3rov
March 25, 2024
Programming
0
20

Bulletproof Your Software: The Magic of Security Autotests

How to automate the validation of vulnerabilities after they've been fixed by developers. Create security autotests in just a few clicks.

iskand3rov

March 25, 2024
Tweet

Other Decks in Programming

See All in Programming
WebGLで始める コンピュータグラフィックス入門
heller77
0
150
Anthropic Cookbook のおすすめレシピ
schroneko
7
1.2k
Let's learn code review
riofujimon
2
580
"config" ってなんだ? / What is "config"?
okashoi
0
320
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.5k
雑に思考を整理する技術と効能
konifar
63
30k
Deep Dive into React Stream/Serialize
mugi_uno
3
680
PostmanでAPIの動作確認が楽になった話
h455h1
0
180
2 週間で Twitter Bot を作ってみた
contour_gara
0
770
GitLab CI/CD で C#/WPFアプリケーションのテストとインストーラーのビルド・デプロイを自動化する
hacarus
0
310
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
9
4.2k

Featured

See All Featured
Embracing the Ebb and Flow
colly
80
4.2k
Designing Experiences People Love
moore
136
23k
A designer walks into a library…
pauljervisheath
201
23k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Automating Front-end Workflow
addyosmani
1357
200k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
65
14k
Clear Off the Table
cherdarchuk
85
310k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
[RailsConf 2023] Rails as a piece of cake
palkan
27
4k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
188
16k
4 Signs Your Business is Dying
shpigford
176
21k

Transcript

  1. Bulletproof Your Software The Magic of Security Autotests Elmir Iskanderov

  2. $ whoami - Elmir Iskanderov linkedin.com/in/iskanderov; - 4 years in

    cybersecurity; - Application Security Engineer at Cossack Labs; - Specialized in WEB, API, Infrastructure and Cloud penetration testing; - Automatization enjoyer. Cossack Labs - UK/Ukraine data security solutions company. Practical data security and software security in industries where security is a hard requirement.

  3. Agenda 1. The Problems We Faced 2. Security Autotest 3.

    Use Cases 4. Creation Autotests In a Few Clicks 5. Important to Remember 6. Q&A

  4. The Problems We Faced - A lot of reported vulnerabilities

    that we should validate as fixed; - Detect duplicate previously found vulnerabilities; - Spending too much time on validation.

  5. Solution

  6. Security Autotests - Saving time; - Automated validation of vulnerabilities;

    - Integration into the CI/CD pipeline; - Tracking previous vulnerabilities; - Creation in a few clicks.

  7. Use Cases - Validating HTTP security headers; - Input validation;

    - Misconfigurations (open files, secrets in code, etc.); - Rate limits.

  8. Validating HTTP headers

  9. Session Token Revocation

  10. Wait wait wait…

  11. Real Size of Security Autotests

  12. Use templates!!!

  13. Template

  14. Creation Autotests In a Few Clicks Burp Suite + ‘Copy

    as Python-Requests’ extension + + your templates

  15. Copy As Python-Requests Installation https://github.com/portswigger/copy-as-python-requests

  16. Copy As Python-Requests Usage

  17. Copy As Python-Requests Usage 2

  18. Creation of Security Autotest

  19. Creation of security autotest 2

  20. Output

  21. Pay attention to - Do not trust verifications for high/critical

    vulnerabilities; - Do not spend too much time on creation (if there are no reasons to automate all); - Use templates for most common issues; - Create a flow for logging in and retrieving session cookies/tokens; - Software is developing, and some automated tests are becoming outdated.

  22. QA Q&A