Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bulletproof Your Software: The Magic of Securit...

iskand3rov
March 25, 2024
Programming
0
50

Bulletproof Your Software: The Magic of Security Autotests

How to automate the validation of vulnerabilities after they've been fixed by developers. Create security autotests in just a few clicks.

iskand3rov

March 25, 2024
Tweet

Other Decks in Programming

See All in Programming
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
WebフロントエンドにおけるGraphQL(あるいはバックエンドのAPI)との向き合い方 / #241106_plk_frontend
izumin5210
4
1.4k
Jakarta EE meets AI
ivargrimstad
0
580
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
910
リアーキテクチャxDDD 1年間の取り組みと進化
hsawaji
1
220
C++でシェーダを書く
fadis
6
4.1k
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
Quine, Polyglot, 良いコード
qnighy
4
640
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
110
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.7k

Featured

See All Featured
Navigating Team Friction
lara
183
14k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Facilitating Awesome Meetings
lara
50
6.1k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Building Your Own Lightsaber
phodgson
103
6.1k
RailsConf 2023
tenderlove
29
900
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
What's in a price? How to price your products and services
michaelherold
243
12k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Making the Leap to Tech Lead
cromwellryan
133
8.9k

Transcript

  1. Bulletproof Your Software The Magic of Security Autotests Elmir Iskanderov

  2. $ whoami - Elmir Iskanderov linkedin.com/in/iskanderov; - 4 years in

    cybersecurity; - Application Security Engineer at Cossack Labs; - Specialized in WEB, API, Infrastructure and Cloud penetration testing; - Automatization enjoyer. Cossack Labs - UK/Ukraine data security solutions company. Practical data security and software security in industries where security is a hard requirement.

  3. Agenda 1. The Problems We Faced 2. Security Autotest 3.

    Use Cases 4. Creation Autotests In a Few Clicks 5. Important to Remember 6. Q&A

  4. The Problems We Faced - A lot of reported vulnerabilities

    that we should validate as fixed; - Detect duplicate previously found vulnerabilities; - Spending too much time on validation.

  5. Solution

  6. Security Autotests - Saving time; - Automated validation of vulnerabilities;

    - Integration into the CI/CD pipeline; - Tracking previous vulnerabilities; - Creation in a few clicks.

  7. Use Cases - Validating HTTP security headers; - Input validation;

    - Misconfigurations (open files, secrets in code, etc.); - Rate limits.

  8. Validating HTTP headers

  9. Session Token Revocation

  10. Wait wait wait…

  11. Real Size of Security Autotests

  12. Use templates!!!

  13. Template

  14. Creation Autotests In a Few Clicks Burp Suite + ‘Copy

    as Python-Requests’ extension + + your templates

  15. Copy As Python-Requests Installation https://github.com/portswigger/copy-as-python-requests

  16. Copy As Python-Requests Usage

  17. Copy As Python-Requests Usage 2

  18. Creation of Security Autotest

  19. Creation of security autotest 2

  20. Output

  21. Pay attention to - Do not trust verifications for high/critical

    vulnerabilities; - Do not spend too much time on creation (if there are no reasons to automate all); - Use templates for most common issues; - Create a flow for logging in and retrieving session cookies/tokens; - Software is developing, and some automated tests are becoming outdated.

  22. QA Q&A