Bulletproof Your Software The Magic of Security Autotests Elmir Iskanderov 

$ whoami - Elmir Iskanderov linkedin.com/in/iskanderov; - 4 years in cybersecurity; - Application Security Engineer at Cossack Labs; - Specialized in WEB, API, Infrastructure and Cloud penetration testing; - Automatization enjoyer. Cossack Labs - UK/Ukraine data security solutions company. Practical data security and software security in industries where security is a hard requirement. 

Agenda 1. The Problems We Faced 2. Security Autotest 3. Use Cases 4. Creation Autotests In a Few Clicks 5. Important to Remember 6. Q&A 

The Problems We Faced - A lot of reported vulnerabilities that we should validate as fixed; - Detect duplicate previously found vulnerabilities; - Spending too much time on validation. 

Solution 

Security Autotests - Saving time; - Automated validation of vulnerabilities; - Integration into the CI/CD pipeline; - Tracking previous vulnerabilities; - Creation in a few clicks. 

Use Cases - Validating HTTP security headers; - Input validation; - Misconfigurations (open files, secrets in code, etc.); - Rate limits. 

Validating HTTP headers 

Session Token Revocation 

Wait wait wait… 

Real Size of Security Autotests 

Use templates!!! 

Template 

Creation Autotests In a Few Clicks Burp Suite + ‘Copy as Python-Requests’ extension + + your templates 

Copy As Python-Requests Installation https://github.com/portswigger/copy-as-python-requests 

Copy As Python-Requests Usage 

Copy As Python-Requests Usage 2 

Creation of Security Autotest 

Creation of security autotest 2 

Output 

Pay attention to - Do not trust verifications for high/critical vulnerabilities; - Do not spend too much time on creation (if there are no reasons to automate all); - Use templates for most common issues; - Create a flow for logging in and retrieving session cookies/tokens; - Software is developing, and some automated tests are becoming outdated. 

QA Q&A