BDD-Security (OWASP Poland edition)
Automated security testing based on BDD techniques
Prepared by: Krystian Piwowarczyk
Submitted on: 25.05.2014
Software Engineer in
I use reverted emoticons (-;
„A system is secure if and only if it starts in a secure state and cannot enter an insecure state.”
„Minion is a security testing framework built by Mozilla to bridge the gap between developers and security testers. To do so, it enables developers to scan their projects using a friendly interface.”
Package of wrappers for: OWASP ZAP, Skipfish, nmap and so on
… but that is a different story (-;
BDD-Security is a way to prepare well organized and automated security tests. Scenarios are very descriptive and the underlying implementation is hidden
Domain Specific Language aims at bridging the communication gap between domain experts and developers by binding business readable behavior specifications and examples to the underlying implementation.
If a Domain Specific Language is good enough to let "business" create functional requirements, then it is also good enough to let security experts describe security requirements.
BDD-Security usage examples
EVIL User Stories
Based on jBehave framework
Developed by Stephen de Vries
Developed since early 2012 – most recent commit: April 2014. So the project is alive.
Current version: 0.7
Uses Firefox and Chrome to run tests
Can BDD-Security become popular?
Simple idea: let's take jBehave, let's add the possibility to analyze raw HTTP communication, let's add integration with ZAP, and let's use it to produce security testing scenarios.
HTTP level access
OWASP ZAP integration
pretty easy to put into existing CI process
comes with bunch of predefined scenarios
scenarios are easy to reuse in different projects
has educational value
uses Page Object Pattern
not widely used yet (for software hipsters)
no support for lightweight clients (phantomjs?)
poor promotion (-;
not widely used yet (for software non-hipsters)
it takes some effort to prepare good scenarios - time is money
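An evil user story of the kind sketched above, as an added example (not code from the BDD-Security project): the jBehave story text is bound to a step class that inspects raw Set-Cookie headers at the HTTP level instead of driving a browser. The story file name, the sample response and the step wording are constructed for this illustration.

```java
import org.jbehave.core.annotations.Given;
import org.jbehave.core.annotations.Then;
import org.jbehave.core.annotations.When;
import java.util.*;
/* Story text the steps bind to (constructed; hypothetical file session_cookies.story):
 *   Scenario: Session cookie is not exposed to a network sniffer or to page scripts
 *   Given the recorded HTTP response from a successful login
 *   When the Set-Cookie headers are extracted
 *   Then the cookie JSESSIONID carries the Secure flag
 *   And the cookie JSESSIONID carries the HttpOnly flag
 */
public class SessionCookieSteps {
    // Constructed raw response, standing in for one captured through the proxy.
    static final String RECORDED_RESPONSE =
        "HTTP/1.1 200 OK\r\n"
        + "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
        + "Set-Cookie: lang=pl; Path=/\r\n"
        + "Content-Length: 0\r\n\r\n";
    private String rawResponse;
    // cookie name -> lower-cased attribute names found on its Set-Cookie line
    private final Map<String, List<String>> cookieAttributes = new HashMap<String, List<String>>();
    @Given("the recorded HTTP response from a successful login")
    public void loadRecordedResponse() {
        rawResponse = RECORDED_RESPONSE;
    }

    @When("the Set-Cookie headers are extracted")
    public void extractSetCookieHeaders() {
        String headerBlock = rawResponse.split("\r\n\r\n", 2)[0];
        for (String line : headerBlock.split("\r\n")) {
            if (!line.regionMatches(true, 0, "Set-Cookie:", 0, 11)) continue;
            String[] parts = line.substring(11).trim().split(";");
            String name = parts[0].split("=", 2)[0].trim();
            List<String> attrs = new ArrayList<String>();
            for (int i = 1; i < parts.length; i++) {
                // "Secure", "HttpOnly" and "Path=/" are all compared by attribute name only
                attrs.add(parts[i].trim().split("=", 2)[0].toLowerCase());
            }
            cookieAttributes.put(name, attrs);
        }
    }

    @Then("the cookie $name carries the $flag flag")
    public void assertCookieFlag(String name, String flag) {
        List<String> attrs = cookieAttributes.get(name);
        if (attrs == null) throw new AssertionError("no Set-Cookie header for " + name);
        if (!attrs.contains(flag.toLowerCase()))
            throw new AssertionError(name + " is missing the " + flag + " flag");
    }
}
```

Running the story with a jBehave embedder reports the scenario as failed when either flag is absent, which is what makes the check usable as a CI gate.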
You are here (-:
JDK >= 1.6
Apache Ant >= 1.6
OWASP ZAP - latest
* Michal Zalewski, "The Tangled Web" (based on the classic Bell-LaPadula paper "Secure Computer System: Unified Exposition and Multics Interpretation")
Old days (ancient):
The waterfall model is a sequential design process, often used in software development processes.
Old (but alive):
Agile software development is a group of software development methods based on iterative and incremental development.
Normal Agile with more frequent deployments. Sometimes monthly, sometimes weekly and sometimes daily!
Continuous Integration - unit tests, integration tests, performance tests and functional tests. Automation, automation, and even more automation...
Living with Change