BDD-Security (OWASP Poland edition)

by Krystian Piwowarczyk on 29 June 2014

Transcript of BDD-Security (OWASP Poland edition)

Software Development Life Cycle
Automated security testing based on BDD techniques
BDD-Security
Prepared by: Krystian Piwowarczyk
Submitted on: 25.05.2014
Version: 1.1
$ whoami
Krystian Piwowarczyk
Software Engineer in Rule Financial

I use reverted emoticons (-;

„A system is secure if and only if it starts in a secure state and cannot enter an insecure state.”

Q&A
„Minion is a security testing framework built by Mozilla to bridge the gap between developers and security testers. To do so, it enables developers to scan their projects using a friendly interface.”

Package of wrappers for: OWASP ZAP, Skipfish, nmap and so on

… but that is a different story (-;
BDD-Security is a way to prepare well-organized and automated security tests. Scenarios are very descriptive and the underlying implementation is hidden.

BDD-Security summary
BDD-Security theory
A Domain Specific Language aims at bridging the communication gap between domain experts and developers by binding business-readable behavior specifications and examples to the underlying implementation.

If a Domain Specific Language is good enough to let the "business" create functional requirements, then it is also good enough to let security experts describe security requirements.
BDD-Security usage examples
EVIL User Stories
Based on jBehave framework
BDD-Security facts:
Developed by Stephen de Vries
Developed since early 2012; most recent commit April 2014, so the project is alive.
Current version: 0.7
Uses Firefox and Chrome to run tests
BDD-Security requirements:
Can BDD-Security become popular?
Simple idea: let's take jBehave, add the possibility to analyze raw HTTP communication, add integration with ZAP, and use it to produce security testing scenarios.
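As an added example (not code from BDD-Security or its author), this is the binding idea from the theory and "simple idea" passages in miniature: readable step text is matched by regex to hidden step implementations that inspect a raw HTTP response, here a constructed response whose session cookie lacks HttpOnly, so one step fails. BDD-Security does this with jBehave over traffic captured through ZAP; the step wording, the small parser and the sample response below are assumptions of this sketch.

```python
import re

# Constructed raw HTTP response standing in for the proxied browser traffic
# that BDD-Security inspects; sample data, not output from a real site.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure\r\n"
    "X-Frame-Options: DENY\r\n\r\n"
    "<html><body>login</body></html>"
)
# The readable side: requirements a security expert can write without seeing code.
SCENARIO = """\
Then the response header X-Frame-Options is present
And every Set-Cookie header carries the Secure flag
And every Set-Cookie header carries the HttpOnly flag
"""
STEPS = {}  # step-text regex -> hidden implementation

def step(pattern):
    def register(fn):
        STEPS[pattern] = fn
        return fn
    return register

def parse_headers(raw):
    """Header map from a raw HTTP response: names lower-cased, repeats kept."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

@step(r"the response header (\S+) is present")
def header_present(ctx, name):
    return name.lower() in ctx["headers"]

@step(r"every Set-Cookie header carries the (\w+) flag")
def cookie_flag(ctx, flag):  # whole-attribute match, so 'Secure' never matches 'SecureX'
    cookies = ctx["headers"].get("set-cookie", [])
    return all(flag.lower() in [a.strip().lower() for a in c.split(";")] for c in cookies)

def run_scenario(scenario, raw):
    """Run each step line against its binding; returns pass/fail keyed by step text."""
    ctx, results = {"headers": parse_headers(raw)}, {}
    for line in scenario.splitlines():
        text = re.sub(r"^(Given|When|Then|And)\s+", "", line.strip())
        for pattern, fn in STEPS.items():
            if (m := re.fullmatch(pattern, text)):
                results[text] = fn(ctx, *m.groups())
    return results
```

In the real tool the same step text is reused across projects; only the bindings change, which is the reuse advantage the next slide lists.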
Advantages:
HTTP level access
OWASP ZAP integration
pretty easy to put into existing CI process
comes with bunch of predefined scenarios
scenarios are easy to reuse in different projects
has educational value
uses Page Object Pattern
not widely used yet (for software hipsters)
open source
Disadvantages:
no support for lightweight clients (phantomjs?)
poor promotion (-;
not widely used yet (for software non-hipsters)
open source
it takes some effort to prepare good scenarios; time is money
You are here (-:
JDK >= 1.6
Apache Ant >= 1.6
OWASP ZAP - latest
* Michal Zalewski, "The Tangled Web" (based on the classic Bell-LaPadula paper "Secure Computer System: Unified Exposition and Multics Interpretation")
Old days (ancient):
The waterfall model is a sequential design process, often used in software development processes.
Waterfall
source: http://blog.hydro4ge.com/waterfall-to-boehm/
Old (but alive):
Agile software development is a group of software development methods based on iterative and incremental development.
Clean Agile
source: http://en.wikipedia.org/wiki/Iterative_and_incremental_development
Hottest:
Normal Agile with more frequent deployments. Sometimes monthly, sometimes weekly and sometimes daily!
Rapid Agile
source: http://en.wikipedia.org/wiki/Iterative_and_incremental_development
Continuous Integration - unit tests, integration tests, performance tests and functional tests. Automation, automation, and even more automation...
Living with Change
source: http://blog.jki.net/news/niweek-2012-fire-and-forget-bulletproof-builds-using-continuous-integration-with-labview-video-slides-now-available/
source: http://www.turbosquid.com/3d-models/3d-model-old-muskets-v3/633226
BDD-Security update:
Nessus support
Heartbleed test
flexible