The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and the Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, who gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Tuesday, January 30 • 11:45am - 12:35pm
Robots with Pentest Recipes - Democratizing Security Testing Pipelines for DevOps Wins


Abstract:
Application Security (AppSec) Teams are usually short-staffed. While this is no surprise in itself, there is now the added impetus of continuous delivery of security solutions for the continuous delivery pipelines of myriad engineering teams within an organization. While some teams have leveraged SAST, DAST and IAST as part of the continuous delivery pipeline, AppSec teams could definitely use a helping hand from other teams including QA, Engineering and Infrastructure (Security) Teams. However, this presents a problem, largely because the tools used by AppSec Teams (and security teams in general) are not easily understood or known by Engineering and QA teams. In addition, there is a diverse set of tools, ranging from Application Vulnerability Scanners to Recon Tools, etc., that are used by Security Teams, Pentest Teams and so on and that are typically not meshed together in a common fabric. What if there were a way where we could create security testing recipes and run a battery of security tests, right from baseline application security testing to pre-deployment infrastructure vulnerability assessments, across various environments, and what’s better, UNDER A COMMON FABRIC!! For one, security testing would become much easier to create and execute, with various teams being able to author security testing pipelines themselves with limited involvement from an already-stretched appsec team. That’s what this talk is all about….

Over the last few months, my team and I have leveraged the all-powerful Robot Framework to integrate various security testing tools, including OWASP ZAP, Nmap and Nessus. Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It provides a very extensible, keyword-driven test syntax that is extended through test libraries implemented in Python or Java. We have developed Open Source libraries for popular tools like OWASP ZAP, Nmap, Nessus and some recon tools, which can be invoked alongside existing libraries like Selenium, etc., to perform completely automated, parameterized security tests across the continuous delivery pipeline with easy-to-write, almost trivial test syntax like

`run nmap scan` OR `start zap active scan`

thereby making it easier for engineering teams to create “recipes” of the security tests that they want to run, and to integrate them with functional test automation to run anything from a baseline scan to a complete parameterized security test of the application on various environments. In fact, we have used these libraries to run a “mostly automated pentest as a recipe”, replete with recon, mapping and vulnerability discovery phases, with evidence and reporting built in.

I’ll be making most of the code available on GitHub for the community to use.
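As an added illustration of the Python keyword library mechanism the abstract relies on (this is example code written for this page, not the we45 libraries or any code from the talk), the module below turns a constructed Nmap XML report into a pipeline gate that fails when a host exposes a port outside an allowlist. The file name `nmap_gate.py`, the keyword names, the `${NMAP_XML}` variable and the sample scan output are all assumptions made for the example.

```python
"""Tiny Robot Framework keyword library. Added example; not we45's code.
Robot Framework exposes each public function of an imported module as a
keyword (parse_nmap_xml -> `Parse Nmap Xml`), so a recipe could read:
    *** Settings ***
    Library    nmap_gate.py
    *** Test Cases ***
    Only Expected Ports Are Exposed
        ${hosts}=    Parse Nmap Xml    ${NMAP_XML}
        Open Ports Should Only Include    ${hosts}    22    443
"""
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -oX` output; not a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""


def _is_open(port):
    """Private helper (leading underscore keeps it out of the keyword list)."""
    state = port.find("state")
    return state is not None and state.get("state") == "open"


def parse_nmap_xml(xml_text):
    """Return {address: [open port numbers]} for every host in nmap -oX output."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        hosts[addr.get("addr")] = sorted(int(p.get("portid")) for p in host.iter("port") if _is_open(p))
    return hosts


def unexpected_open_ports(hosts, *allowed):
    """Return {address: [ports]} for open ports outside the allowlist (Robot passes args as str)."""
    allowed_set = {int(p) for p in allowed}
    extra = {a: [p for p in ports if p not in allowed_set] for a, ports in hosts.items()}
    return {a: ports for a, ports in extra.items() if ports}


def open_ports_should_only_include(hosts, *allowed):
    """Keyword: fail the Robot test (AssertionError) when a host exposes an unlisted port."""
    extra = unexpected_open_ports(hosts, *allowed)
    if extra:
        raise AssertionError("Unexpected open ports: %s" % extra)
```

The same pattern applies to the ZAP and Nessus wrappers the abstract mentions: the library parses the tool's report and the recipe decides what counts as a failure.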


Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...

Tuesday January 30, 2018 11:45am - 12:35pm PST
Terrace Lounge