Abstract
Many software development companies don’t have penetration testing teams, but most of them have functional testing teams, or the development teams perform functional testing themselves. An important part of functional testing is the set of automated test cases written for Selenium, Sahi, Silk Test or any other functional testing platform. These test cases cover almost all the features of the application and all of its workflows. In this talk I will explain how a new scanning technology makes it possible to reuse the existing functional test cases to produce security findings in a language that developers can understand and act on. This technology will be implemented in the open source web security scanner IronWASP, and we will be releasing companion libraries that let you use it from your test cases, irrespective of the language they are written in.
If you are a startup or an SME that does not have the budget for a dedicated security team, or if you are a big company that wants to find its security bugs earlier in the development cycle, then don’t miss this talk. If you are a penetration tester and want to find out how the future of web security testing will look, then come with an open mind; you will learn a lot.
AI Generated Summary (may contain errors)
Here is a summarized version of the content:
The speaker discusses an open-source solution for identifying and fixing vulnerabilities in software development. The system uses free and open-source tools, so it does not add to the company’s budget. The focus is on providing actionable steps to developers, CTOs and managers for fixing issues, rather than just highlighting problems.
Traditional penetration testing reports often provide lengthy descriptions of vulnerabilities and their impacts, but these are of little use to developers, who need specific instructions to fix the problem. The proposed system provides a concise report with step-by-step actions for developers to take, making it easier for them to fix the bugs.
The system has already been tested in a live environment at PinkStripe, where it was successful. The reporting component is currently being developed and should be available soon. The plan is to present this solution to developers at conferences and encourage its adoption in order to make code safer.