Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA


Regency Ballroom 2
Thursday, October 11

3:30pm

Mobile BDD security tests on steroids: A new framework to automate MSTG and MASVS in your CI/CD pipeline
In the era of Agile, DevOps and CI/CD, enterprises constantly face security challenges, especially in mobile, where security is still underestimated. One of the main issues is the speed and repeatability of security tests for each release/build. Being Agile means being fast and flexible, and being able to go to production continuously through a continuous integration and deployment (CI/CD) pipeline. This applies especially to the development of mobile apps, where no common approach for automated security testing has been defined yet.

As mobile development teams become more mature in terms of security, they need to release often, and this requires changes in the traditional way security was handled. To reach the needed speed of deployment, a new approach to how security fits into the process is required; automating security tests and recording their evidence becomes a valid option to facilitate this.

In the security maturity model, this maps to the DevSecOps teams and their capability to release faster. So, as security engineers, we have a few challenges to tackle:

- provide security at DevSecOps speed,
- detect vulnerabilities in early stages of development,
- have developers understand security,
- follow the SDLC and
- have penetration testers focus on more sophisticated attack patterns against iOS and Android apps.

So, how do we get there? Let's look at the challenges:

1. Mobile security testing is complex if we consider the number of technologies, operating systems, security controls and libraries involved, and the different ways of testing. Manual security testing alone is no longer an option, and automation frameworks must be adopted. The OWASP Mobile AppSec Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG) are increasingly becoming the de facto standard for mobile application security testing, but one of the biggest challenges of adopting MASVS is how to make the tests automated, repeatable and scalable at DevOps speed throughout the whole SDLC.

2. Mobile developers already test their apps using mobile UI automation frameworks such as Calaba.sh, Appium, Espresso and so on. In order to make their tests understandable by multiple profiles in the company (from the testers themselves to upper management), DevOps introduced BDD (Behaviour Driven Development) testing using Cucumber and the well-known Gherkin language.

So, with this in mind, what solution would best fit the needs of stakeholders, developers and security experts? The developers already have UI testing in place. Even though this doesn't relate directly to security, at the end of the day it is just another way of testing into which security might fit. Imagine combining some of the features of the frameworks used by developers and adding a new set of security tests.

This talk introduces a new process and practical solution that achieves this: automation of mobile security tests. We use a combination of existing penetration testing frameworks (Drozer and Needle), UI automation and the underlying system commands available in the mobile OS to execute tests, and we describe (write) the tests in BDD fashion. In this way, you can cover all kinds of security tests, such as testing for unencrypted PII, input validation, cryptography, network security, SQL injection and so on. Basically, the goal is to translate MASVS (and its sister project MSTG) into automated BDD security tests and give pentesters more time to focus on the "crazy stuff".

After the talk, the audience will understand how to create security tests using different mobile UI automation frameworks and different languages (Java, Ruby). We will also show practical examples of how to write, execute and integrate these tests into a CI/CD pipeline, retrieve test results and kick off automatic tests when a flaw is discovered in a manual penetration test. A GitHub repo will be made available after the Open Summit in London and will be shared during the talk, in order to initiate a community effort so that people can contribute to this automation framework for the MASVS by sharing their automation scripts.

Speakers
Davide Cioccia

Security Engineer, ING
Being in love with everything around computers, Davide Cioccia joined the cyber security scene a few years back in 2009, when Stuxnet hit the nuclear plants of Iran. He developed a framework to understand how "diversity" in the assets in the plants could stop the malware from reaching its... Read More →


Thursday October 11, 2018 3:30pm - 4:05pm
Regency 2
Track 2

Friday, October 12

2:15pm

Single Page Applications: Is your design secure?
In the current landscape of web development, Single Page Applications (SPAs) are used more and more frequently because of their versatile capabilities. The popularity of frameworks such as Angular and React has also enabled fast-paced development of SPAs. For that reason, even more traditional web applications have migrated to SPAs without considering the security implications this new paradigm introduces. In this presentation we will describe some of the security pitfalls that affect SPAs and how to mitigate them.

Speakers
Rafael Dreher

Security Software Engineer, Microsoft
Rafael Dreher is a Security Engineer at Microsoft and co-founder of the OWASP Porto Alegre chapter. He is interested in ways to improve and scale static code analysis in large enterprises. Rafael spends most of his time digging into the code of web applications to find interesting patterns... Read More →

Murali Vadakke Puthanveetil

Security Software Engineer, Microsoft
Murali Vadakke Puthanveetil works as a Security Engineer at Microsoft and is a previous speaker at AppSec USA. He is particularly interested in figuring out the authentication and authorization logic used by web applications. Murali spends most of his time digging into the code of web applications... Read More →


Friday October 12, 2018 2:15pm - 2:50pm
Regency 2
Track 2