Three key devops principles are the merging of skills in previously separate teams, extensive process automation and faster delivery through more frequent software deploys.
These present some interesting challenges to application security such as:
- How to effectively communicate and manage security requirements in such a dynamic environment?
- How to perform rigorous security testing when software is deployed multiple times per day?
- How to integrate security processes into the existing continuous integration/deployment environments?
In this talk I will explore these questions and present an open source security testing framework that aims to address them through the use of Behaviour Driven Development (BDD).
A key concept from agile software development is that the software tests are the documentation. While this approach works well when all the stakeholders are developers, it can break down when neither the ops team nor the security team is proficient in a programming language.
BDD offers a communication bridge between security, development and testing so that security requirements can be defined in a natural language; and yet still be executable as automated software tests.
The BDD-Security framework was created in order to provide a set of pre-defined security requirements that can be executed against most web applications with minimal changes. It uses Selenium and OWASP ZAP in order to mimic the testing that a human security tester would perform, including authentication and access control tests that were previously difficult to automate and beyond the capabilities of scanners. Since the framework is based on JBehave, which provides JUnit wrappers, it fits into existing automated deployment and continuous integration pipelines.
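As an added illustration, not BDD-Security's own code (which is Java on JBehave and Selenium), the following Python sketches the mechanism described above: a security requirement written as a Given/When/Then scenario is matched against step definitions and executed as a test, so the natural-language text and the automated check are the same artefact. The step phrases, the story text and the two stand-in applications are constructed for this example.

```python
import re
STEPS = []  # (compiled pattern, handler) pairs registered by the @step decorator

def step(pattern):
    """Register a natural-language step; regex groups become handler arguments."""
    def register(fn):
        STEPS.append((re.compile(r"^(?:Given|When|Then|And) " + pattern + r"$"), fn))
        return fn
    return register

@step(r"the user logs in as (\w+)")
def when_login(ctx, user):
    ctx["headers"] = ctx["app"](user)  # ctx["app"] is the application under test

@step(r"the session cookie should have the (\w+) flag set")
def then_cookie_flag(ctx, flag):
    session = [v for n, v in ctx["headers"]
               if n.lower() == "set-cookie" and v.startswith("JSESSIONID=")]
    assert session, "no session cookie was issued"
    attrs = [a.strip().lower() for a in session[0].split(";")[1:]]
    assert flag.lower() in attrs, f"session cookie lacks {flag}: {session[0]}"

def run_scenario(story, app):
    """Run each step line against STEPS; returns (passed, message). An unmatched line fails."""
    ctx = {"app": app}
    for line in (l.strip() for l in story.splitlines()):
        if not line or line.startswith("Scenario:"):
            continue
        for pattern, fn in STEPS:
            m = pattern.match(line)
            if m:
                try:
                    fn(ctx, *m.groups())
                except AssertionError as e:
                    return False, f"{line} -> {e}"
                break
        else:
            return False, f"no step definition for: {line}"
    return True, "passed"

# Constructed story written like a BDD security requirement (not taken from BDD-Security).
STORY = """Scenario: Session cookie is neither script-readable nor sent in clear
When the user logs in as alice
Then the session cookie should have the Secure flag set
And the session cookie should have the HttpOnly flag set"""

# Constructed stand-ins for the application under test: each returns login response headers.
def hardened_app(user):
    return [("Set-Cookie", "JSESSIONID=c0ffee; Path=/; Secure; HttpOnly")]
def weak_app(user):
    return [("Set-Cookie", "JSESSIONID=c0ffee; Path=/")]
```

Running the same story against both stand-ins yields a pass for `hardened_app` and a failure naming the missing Secure flag for `weak_app`; in a CI pipeline that failure is what blocks the deploy.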
The talk will demonstrate how to configure the BDD-Security framework and how to integrate it with the Jenkins CI server in order to provide continuous and in-depth security testing that includes both functional and non-functional testing.
The result is an automated process from code commit, to build, deploy and security testing where the results of the tests are understandable by all stakeholders.