Continuous Security Testing

Continuous Security Testing
Acceptance Test Driven Approach
Sunday, 15 December, 13

Who am I?
•Agile, TDD Coaching, Ugly Code
Cleaning Dude
•I love coding - Java, C#, Javascript, C/
C++, PHP, Perl, and some weird ones
•I speak English, Cantonese, and
Mandarin
2
Odd-e Pte. Ltd.
Steven Mak 麥天志
Agile Coach
Hong Kong
Email: steven@odd-e.com
Web: www.odd-e.com
Twitter: stevenmak

Do you automate your tests?
3

Is that what you feel?
4
Script Unreadable?
Keep Changing?
Time consuming
to write?

Technical
Activity
Workflow
Specification pyramid
5
RuleClarity
Stability
Specification
Users can
understand
Automation
Technical

Use Examples
6
With 3 judges giving
scores 4, 20, and 18,
the displayed score
should be 42.
When the first 2
judges have given
their scores, e.g. 10
and 5, the
intermediate score of
15 should be displayed
already.
No scores displayed as
a dash (–), not zero.
Maximum score from
a judge is 20 points!

Examples, Tests, and Spec
7
Examples Tests
Requirements
can become
elaborate
verify

More ideas from
• Threat Modelling
• Session-Based Test Management / Exploratory Testing
• Product Requirement
• Experts
8

Avoid handoff
9

Avoid imperative
• login
• enter username
• enter password
• enter homepage
• click category
• choose product
• put it on shopping cart
• click generate order
• .....
10

Avoid imperative
• login
• enter username
• enter password
• enter homepage
• click category
• choose product
• .....
11
Given I selected a doll in shopping cart
When I generate order
Then the order should contain doll
and the price is 83.55

Avoid imperative
• login
• enter username
• enter password
• enter homepage
• click category
• choose product
• .....
12
Given I selected a doll in shopping cart
When I generate order
Then the order should contain doll
and the price is 83.55
This “Given When Then” is a
common pattern called Gherkin

Good ones
• Focus on business, not software design
• Not coupled with code
• Not coupled with UI
• Concise
• Use domain languages
13
Getting us towards Living Documentation
and can be executed against existing
system

Robot Framework
www.robotframework.org
14

Test Tools
Robot Architecture
15
Test Data (Tables)
Robot Framework
Test Libraries
System Under Test
Test Library API
application interfaces
Robot comes with a number of built-in test libraries and
you can (should!) add your own.
Test libraries can use any test tool necessary to interact
with the system under test.

It's all in the tables
16

Test Cases are composed of
keyword-driven actions
17
!"#$%&'()*+%),'-./()0

17
!"#$%&'()*+%),'-./()0
this is the name of a test case

17
!"#$%&'()*+%),'-./()0
these keywords form the test case

17
!"#$%&'()*+%),'-./()0
keywords receive arguments

2 types of keywords
18

2 types of keywords
18
We can import keyword libraries for a test case

2 types of keywords
18
...and libraries may be conﬁgured, too.

2 types of keywords
18
This keyword comes from the imported library.

2 types of keywords
18
This keyword comes from the imported library.
This is a user keyword, implemented in table format.
(Think macros composed of other macros.)

19
Data-driven test cases
keywords receive arguments

20
using Template
*** Test Cases ***
Email Delivered Acceptance Rule
[Template] Confirm Email Delivered Workflow
sender@mail.com user@example.com 3asyp3asy 1
sender@nonexist.com user@example.com 3asyp3asy 0
*** Keywords ***
Confirm Email Delivered Workflow
[Arguments] ${sender} ${recipient} ${password} ${number_of_emails_expected}
Open Mail Box ${MAIL_SERVER} ${recipient} ${password}
Count Mail Received ${sender} ${number_of_emails_expected}
Keyword used as template
test data feed as arguments

Given-when-then (BDD)
21
*** Test Cases ***
Addition
Given calculator has been cleared
When user types "1 + 1"
and user pushes equals
Then result is "2"
*** Keywords ***
Calculator has been cleared
Push button C
User types "${expression}"
Push buttons ${expression}
User pushes equals
Push button =
Result is "${result}"
Result should be ${result}

Variables
22
!"#$"%&'(
)#*+,-*++"./,&$.'0

Other choices
• Cucumber
• Fitnesse
23

24
An Example

25
*** Settings ***
Resource resource.txt
*** Test Cases ***
Checking Opened Ports [Template] Only these ports are opened
22 25 80 135 139 445
*** Keywords ***
Only these ports are opened [Arguments] @{expected_ports}
@{actual_ports_opened}= Scan with Fast Mode ${HOST}
List Should Contain Sub List ${actual_ports_opened} ${expected_ports}
*** Settings ***
Library nmapLibrary
Library Collections
*** Variables ***
${HOST} www.scrumprimer.org
import nmap
class nmapLibrary:
def scan_with_fast_mode(self, host):
nm = nmap.PortScanner()
nm.scan(str(host), arguments="-F")
return [str(port) for port in nm[str(nm.all_hosts()[0].encode())].all_tcp()]
resource.txt
port_scanning.txt
nmapLibrary.py (with python-nmap)

26
pybot -d output nmap.txt
==============================================================================
Port Scaning
==============================================================================
Checking Openned Ports | PASS |
------------------------------------------------------------------------------
Nmap | PASS |
1 critical test, 1 passed, 0 failed
1 test total, 1 passed, 0 failed
==============================================================================
Output: /Users/stevenmak/Work/robotframework/securityTests/2013.12.14VXCon/output/output.xml
Log: /Users/stevenmak/Work/robotframework/securityTests/2013.12.14VXCon/output/log.html
Report: /Users/stevenmak/Work/robotframework/securityTests/2013.12.14VXCon/output/report.html
run the test:
report:
(also available in xml format for Jenkins integration)

More to wrap & integrate
• w3af
• garmr
• arachni
• dirb
• sslyze
• sqlmap
28

Acceptance Test Driven
Development
29
Discuss
in workshop
Develop
in concurrence
Deliver
for acceptance

30
Discuss
in workshop
Develop
in concurrence
Deliver
for acceptance
Focus on customer
collaboration and user
engagement. Try to get as
many of these people attend
as you can.
Product Owner
Dev Team
Users
IT operations
Help Desk
Tech Writers
?

31
Discuss
in workshop
Develop
in concurrence
Deliver
for acceptance
the displayed score
should be 42.
When the first 2
judges have given
and 5, the
already.
Maximum score from

31
Discuss
in workshop
Develop
in concurrence
Deliver
for acceptance
the displayed score
should be 42.
When the first 2
judges have given
and 5, the
already.
Maximum score from
Robot tests are written in tables
so that computers can read them

32
Deliver
for acceptance
Discuss
in workshop
Develop
in concurrence

Collaboration is key
33
team gets
feedback
earlier
scope of work
is clear and
understood by
all
team
understands
what they're
implementing
shared
language and
vocabulary is
built
team
collaborates
closely with
product owner

CITCON Hong Kong
34
• When: Apr 11 & 12, 2014
• Cost: Free
• Registration: contact me
• Sponsorship Welcome!
http://citconf.com/hongkong2014/

Thank you for spending time with me this evening.
More feedback can be sent to:
35
Odd-e Hong Kong Ltd.
Steven Mak 麥天志
Agile Coach
Hong Kong
Email: steven@odd-e.com
Web: www.odd-e.com
Twitter: stevenmak

Continuous Security Testing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (11)

Similar to Continuous Security Testing

Similar to Continuous Security Testing (20)

More from Steven Mak

More from Steven Mak (9)

Recently uploaded

Recently uploaded (20)

Continuous Security Testing