Advanced Mobile Security automation in your SDLC through BDD tests
In the era of Agile, DevOps and CI/CD, enterprises constantly face security challenges, especially in mobile, where security is still underestimated. One of the main issues is the speed and repeatability of security tests for each release or build. This applies in particular to the development of mobile apps, where no common approach to automated security testing has been defined yet. To reach the required speed of deployment, security has to fit into the process differently: automating security tests, and producing evidence that they ran, becomes a valid option. In the security maturity model, this maps to DevSecOps teams and their capability to release faster. So, as security engineers, we have a few challenges to tackle:
- provide security at DevSecOps speed,
- detect vulnerabilities in early stages of development,
- have developers understand security,
- have penetration testers focus on more sophisticated attack patterns against iOS and Android apps.
So, how do we get there? Let’s look at the challenges:
1. Mobile security testing is complex if we consider the number of technologies, operating systems, security controls and libraries, and the different ways of testing. Manual security testing alone is no longer an option, and automation frameworks must be adopted. The OWASP Mobile AppSec Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG) are becoming the de facto standard for mobile application security testing, but one of the biggest challenges of adopting MASVS is how to make the tests automated, repeatable and scalable at DevOps speed throughout the whole SDLC.
2. Mobile developers already test their apps using mobile UI automation frameworks such as Calaba.sh, Appium, Espresso and so on. To make their tests understandable by multiple profiles in the company (from the testers themselves to upper management), DevOps introduced BDD testing (Behaviour Driven Development) using Cucumber and the well-known Gherkin language.
This workshop introduces a new, practical way of automating mobile security tests and will show how to:
- automate the use of a combination of existing penetration testing frameworks (Drozer and Needle),
- automate the UI,
- automate the underlying system commands available in the mobile OS,
- write tests in BDD fashion using Gherkin and Cucumber.
After the workshop, the audience will understand how to create security tests using different mobile UI automation frameworks and different languages (Java, Ruby). Going through practical examples, we will write, execute and integrate these tests into a CI/CD pipeline using Docker containers, retrieve the test results, and kick off automatic tests when a flaw is discovered in a manual penetration test. A GitHub repo will be available after the Open Summit in London. In practice, we will teach how to automate OWASP MASVS checks by writing BDD tests.
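As an added illustration of the approach (not code from the workshop or its GitHub repo), the Ruby block below phrases a MASVS-style build-hardening check as a Gherkin scenario and runs it against a constructed decoded AndroidManifest.xml. The tiny `step`/`run_feature` registry is a hypothetical stand-in for Cucumber's step definitions so the example runs without the cucumber gem, and the two flags checked (`android:debuggable`, `android:allowBackup`) are assumed as the requirement under test.

```ruby
require 'rexml/document'

# Constructed sample: a decoded AndroidManifest.xml with two weak flags set.
SAMPLE_MANIFEST = <<~XML
  <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <application android:debuggable="true" android:allowBackup="true"/>
  </manifest>
XML

# The check as a developer would phrase it in Gherkin (Cucumber syntax).
FEATURE = <<~GHERKIN
  Feature: MASVS build hardening
    Scenario: Release build must not be debuggable or allow backups
      Given the decoded AndroidManifest.xml of the app
      Then the application must not set android:debuggable to true
      And the application must not set android:allowBackup to true
GHERKIN

# Hypothetical stand-in for Cucumber's step registry (not the cucumber gem): regex => block.
STEPS = {}
def step(regex, &blk)
  STEPS[regex] = blk
end

step(/^the decoded AndroidManifest\.xml of the app$/) do |ctx|
  ctx[:app] = REXML::Document.new(ctx[:manifest]).elements['manifest/application']
end
step(/^the application must not set android:(\w+) to true$/) do |ctx, attr|
  value = ctx[:app].attributes["android:#{attr}"]
  raise "android:#{attr}=\"#{value}\"" if value == 'true'
end

# Runs every Given/When/Then/And/But line against a manifest; returns [passed, failed].
def run_feature(feature, manifest)
  ctx = { manifest: manifest }
  passed, failed = [], []
  feature.each_line.map(&:strip).each do |line|
    next unless line =~ /^(?:Given|When|Then|And|But) (.+)$/
    text = Regexp.last_match(1)
    regex, blk = STEPS.find { |r, _| r.match?(text) }
    raise "undefined step: #{text}" unless regex
    begin
      blk.call(ctx, *regex.match(text).captures)
      passed << text
    rescue => e
      failed << "#{text} (#{e.message})"   # failed step names the offending flag
    end
  end
  [passed, failed]
end
```

In a pipeline the manifest would come from the decoded build artifact, and a non-empty failed list would fail the CI job.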