We may identify secure code vulnerabilities by using the keywords, secure code patterns and risky APIs listed in the table in the previous section. This can be a simple and quick solution to apply to any partial source code. However, the biggest problem of this approach is the false-positive rate, which needs to be optimized by defining proper secure code regular expression match patterns. We will introduce two tools that can do a quick scan of the source code, based on key secure code patterns.
Quick and simple secure code scanning tools
by Tony Hsiang-Chih Hsu
Practical Security Automation and Testing
- Title Page
- Copyright and Credits
- About Packt
- Contributors
- Preface
- The Scope and Challenges of Security Automation
- Integrating Security and Automation
- Secure Code Inspection
- Case study – automating a secure code review
- Secure coding patterns for inspection
- Quick and simple secure code scanning tools
- Case study – XXE security
- Case study – deserialization security issue
- Summary
-  Questions
- Further reading
- Sensitive Information and Privacy Testing
- Security API and Fuzz Testing
- Automated security testing for every API release
- Building your security API testing framework
- Summary
- Questions
- Further reading
- Web Application Security Testing
- Case study – online shopping site for automated security inspection
- Case 1 – web security testing using the ZAP REST API
- Case 2 – full automation with CURL and the ZAP daemon
- Case 3 – automated security testing for the user registration flow with Selenium
- Summary
- Questions
- Further reading
- Android Security Testing
- Infrastructure Security
- The scope of infrastructure security
- Secure configuration best practices
- Network security assessments with Nmap
- CVE vulnerability scanning
- HTTPS security check with SSLyze
- Behavior-driven security automation – Gauntlt
- Summary
- Questions
- Further reading
- BDD Acceptance Security Testing
- Project Background and Automation Approach
- Automated Testing for Web Applications
- Automated Fuzz API Security Testing
- Fuzz testing and data
- API fuzz testing with Automation Frameworks
- Summary
- Questions
- Further reading
- Automated Infrastructure Security
- Managing and Presenting Test Results
- Summary of Automation Security Testing Tips
- List of Scripts and Tools
- Solutions
- Chapter 1: The Scope and Challenges of Security Automation
- Chapter 2: Integrating Security and Automation
- Chapter 3: Secure Code Inspection
- Chapter 4: Sensitive Information and Privacy Testing
- Chapter 5: Security API and Fuzz Testing
- Chapter 6: Web Application Security Testing
- Chapter 7: Android Security Testing
- Chapter 8: Infrastructure Security
- Chapter 9: BDD Acceptance Security Testing
- Chapter 10: Project Background and Automation Approach
- Chapter 11: Automated Testing for Web Applications
- Chapter 12: Automated Fuzz API Security Testing
- Chapter 13: Automated Infrastructure Security
- Chapter 14: Managing and Presenting Test Results
- Other Books You May Enjoy
Quick and simple secure code scanning tools
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.