Reputation: 1702
I am wondering which of the OWASP Top 10 (A1-A10) can be automated. Is it possible to automate their testing using Selenium? If not, which tool can be used to automate them? Also, are there any documents, guidelines or examples that can be followed or referred to?
Thanks in advance.
Upvotes: 0
Views: 613
Reputation: 4173
There are a lot of tools that do this automatically.
If you are asking this, you either don't have enough experience in security or you don't have enough experience in automation.
It is one thing to know security and another to write effective automated scenarios. What you could do is automate some specific scenarios as regression tests.
For security purposes, please use existing tools to scan for vulnerabilities, plus manual testing and analysis.
As a conclusion: yes, as @psiinon said, you can automate, and it is better to have an automated scan, but implementing it manually will require a lot of effort to do in an efficient way with good coverage.
Make sure you completely understand what you are trying to automate, make a plan and investigate further to see what the options are. Also check whether there are any related security libraries you can use for the programming language in use.
Upvotes: 2
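One way to turn a specific finding into an automated regression scenario, as the answer above suggests. This is an added example and not the answerer's code: the two small WSGI handlers (the vulnerable "before" state and the escaped "after" state), the parameter name `q` and the probe string are all constructed for illustration. The `fetch` callback is the seam where a browser-driven suite would plug in Selenium's `driver.get()` / `driver.page_source` instead of the in-process call used here.

```python
"""Security regression scenario for one finding: reflected XSS in a search
parameter. Added example; the handlers, parameter name and probe string are
assumptions made for illustration, not code from the original answer."""
import html
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

# Constructed probe: must never appear unescaped in any response body.
XSS_PROBE = '<img src=x onerror="alert(1)">'


def vulnerable_search(environ, start_response):
    """'Before' state of the fix: reflects the q parameter raw into the page."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    body = f"<html><body><p>Results for: {q}</p></body></html>".encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def fixed_search(environ, start_response):
    """'After' state: HTML-escapes the untrusted value before rendering."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    safe = html.escape(q, quote=True)
    body = f"<html><body><p>Results for: {safe}</p></body></html>".encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def wsgi_get(app, path, params):
    """Minimal in-process GET against a WSGI app (no socket). Returns (status, body)."""
    environ = {"PATH_INFO": path, "QUERY_STRING": urlencode(params)}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


def xss_regression(fetch, payload=XSS_PROBE):
    """The scenario itself: send the probe and report how it came back.
    `fetch(params) -> body` abstracts the transport; here it is an in-process
    WSGI call, in a Selenium suite it would be driver.get(url) + page_source."""
    body = fetch({"q": payload})
    return {
        "reflected_raw": payload in body,                        # finding is back
        "escaped": html.escape(payload, quote=True) in body,     # fix is in place
    }


def run_suite():
    """Run the scenario against both states so the suite documents the fix."""
    return {
        "vulnerable": xss_regression(lambda p: wsgi_get(vulnerable_search, "/search", p)[1]),
        "fixed": xss_regression(lambda p: wsgi_get(fixed_search, "/search", p)[1]),
    }


if __name__ == "__main__":
    for name, result in run_suite().items():
        verdict = "FAIL (regression)" if result["reflected_raw"] else "pass"
        print(f"{name:10} {verdict} {result}")
```

The point of keeping `xss_regression` transport-agnostic is that the same assertion runs in seconds in unit tests and, with a real `fetch`, against a deployed environment in CI; the scenario only encodes one verified finding, which is what makes it cheap to maintain compared with trying to automate a whole category of the Top 10 by hand.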
Reputation: 6234
I'd say:
Finding security vulnerabilities is hard; automation should be seen as a way to cut down the time and effort spent on manual testing rather than replacing it. One of the advantages of automated testing is that you can do it at any time (e.g. as part of CI/CD) rather than waiting until near the end and getting the pentesters in.
In all cases, manual verification of any potential vulnerabilities found using automation is important.
Have a look at https://www.owasp.org/index.php/ZAPpingTheTop10 which is focused on ZAP. Automation is definitely a focus for ZAP (and one of the key ways we use it in Mozilla) and, not surprisingly, it's something I'd recommend using (I'm the ZAP project lead ;)
Upvotes: 2
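A concrete way to wire the two points above (scan in CI/CD, but route findings through manual verification) into a pipeline step. This is an added example, not code from the answer or from the ZAP project: it consumes a JSON report in the layout ZAP's JSON report uses (`site[].alerts[]` entries carrying `pluginid`, `riskcode`, `confidence` and `instances`), and the embedded report is a constructed sample whose URLs and findings are made up, with plugin ids and names loosely following ZAP's. The fail/review/accepted policy and its thresholds are assumptions to adapt to your own risk appetite.

```python
"""CI gate over a ZAP-style JSON report. Added example; the sample report is
constructed and the triage policy is an assumption, not ZAP's own behaviour."""
import json
import sys

# Constructed sample in the shape of ZAP's JSON report; not real scan output.
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://app.example.test",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "riskdesc": "High (Medium)", "cweid": "89",
             "instances": [{"uri": "http://app.example.test/search?q=1", "method": "GET", "param": "q"}]},
            {"pluginid": "6", "alert": "Path Traversal", "riskcode": "3", "confidence": "1",
             "riskdesc": "High (Low)", "cweid": "22",
             "instances": [{"uri": "http://app.example.test/download?file=x", "method": "GET", "param": "file"}]},
            {"pluginid": "10020", "alert": "Missing Anti-clickjacking Header", "riskcode": "2", "confidence": "2",
             "riskdesc": "Medium (Medium)", "cweid": "1021",
             "instances": [{"uri": "http://app.example.test/", "method": "GET", "param": ""}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
             "riskdesc": "Low (Medium)", "cweid": "693",
             "instances": [{"uri": "http://app.example.test/static/app.js", "method": "GET", "param": ""}]},
        ]}]})

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}


def triage(report_json, fail_at=2, min_confidence=2, accepted=None):
    """Split alerts into three buckets.

    accepted: pluginid -> reason recorded after a human verified the alert
              (false positive or accepted risk); these never block the build.
    fail:     risk >= fail_at AND confidence >= min_confidence; blocks the build.
    review:   everything else (low risk, or high risk the scanner is unsure of);
              reported for manual verification but does not block on its own.
    """
    accepted = accepted or {}
    buckets = {"fail": [], "review": [], "accepted": []}
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            risk, conf = int(alert["riskcode"]), int(alert["confidence"])
            item = {
                "pluginid": alert["pluginid"],
                "alert": alert["alert"],
                "risk": RISK.get(risk, str(risk)),
                "confidence": CONFIDENCE.get(conf, str(conf)),
                "site": site.get("@name", ""),
                "instances": [(i.get("method", ""), i.get("uri", ""), i.get("param", ""))
                              for i in alert.get("instances", [])],
            }
            if alert["pluginid"] in accepted:
                item["reason"] = accepted[alert["pluginid"]]
                buckets["accepted"].append(item)
            elif risk >= fail_at and conf >= min_confidence:
                buckets["fail"].append(item)
            else:
                buckets["review"].append(item)
    return buckets


def gate(report_json, **policy):
    """CI entry point: print every alert with its instances (so a human can
    verify it) and return the process exit code, 1 meaning block the pipeline."""
    buckets = triage(report_json, **policy)
    for name in ("fail", "review", "accepted"):
        for item in buckets[name]:
            print(f"[{name.upper():8}] {item['risk']}/{item['confidence']} "
                  f"{item['pluginid']} {item['alert']}")
            for method, uri, param in item["instances"]:
                print(f"            {method} {uri} param={param!r}")
    return 1 if buckets["fail"] else 0


if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    # Assumed accepted-findings list; in practice this lives in the repo and
    # every entry carries the reason a person signed it off.
    sys.exit(gate(report, accepted={"10020": "verified: app pages are not framable cross-origin"}))
```

Run against a real report by passing its path (ZAP's packaged `zap-baseline.py` scan script can write one with its `-J` option, and the full report can also be pulled from the ZAP API). The design choice worth copying is that a high-risk alert the scanner is not confident about goes to review rather than silently failing or passing: it keeps the build honest without training the team to ignore a noisy red gate, and the accepted list forces the manual-verification decision to be written down rather than encoded as a blanket severity threshold.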