Nullcon Sep Online Training 2021

Trainer Name: Riddhi Shree

Title: SecQAtion: Tools and Techniques for Security Tests Automation

Duration: 4 Days

Dates: Sept. 27, 2021 To Sept. 30, 2021

Time: 12:30 p.m. To 4:30 p.m.


Training objective:

In this hands-on training you will get a quick understanding of common security vulnerabilities found in web applications, and you will learn how to use freely available tools and techniques to write beginner- and business-friendly automated test cases that maximize your efficiency as an application pentester. Tools you will learn to use to your advantage include Robot Framework, Selenium, Burp Suite, and Docker. The focus is mostly on leveraging Robot Framework in local and Dockerized environments.
 
Training level: Basic to Intermediate

Training outline:

DAY-1: General Understanding of Security Testing Approach

  • A walkthrough of OWASP top 10 vulnerabilities
  • A brief discussion about flaws/inconveniences with the usual security testing approach
  • Introduction to Robot Framework
  • Understanding how to leverage Robot Framework
  • Practice tasks

DAY-2: All About Robot Framework

  • Configuring PyCharm
  • Defining file and folder structure for managing test automation
  • Defining efficient test keywords
  • Running tests locally and viewing test report
  • Running parallel test cases
  • Intercepting API requests and responses
  • Analyzing the captured requests and responses using the Burp Suite proxy tool
  • Practice tasks

DAY-3: Leveraging Docker and Selenium

  • Understanding basics of Docker and docker-compose
  • Learning how to Dockerize the Selenium test automation environment
  • Modifying automation scripts to execute in headless mode
  • Triggering test automation execution from a build pipeline
  • Serving test reports via S3 and Cloudfront
  • Practice tasks

DAY-4: Customizations & Extensions

  • Understanding the basics of Python programming
  • Adding custom Robot Framework keywords using Python
  • Exploring features of Burp Suite proxy tool
  • Understanding the benefits of everything learned so far vs. the manual approach
  • Practice tasks
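As an added example (not material from the training or from the trainer), here is a plain-Python keyword library of the kind the Day 4 topic "Adding custom Robot Framework keywords using Python" covers, with the checks an application pentester would want to automate. Robot Framework exposes every public function of an imported Python module as a keyword, so no Robot-specific imports are needed and the file also runs on its own. The header baseline, the .robot usage shown in the docstring, and the sample responses are assumptions constructed for this example.

```python
"""SecurityHeaderLibrary.py: a plain-Python Robot Framework keyword library.

Robot Framework exposes every public function in a module as a keyword, so
`response_should_have_secure_headers` can be called from a .robot file as
`Response Should Have Secure Headers`. The file also runs stand-alone.

Hypothetical .robot usage (assumes this file sits next to the suite):

    *** Settings ***
    Library    SecurityHeaderLibrary.py

    *** Test Cases ***
    Home Page Sends Hardened Response
        ${headers}=    Create Dictionary    X-Frame-Options=DENY    X-Content-Type-Options=nosniff
        Response Should Have Secure Headers    ${headers}
"""

# Minimum header set to enforce, each with a predicate on the header value.
# Assumption: this baseline is the example's own, not the training's.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

REQUIRED_COOKIE_ATTRS = ("secure", "httponly", "samesite")


def missing_security_headers(headers):
    """Return a sorted list describing required headers that are absent or weak.

    `headers` maps header name to value; lookup is case-insensitive, so the
    `.headers` object of a requests/RequestsLibrary response works directly.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    problems = []
    for name, is_acceptable in REQUIRED_HEADERS.items():
        value = lowered.get(name)
        if value is None:
            problems.append(f"{name}: missing")
        elif not is_acceptable(value):
            problems.append(f"{name}: weak value {value!r}")
    return sorted(problems)


def missing_cookie_attributes(set_cookie_value):
    """Return the hardening attributes a single Set-Cookie value lacks."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}  # skip name=value
    return [attr for attr in REQUIRED_COOKIE_ATTRS if attr not in present]


def response_should_have_secure_headers(headers):
    """Keyword: fail with one readable message listing every header problem."""
    problems = missing_security_headers(headers)
    if problems:
        raise AssertionError("Insecure response headers:\n  " + "\n  ".join(problems))


def cookie_should_be_hardened(set_cookie_value):
    """Keyword: fail unless the cookie carries Secure, HttpOnly and SameSite."""
    missing = missing_cookie_attributes(set_cookie_value)
    if missing:
        raise AssertionError(f"Cookie lacks attributes: {', '.join(missing)}")


# Constructed sample responses (not captured from any real application).
WEAK_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
}
WEAK_COOKIE = "session=abc123; Path=/; HttpOnly"
HARDENED_COOKIE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    # Stand-alone run: show what each keyword would report to Robot Framework.
    for label, hdrs in (("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(label, "headers ->", missing_security_headers(hdrs) or "OK")
    for label, cookie in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, "cookie ->", missing_cookie_attributes(cookie) or "OK")
```

Keywords that fail raise AssertionError with every problem in one message, so a single Robot test reports the full list instead of stopping at the first missing header; the pure helper functions can be reused from pytest or a Burp-driven script without Robot Framework installed.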

What to bring:

  • VirtualBox 6.1.22
  • Good Internet connection
  • A laptop that supports Docker
  • Check that you can import an Ubuntu virtual machine (OVA file) into VirtualBox without errors

Training prerequisites:

* Should not be scared of Linux, Docker, Selenium, Burp Suite, Python, and/or Robot Framework
* Should have an open mind and a willingness to learn new things
 
Who should attend?:

  • Security Analysts/Pentesters
  • Quality Testing Engineers
  • Developers

What to expect?:

  • You are expected to try out the examples explained during the training and to ask questions if anything is unclear.
  • As this is hands-on training, you are expected to be patient while others try out an example on their systems. Feel free to use this time to ask the trainer your questions.

What attendees will get:

  • An Ubuntu virtual machine to be imported into VirtualBox
  • Documentation containing the hands-on steps
  • Knowledge from the trainer's personal experience

What not to expect?:

Do not expect this training to be only about finding security vulnerabilities. This training is about learning techniques that can be used during security assessments to improve your overall test efficiency and coverage.

About the Trainer

Riddhi Shree is a Security Analyst Consultant with experience in web and mobile application security testing, test automation, functional testing, network penetration testing, website development, mobile app development, and agile project management. She is a passionate learner. She enjoys creating CTF challenges and hosting CTF events. She is an active leader of the Winja community (an open community for security enthusiasts). She has developed an intentionally vulnerable cloud-based Android application called "VyAPI". She has given multiple technical talks and trainings at security conferences including Nullcon, c0c0n, Hack-In-The-Box (HITB), ISC2, and BSides.