SELENIUM FRAMEWORK FOR WEB AUTOMATION TESTING: A SYSTEMATIC LITERATURE REVIEW

Software Testing plays a crucial role in making high-quality products. The process of manual testing is often inaccurate, unreliable, and needed more than automation testing. One of these tools, Selenium, is an open-source framework that used along with different programming languages: (python, ruby, java, PHP, c#, etc.) to automate the test cases of web applications. The purpose of this study is to summarize the research in the area of selenium automation testing to benefit the readers in designing and delivering automated software testing with Selenium. We conducted the standard systematic literature review method employing a manual search of 2408 papers, and applying a set of inclusion/exclusion criteria the final literature included 16 papers published between 2009 and 2020. The result is using Selenium as a UI for web automation, not only all of the app functionality that has been tested, But also it can be applied with added some method or other algorithms like data mining, artificial intelligence, and machine learning. Furthermore, it can be implemented for security testing. In the future research for selenium framework automation testing, the implementation should more focus on finding effective and maintainability on the application of Selenium in other methodologies and is applied with the better improvement that can be matched for web automation testing

Term-based composition of security protocols

In the context of security protocol parallel composition, where messages belonging to different protocols can intersect each other, we introduce a new paradigm: term-based composition (i.e. the composition of message components also known as terms). First, we create a protocol specification model by extending the original strand spaces. Then, we provide a term composition algorithm based on which new terms can be constructed. To ensure that security properties are maintained, we introduce the concept of term connections to express the existing connections between terms and encryption contexts. We illustrate the proposed composition process by using two existing protocols.Comment: 2008 IEEE International Conference on Automation, Quality and Testing, Robotics, Cluj-Napoca, Romania, May 2008, pp. 233-238, ISBN 978-1-4244-2576-

AndroShield:automated Android applications vulnerability detection, a hybrid static and dynamic analysis approach

The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution

Infrastructure as Code for Security Automation and Network Infrastructure Monitoring

The Corona Virus (COVID-19) pandemic that has spread throughout the world has created a new work culture, namely working remotely by utilizing existing technology. This has the effect of increasing crime and cyber attacks as more and more devices are connected to the internet for work. Therefore, the priority on security and monitoring of network infrastructure should be increased. The security and monitoring of this infrastructure requires an administrator in its management and configuration. One administrator can manage multiple infrastructures, making the task more difficult and time-consuming. This research implements infrastructure as code for security automation and network infrastructure monitoring including IDS, honeypot, and SIEM. Automation is done using ansible tools to create virtual machines to security configuration and monitoring of network infrastructure automatically. The results obtained are automation processes and blackbox testing is carried out and validation is carried out using a User Acceptance Test to the computer apparatus of the IT Poltek SSN Unit to prove the ease of the automation carried out. Based on the results of the UAT, a score of 154 was obtained in the Agree area with an acceptance rate of 81.05% for the implementation of infrastructure as code for the automation carried ou

Continuous Security Testing:A Case Study on Integrating Dynamic Security Testing Tools in CI/CD Pipelines

Continuous Integration (CI) and Continuous Delivery (CD) have become a well-known practice in DevOps to ensure fast delivery of new features. This is achieved by automatically testing and releasing new software versions, e.g. multiple times per day. However, classical security management techniques cannot keep up with this quick Software Development Life Cycle (SDLC). Nonetheless, guaranteeing high security quality of software systems has become increasingly important. The new trend of DevSecOps aims to integrate security techniques into existing DevOps practices. Especially, the automation of security testing is an important area of research in this trend. Although plenty of literature discusses security testing and CI/CD practices, only a few deal with both topics together. Additionally, most of the existing works cover only static code analysis and neglect dynamic testing methods. In this paper, we present an approach to integrate three automated dynamic testing techniques into a CI/CD pipeline and provide an empirical analysis of the introduced overhead. We then go on to identify unique research/technology challenges the DevSecOps communities will face and propose preliminary solutions to these challenges. Our findings will enable informed decisions when employing DevSecOps practices in agile enterprise applications engineering processes and enterprise security

A Novel VAPT Algorithm: Enhancing Web Application Security Trough OWASP top 10 Optimization

This research study is built upon cybersecurity audits and investigates the optimization of an Open Web Application Security Project (OWASP) Top 10 algorithm for Web Applications (WA) security audits using Vulnerability Assessment and Penetration Testing (VAPT) processes. The study places particular emphasis on enhancing the VAPT process by optimizing the OWASP algorithm. To achieve this, the research utilizes desk documents to gain knowledge of WA cybersecurity audits and their associated tools. It also delves into archives to explore VAPT processes and identify techniques, methods, and tools for VAPT automation. Furthermore, the research proposes a prototype optimization that streamlines the two steps of VAPT using the OWASP Top 10 algorithm through an experimental procedure. The results are obtained within a virtual environment, which employs black box testing methods as the primary means of data acquisition and analysis. In this experimental setting, the OWASP algorithm demonstrates an impressive level of precision, achieving a precision rate exceeding 90%. It effectively covers all researched vulnerabilities, thus justifying its optimization. This research contributes significantly to the enhancement of the OWASP algorithm and benefits the offensive security community. It plays a crucial role in ensuring compliance processes for professionals and analysts in the security and software development fields.Comment: 2nd International Conference on Software Engineering and Automation (SEAU 2023), November 11 ~ 12, 2023, Dubai, UA

Automated Man-in-the-Middle Attack Against Wi‑Fi Networks

Currently used wireless communication technologies suffer security weaknesses that can be exploited allowing to eavesdrop or to spoof network communication. In this paper, we present a practical tool that can automate the attack on wireless security. The developed package called wifimitm provides functionality for the automation of MitM attacks in the wireless environment. The package combines several existing tools and attack strategies to bypass the wireless security mechanisms, such as WEP, WPA, and WPS. The presented tool can be integrated into a solution for automated penetration testing. Also, a popularization of the fact that such attacks can be easily automated should raise public awareness about the state of wireless security

An anti-malware product test orchestration solution for multiple pluggable environments

The term automation gets thrown around a lot these days in the software industry. However, the recent change in test automation in the software engineering process is driven by multiple factors such as environmental factors, both external and internal as well as industry-driven factors. Simply, what we all understand about automation is - the use of some technologies to operate a task. The choice of the right tools, be it in-house or any third-party software, can increase effectiveness, efficiency and coverage of the security product testing. Often, test environments are maintained at various stages in the testing process. Developer’s test, dedicated test, integration test and pre-production or business readiness test are some common phrases in software testing. On the other hand, abstraction is often included between different architectural layers, ever-changing providers of virtualization platforms such as VMWare, OpenStack, AWS as test execution environments and many others with a different state of maintainability. As there is an obvious mismatch in configuration between development, testing and production environment; software testing process is often slow and tedious for many organizations due to the lack of collaboration between IT Operations and Software Development teams. Because of this, identifying and addressing test environmentrelated compatibility becomes a major concern for QA teams. In this context, this thesis presents a DevOps approach and implementation method of an automated test execution solution named OneTA that can interact with multiple test environments including isolated malware test environments. The study was performed to identify a common way of preparing test environments in in-house and publicly available virtualization platforms where distributed tests can run on a regular basis. The current solution allows security product testing in multiple pluggable environments in a single setup utilizing the modern DevOps practice to result minimum efforts. This thesis project was carried out in collaboration with F-Secure, a leading cyber security company in Finland. The project deals with the company’s internal environments for test execution. It explores the available infrastructures so that software development team can use this solution as a test execution tool