DSC Germany | Shift-Left-Security with the Security Test Pyramid
Questions? Join the conversation on Slack https://snyk.co/DSC-Slack-Invite channel #devseccon-germany
The test pyramid by Mike Cohn should be familiar to most developers and is often used in projects practicing test-driven development.
But does your test pyramid also include verification of application security?
In the context of agile development and continuous delivery, it is essential to continuously assess application security. The current pattern of conducting penetration tests just a few days before going live no longer scales. Instead, concrete security requirements must be specified in each sprint and those requirements have to be verified by corresponding (preferably automated) tests. This is the only way to achieve an effective shift-left for security.
In this talk, we will look at the well-known test pyramid from a security perspective. We will look at how to add effective security tests at each level of the pyramid. This way, a large part of the OWASP top 10 security categories can actually be covered by automated testing. This will be practically illustrated using live demos based on a Spring Boot Java application with automated tests for authentication, authorization, input validation, and SQL injection prevention, among others.
Speaker: Andreas Falk, Managing Consultant and Practice Lead Agile Security at NovaTec Consulting GmbH
Andreas Falk has been working on enterprise application development projects for more than twenty years. Currently, he is working as a managing consultant for Novatec Consulting, located in Germany. In various projects, he has since been around as an architect, coach, and developer. His focus is on the agile development of cloud-native enterprise Java applications using the complete Spring platform. As a member of the Open Web Application Security Project (OWASP), he likes to have a closer look at all aspects of application security as well. Andreas is also a frequent speaker at conferences.