Integrated security testing: finding security vulnerabilities with your existing test framework
Having a dedicated suite of continuously run security tests seems out of reach for all but the most mature security programs. Scanners only scratch the surface of your application. Yet many companies already have a large set of integration tests that snake their way deep into the application, covering nearly every workflow. In this talk, we will use a minimal amount of work to transform these integration tests into a suite of security tests.
Using Selenium, ZAP, and Postman, we will repurpose integration tests into security tests that search for common web application flaws such as XSS, XXE, and SQLi with more context than a scanner. These security tests will traverse the web application the same way a real user would. We will then extend these tests to find subtle security bugs in authorization, authentication, and business logic.
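As an added illustration (not code from the workshop repository), the two assertion layers described above, written so they run offline: one gates an integration test run on the alerts ZAP raised for the pages the test visited, the other replays the requests recorded during user A's workflow under user B's session and flags what still succeeds. The alert dicts follow the field names of ZAP's core alerts view (`alert`, `risk`, `url`, `param`); the `send` callable, the hostnames and the session labels are assumed stand-ins for a real Selenium/ZAP setup.

```python
# Added example: security assertions layered on an existing integration test.
# Alert shape assumed to match ZAP's /JSON/core/view/alerts/ output.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def failing_alerts(alerts, min_risk="High", allowlist=()):
    """Return sorted (name, url, param) tuples for ZAP alerts at or above
    min_risk, de-duplicated, skipping alert names on a tracked allowlist."""
    threshold = RISK_ORDER[min_risk]
    hits = set()
    for a in alerts:
        if a["alert"] in allowlist:
            continue
        if RISK_ORDER.get(a["risk"], 0) >= threshold:
            hits.add((a["alert"], a["url"], a.get("param", "")))
    return sorted(hits)

def cross_user_replay(recorded, other_session, send):
    """Replay requests captured while user A ran the workflow, but with user
    B's session. A 2xx reply means the resource was served without an
    ownership check: a candidate authorization (IDOR) bug for the test to fail on."""
    findings = []
    for req in recorded:
        status = send(req["method"], req["url"], other_session)
        if 200 <= status < 300:
            findings.append((req["method"], req["url"], status))
    return findings

# Constructed sample data standing in for a live ZAP instance and HTTP client.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://app.test/search?q=x", "param": "q"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://app.test/", "param": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://app.test/search?q=x", "param": "q"},  # same page, 2nd visit
]
RECORDED = [  # resource-scoped requests captured from user A's Selenium run
    {"method": "GET", "url": "http://app.test/invoices/42"},
    {"method": "DELETE", "url": "http://app.test/invoices/42"},
    {"method": "GET", "url": "http://app.test/invoices/42/pdf"},
]

def fake_send(method, url, session):
    # Simulated server: invoice 42 belongs to user-a. GET on the invoice
    # lacks an ownership check (the bug); DELETE and the PDF export have one.
    if method == "GET" and url.endswith("/invoices/42"):
        return 200
    return 200 if session == "user-a" else 403

if __name__ == "__main__":
    print(failing_alerts(SAMPLE_ALERTS))
    print(cross_user_replay(RECORDED, "user-b", fake_send))
```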
This session is ideal for testers and developers interested in making security testing part of their continuous integration pipeline.
If you are planning to attend, please go to
https://github.com/distrustCaution/integrated-security-example
and follow the install steps before the workshop.