Integrated security testing: Turn your QAs into hackers by leveraging your existing test framework

Presented at ToorCon San Diego 20 (2018), Sept. 15, 2018, 5 p.m. (50 minutes)

Having a dedicated suite of continuously run security tests seems out of reach for all but the most mature security programs, and scanners only scratch the surface of your application. Yet many companies already have integration tests that snake their way deeply into their web application, covering nearly every workflow. In this talk, we will use a minimal amount of work to transform these integration tests into a suite of security tests. Using Selenium and ZAP, we will repurpose integration tests to search for common web application flaws such as XSS and SQLi with more context than a scanner; these security tests traverse the web application the same way a real user would. We will then extend them to find subtle security bugs in authorization and business logic alongside those standard web application bugs. This session is ideal for testers and developers interested in making security testing part of their continuous integration pipeline.
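The authorization step of the abstract is the one a scanner cannot do on its own, so here is an added example of the idea (written for this page, not code from the talk or from DocuSign): take the requests a logged-in user's integration test made, replay each one with a second user's session, and report every request the second user can make with an identical result. In the talk's setup the request list would come from ZAP sitting as a proxy between Selenium and the application; here it is a constructed list, the application is a deliberately flawed toy server built on the standard library, and the user names, cookie values and document IDs are all invented for the demo.

```python
"""Authorization replay check over a recorded user workflow (added example).

Assumptions (constructed for the demo, not from the talk): a toy app in which
documents belong to users and a "session" cookie identifies the caller, and a
recorded list of paths standing in for what ZAP would capture from Selenium.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed data: cookie value -> user, document id -> owner and content.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
DOCUMENTS = {
    "1": {"owner": "alice", "body": "alice's contract"},
    "2": {"owner": "bob", "body": "bob's invoice"},
    "3": {"owner": "alice", "body": "alice's draft"},
}


class ToyApp(BaseHTTPRequestHandler):
    """Deliberately flawed app: /documents/<id> checks login but not ownership
    (an IDOR); /documents/<id>/download checks both. Constructed for the demo."""

    def _user(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "session":
                return SESSIONS.get(value)
        return None

    def do_GET(self):
        user = self._user()
        if user is None:
            return self._send(401, "login required")
        parts = self.path.strip("/").split("/")
        if len(parts) >= 2 and parts[0] == "documents" and parts[1] in DOCUMENTS:
            doc = DOCUMENTS[parts[1]]
            if len(parts) == 2:                     # missing ownership check
                return self._send(200, doc["body"])
            if parts[2] == "download":              # correct ownership check
                if doc["owner"] != user:
                    return self._send(403, "forbidden")
                return self._send(200, doc["body"])
        self._send(404, "not found")

    def _send(self, status, text):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    server = HTTPServer(("127.0.0.1", 0), ToyApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(base, path, session):
    """GET path as the given session; return (status, body) even on 4xx."""
    req = Request(base + path, headers={"Cookie": f"session={session}"})
    try:
        with urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def authz_replay(base, recorded_paths, victim_session, attacker_session):
    """Replay each recorded request with the attacker's session. A request the
    victim could make that yields the identical status and body for the
    attacker is reported as a candidate authorization bug."""
    findings = []
    for path in recorded_paths:
        victim = fetch(base, path, victim_session)
        attacker = fetch(base, path, attacker_session)
        if victim[0] == 200 and attacker == victim:
            findings.append(path)
    return findings


# Paths Alice's integration test visited (constructed; ZAP would capture these).
ALICE_WORKFLOW = ["/documents/1", "/documents/1/download", "/documents/3"]


def run_demo():
    server = start_server()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return authz_replay(base, ALICE_WORKFLOW, "sess-alice", "sess-bob")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path in run_demo():
        print("possible IDOR:", path)
```

The comparison is deliberately strict (same status and same body) so that an endpoint which returns 200 with a different, scoped body for the second user is not reported; loosening it to "attacker got 200" finds more but needs manual triage, which is the usual trade-off in this kind of test.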

Presenters:

  • hackimedes
    Morgan Roman works on the application security team at DocuSign. He started his career writing integration tests for web applications and APIs as a software development engineer in test. He is passionate about finding ways to automate security testing and make it part of the deployment process.
