Integrated security testing: Turn your QAs into hackers by leveraging your existing test framework, presented at ToorCon 2018 San Diego

by Hackimedes,

Summary: Having a scalable suite of continuously run security tests seems out of reach for all but the most mature security programs. Yet, many companies already have integration tests that snake their way deeply into their web application, covering nearly every workflow. In this talk, we will use a minimal amount of work to transform these integration tests into a suite of security tests to find subtle security bugs in authorization and business logic alongside the standard web application bugs like XSS and SQLi.

Having a dedicated suite of continuously run security tests seems out of reach for all but the most mature security programs. Scanners only scratch the surface of your application. Many companies already have integration tests that snake their way deeply into their web application, covering nearly every workflow. In this talk, we will use a minimal amount of work to transform these integration tests into a suite of security tests. Using Selenium and ZAP we will repurpose integration tests into security tests to search for common web application flaws such as XSS and SQLi with more context than a scanner. These security tests will traverse the web application the same way a real user would. We will then extend these tests to find subtle security bugs in authorization and business logic. This session is ideal for testers and developers interested in making security testing part of their continuous integration pipeline.
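The pattern the abstract describes, as an added example that is not code from the talk or its author: an existing Selenium workflow is driven through OWASP ZAP so the proxy records and then actively scans exactly the requests a real user makes, the resulting alerts are filtered against a triaged baseline so the suite fails only on new high-risk findings, and the same recorded URLs are replayed with a second user's session to catch the authorization bugs a scanner cannot see. It assumes ZAP is running locally with its API on 127.0.0.1:8080, that the `zapv2`, `selenium` and `requests` packages are installed, and that the application has the hypothetical `/login` and `/orders` routes, `#username`/`#password` fields and the constructed user accounts used in `run_example()`; the two pure functions that decide pass/fail need none of that.

```python
"""
Added example (not from the talk): run one Selenium integration test through
OWASP ZAP, fail on new high-risk alerts, and replay the visited URLs as a
second user to detect broken access control.
Assumptions: ZAP API on 127.0.0.1:8080; zapv2, selenium and requests installed;
a target app with the hypothetical routes and selectors used in run_example().
"""
import time
import urllib.parse

ZAP_PROXY = "127.0.0.1:8080"
ZAP_API_KEY = "REPLACE_WITH_YOUR_ZAP_API_KEY"   # placeholder, not a real key
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def failing_alerts(alerts, min_risk="High", baseline=frozenset()):
    """Select ZAP alerts that should fail the build.

    `alerts` is the list of dicts ZAP's core/view/alerts returns (keys include
    'risk', 'alert', 'url', 'param'). `baseline` holds (alert, url, param)
    tuples for findings already triaged, so only *new* findings fail the suite."""
    threshold = RISK_RANK[min_risk]
    new = []
    for a in alerts:
        if RISK_RANK.get(a.get("risk"), 0) < threshold:
            continue
        if (a.get("alert"), a.get("url"), a.get("param")) in baseline:
            continue
        new.append(a)
    return new


def cross_user_violations(replays, private_marker):
    """Authorization check a scanner cannot make on its own.

    `replays` is a list of (url, status, body) from re-requesting every URL
    user A visited during the integration test, but with user B's session.
    A 2xx response that still shows A's private data is a broken access
    control bug; 401/403/404 or a page without A's data is the expected outcome."""
    return [url for url, status, body in replays
            if 200 <= status < 300 and private_marker in body]


def same_origin_urls(urls, base):
    """Keep only URLs on the application under test; drop CDN/analytics hosts."""
    host = urllib.parse.urlparse(base).netloc
    return sorted({u for u in urls if urllib.parse.urlparse(u).netloc == host})


def zap_driver():
    """Headless Chrome routed through ZAP. Imports are local so the pure
    functions above stay usable without Selenium installed."""
    from selenium import webdriver
    opts = webdriver.ChromeOptions()
    opts.add_argument("--headless=new")
    opts.add_argument(f"--proxy-server=http://{ZAP_PROXY}")
    opts.add_argument("--ignore-certificate-errors")  # ZAP's MITM certificate
    return webdriver.Chrome(options=opts)


def login(driver, base, username, password):
    """Hypothetical login helper; selectors depend on the app under test."""
    driver.get(f"{base}/login")
    driver.find_element("id", "username").send_keys(username)
    driver.find_element("id", "password").send_keys(password)
    driver.find_element("css selector", "form button[type=submit]").click()


def run_example(base="http://app.example.test"):
    """One integration test turned into a security test (needs live ZAP + app)."""
    import requests
    from zapv2 import ZAPv2
    proxy = f"http://{ZAP_PROXY}"
    zap = ZAPv2(apikey=ZAP_API_KEY, proxies={"http": proxy, "https": proxy})
    zap.core.new_session(overwrite=True)

    # 1. Run the existing workflow as user A; ZAP records every request it makes.
    drv = zap_driver()
    try:
        login(drv, base, "alice", "alice-password")   # constructed test account
        drv.get(f"{base}/orders")                      # hypothetical route
        visited = same_origin_urls(zap.core.urls(base), base)
    finally:
        drv.quit()

    # 2. Actively scan only what the test exercised, with a logged-in context.
    scan_id = zap.ascan.scan(base)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(2)
    new_findings = failing_alerts(zap.core.alerts(baseurl=base), min_risk="High")

    # 3. Replay A's URLs with B's session cookies to test authorization.
    drv = zap_driver()
    try:
        login(drv, base, "bob", "bob-password")       # constructed test account
        cookies = {c["name"]: c["value"] for c in drv.get_cookies()}
    finally:
        drv.quit()
    replays = [(u, r.status_code, r.text) for u in visited
               for r in [requests.get(u, cookies=cookies, allow_redirects=False)]]
    leaks = cross_user_violations(replays, private_marker="alice@example.test")
    return new_findings, leaks


if __name__ == "__main__":
    findings, leaks = run_example()
    assert not findings and not leaks, (findings, leaks)
```

The baseline in `failing_alerts` is what keeps this usable in CI: known, accepted findings are recorded as (alert, url, param) tuples and the pipeline only breaks on something new, while the cross-user replay turns the same recorded workflow into an access-control test without writing a second test suite.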