Workshop: Security Testing Automation with Gauntlt and BDD-Security

Testing is a key part of development lifecycle, from checking your functional requirements actually work to constraining development to keep code focused and concise (TDD). Security testing however is often not conducted inside our lifecycle. We often wait until development is completed and ask third party penetration testing firms to find our issues for us.

This is a particularly bad idea in fast paced development teams.

Bugs are often missed or are found too late to remediate. Cost of remediation escalates and our systems become tightly coupled and increasingly fragile as a result.

Why would we want to finish engineering before finding fundamental security issues? Shouldn't we try to find these as early and often as possible? Shouldn't we take every opportunity to identify security flaws in our applications?

SafeStack helps teams weave security testing into their own testing lifecycle and tool chains without compromising agility or innovation.

This course is aligned with the Open Web Application Security Project (OWASP) top 10 application security vulnerabilities as well as providing solid grounding in how to bring security into their testing toolsets and working practices. This includes:

  • Security test cases, stories and what to test
  • Manual security testing key skills (parameter tampering, proxying and other basics)
  • Introduction to security testing frameworks
  • Automated security testing
  • Introduction to vulnerability scanning
  • Automated vulnerability scanning as part of development tool chains

This course is designed to be hands on and interactive. Lecture material is combined with a range of custom built labs and exercises to test students and let them experiment with the security in action.

Who should attend
Software testers engaged in or curious about automation.

Some knowledge of the OWASP top 10 vulnerabilities would be useful but not essential.

Computer setup
Delegates will need to bring a laptop with the ability to run a virtual machine (to be provided).