The "Plants vs. Zombies" game is used as an analogy to frame automated tests as a protective measure against security threats.
The OWASP Top 10 project is introduced, focusing on broken access control, cryptographic failures, and injection as key vulnerabilities to test for.
Practical code examples demonstrate how to write automated tests to detect cross-site scripting (XSS), CSRF, and SQL injection vulnerabilities.
Configure Cypress to check for the presence and correctness of Content Security Policy (CSP) headers to prevent certain types of injection attacks.
Cover authentication flows with dedicated tests, including negative test cases for invalid credentials, to prevent unauthorized access.
Cypress automatically fails tests on non-HTTPS sites, providing a built-in check for basic cryptographic failures like missing SSL/TLS certificates.
Beyond writing test cases, use tools for static analysis (SAST), dynamic analysis (DAST), and dependency scanning to find vulnerabilities you might not know about.
Adopt a repeatable process that involves learning your app's vulnerabilities, creating a test plan, writing targeted tests, and integrating them into your CI/CD pipeline.
Test automation is a powerful complement to other security measures, simple test cases are highly effective, and all testing types can be utilized.
Frame security tests as a "messenger" that automates vigilance, saving developers cognitive load and protecting user trust by catching issues early.
24:09Ramona Schwering
24:09
43:07Golo Roden
28:12Luise Freese
25:38Ramona Schwering
28:41Alexander Pirker
44:59Ramona Schwering
26:20Augustin Gottlieb
.png?w=240&auto=compress,format)
Jobs that call for the skills explored in this talk.
Saby New Compy
Karlsruhe, Germany
Think-cell
Foster City, United States of America
PVS eSolutions GmbH
PVS eSolutions GmbH