Penetration Testing in the Release Pipeline

Teams should take security seriously given today's online threats and follow secure coding and security testing practices. They should use web and native application scanning tools, both statically and dynamically, wherever possible and required. These tools can be time-consuming in a release pipeline, which is why you want to target your testing at real security requirements for fast feedback. Using a framework like BDD-Security you can use a collection of provided scenarios or write your own specific security tests. Potential vulnerabilities in a build candidate may be tested functionally, driven through Selenium WebDriver in the style of a traditional penetration test, or at the API level. SSL vulnerabilities can be checked and verified using SSLyze, and scans using the OWASP Zed Attack Proxy can be run. Example scenarios will be presented along with an example implementation of a release pipeline running against AWS, built from TeamCity using Ansible and executing vulnerability tests against both pre-production and production environments.
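The fast-feedback idea above, a pipeline step that turns scanner output into a pass/fail decision against explicit security requirements, as an added example in Python (not code from the talk, from BDD-Security or from ZAP). It assumes the ZAP JSON report layout of a `site` list whose entries carry `alerts` with `pluginid`, `alert`, `riskcode` ("0" to "3") and `instances`; the sample report, the host names and the accepted-risk reasons are constructed.

```python
"""
Release-pipeline security gate over a ZAP-style alert report.

Added example, not the talk's own code. The report layout (site -> alerts,
riskcode "0".."3", pluginid, instances) is assumed to follow the ZAP JSON
report; adjust load_findings() if your version differs.
"""
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report for a pre-production target (not a real scan).
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://preprod.example.test",
        "alerts": [
            {"pluginid": "10021", "riskcode": "1",
             "alert": "X-Content-Type-Options Header Missing",
             "instances": [{"uri": "https://preprod.example.test/"}]},
            {"pluginid": "40018", "riskcode": "3",
             "alert": "SQL Injection",
             "instances": [{"uri": "https://preprod.example.test/search"}]},
            {"pluginid": "10038", "riskcode": "2",
             "alert": "Content Security Policy (CSP) Header Not Set",
             "instances": [{"uri": "https://preprod.example.test/"},
                           {"uri": "https://preprod.example.test/login"}]},
        ],
    }],
})


def load_findings(report_json):
    """Flatten a ZAP-style JSON report into one dict per alert."""
    report = json.loads(report_json)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            findings.append({
                "site": site.get("@name", ""),
                "plugin_id": str(alert.get("pluginid", "")),
                "name": alert.get("alert", ""),
                "risk": int(alert.get("riskcode", "0")),
                "uris": [i.get("uri", "") for i in alert.get("instances", [])],
            })
    return findings


def evaluate(findings, fail_at=3, warn_at=2, accepted=None):
    """
    Apply the gate policy: a finding blocks the release when its risk is at
    or above fail_at and its plugin id is not in `accepted`, a mapping of
    plugin id -> documented reason for accepting that risk. Findings at or
    above warn_at are reported but do not block.
    """
    accepted = accepted or {}
    result = {"passed": True, "blocking": [], "warnings": [], "accepted": []}
    for f in findings:
        if f["plugin_id"] in accepted:
            result["accepted"].append({**f, "reason": accepted[f["plugin_id"]]})
        elif f["risk"] >= fail_at:
            result["blocking"].append(f)
        elif f["risk"] >= warn_at:
            result["warnings"].append(f)
    result["passed"] = not result["blocking"]
    return result


def gate_exit_code(result):
    """Non-zero exit fails the pipeline stage; zero lets the release proceed."""
    return 0 if result["passed"] else 1


def format_summary(result):
    """Short human-readable summary for the build log."""
    lines = ["PASS" if result["passed"] else "FAIL"]
    for label in ("blocking", "warnings", "accepted"):
        for f in result[label]:
            note = f" (accepted: {f['reason']})" if label == "accepted" else ""
            lines.append(f"  [{label}] {RISK_NAMES[f['risk']]} {f['plugin_id']} "
                         f"{f['name']} x{len(f['uris'])}{note}")
    return "\n".join(lines)


def main():
    findings = load_findings(SAMPLE_REPORT)
    # Constructed accepted-risk entry; a real pipeline would load this from
    # a versioned policy file alongside the code.
    result = evaluate(findings, accepted={"10038": "CSP rollout tracked, ticket PLACEHOLDER"})
    print(format_summary(result))
    return gate_exit_code(result)


if __name__ == "__main__":
    sys.exit(main())
```

Keeping the policy (thresholds and accepted risks with reasons) in version control next to the code is what makes the gate expressible as requirements rather than as a blanket "no findings" rule, and it keeps the stage fast because the decision is computed from a report the scanner already produced.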

Video producer: https://www.agileonthebeach.co.uk/