JS Do It.....Accurate Security Testing Automation for Developers

Rate this content
Bookmark

NeuraLegion's developer friendly security scanner enables development teams to run dead accurate security tests on every build as part of their pipeline. False alerts and periodic infrequent scanning results in technical and security debt, as well as insecure product. But what is developer first DAST, when and how should you be integrating it into your pipelines and what should you be looking for when enhancing your security testing automation? Join this talk to get up to date.

This talk has been presented at TestJS Summit 2021, check out the latest edition of this JavaScript Conference.

FAQ

Neuralegions is a dynamic application security testing scanner designed for developers, offering tools to automate security testing in continuous integration and continuous deployment (CI-CD) environments. It focuses on testing apps, APIs, and ensuring trusted security processes.

Neuralegions integrates seamlessly into CI-CD pipelines by allowing developers to build the scan surface from the first unit tests, running tests on every build or pull request, and configuring scans via CLI or YAML files, without generating false positives.

Neuralegions supports a wide range of applications and services including web apps, internal apps, RESTful APIs, SOAP APIs, GraphQL APIs, microservices, and single-page applications. It can scan both local and production URLs.

Yes, Neuralegions supports authenticated scans to maximize coverage. It accommodates various authentication methods including formal authentication, header authentication, NTLM, and custom multitask authentication.

Neuralegions aims to eliminate false positives by automatically validating every finding with a full proof of concept. This feature ensures that the results are accurate and developers don't spend time on manual validation.

Neuralegions can detect a comprehensive range of security vulnerabilities, including the OWASP Top Ten, OWASP API Top Ten, and the MITRE25. It also tests for business logic vulnerabilities by understanding application server responses to bypass logic or validation mechanisms.

Yes, Neuralegions can leverage existing functional testing scripts like Selenium or Cypress. Developers and QA teams can use these scripts to initiate security scans, treating security bugs similarly to functional bugs without needing deep cybersecurity knowledge.

Neuralegions offers developer-friendly remediation guidelines along with detailed insights into recurring or new issues. It provides all requests, responses, headers, and allows issues to be copied as a curl for debugging, including a retest feature to facilitate quick and easy remediation.

Oliver Moradov
Oliver Moradov
10 min
18 Nov, 2021

Comments

Sign in or register to post your comment.

Video Summary and Transcription

Neuralegions is a dynamic application security testing scanner designed for developers. It allows you to build the scan surface from the first unit tests, seamlessly integrating into your pipelines. With no false positives, you can trust the output to quickly detect and fix security vulnerabilities. Eurolegion provides comprehensive coverage, supporting web apps, internal apps, and APIs. It can handle client-side dynamic content and integrates with existing functional scripts. Scans are fast and can test for business logic vulnerabilities. Authenticated scans are fully supported. The biggest issue with security scanners is accuracy. Developers want to know real issues, not hyperbole. Neuralegion focuses on removing false positives automatically. It validates every finding with a full proof of concept, eliminating the need for manual validation. Full visibility of recurring and new issues is provided, along with developer-friendly remediation guidelines. Neuralegion seamlessly integrates into your pipeline, allowing developers to shift left and scan every commit or pull request.

1. Introduction to Neuralegions and Eurolegion

Short description:

Neuralegions is a dynamic application security testing scanner designed for developers. It allows you to build the scan surface from the first unit tests, seamlessly integrating into your pipelines. With no false positives, you can trust the output to quickly detect and fix security vulnerabilities. Eurolegion provides comprehensive coverage, supporting web apps, internal apps, and APIs. It can handle client-side dynamic content and integrates with existing functional scripts. Scans are fast and can test for business logic vulnerabilities. Authenticated scans are fully supported.

♪ Hey, TestJS. I'm Oli, VP here at Neuralegions Developer Focused Security Testing Scanner. Thanks for joining as we discuss accurate security testing automation for developers in the CI-CD.

Now a quick intro into Neuralegions. We're a global team of security experts and researchers creating the best dynamic application security testing scanner built to be loved by developers to test your apps, your APIs, but more importantly to also be trusted by your security.

You're releasing software faster than ever and security needs to keep up and this process needs to be owned by you, developers. We enable you to build the scan surface from the very first unit tests, running tests on every build or every pull request. This is seamlessly integrated into your pipelines, but more importantly with no false positives, so you can trust the output to make detecting and fixing security vulnerabilities really, really quick and really, really simple.

Let's take a look at what's under the hood. So sure, you know, we have a nice UI for security folk to play around with and configure scans manually. But we're built for developers to own the security testing process, as I mentioned, and if you sign up for our free account, you'll see this very, very nice UI. But you'll also immediately notice that you can run scans via the CLI repeater, installed by Docker Compose, NPM, Win, and can actually configure your scans as code. With a global YAML configuration-based files integrated into your CICD. For more info, you can obviously go and see our docs for a full command list. So you can actually stay in your terminal to manage these scans.

So how can you start automating your security testing today? Well, in terms of coverage, we've got you. With Eurolegion, you can start scanning every build for security vulnerabilities as part of your CI, whether that's against your web apps, your internal apps, or indeed against your APIs, whether that's REST, SOAP, or indeed GraphQL. Microservices and single-page applications are fully supported, whether pointing our scanner to a local or, indeed, a production URL, whether we are ingesting your API schemas or, indeed, Postman collections, or whether you're uploading your HTTP archive files, your HA files, into our engine.

This means you can really define the scope of the security test, perhaps against a single entry point or a single end point, or against a specific new feature that you've just made. These discovery methods can be run separately or, indeed, concurrently, meaning you can handle client-side dynamic content, JavaScript, and more. Are you using Selenium or, indeed, Cypress, for example? Well, you can start leveraging those existing functional scripts and get scanning with these half-files. This means your developers and QA can now start working together, treating security bugs like your functional ones without the need to be a cybersecurity expert.

Either way, scans are fast, running in minutes or hours, not days, maintaining your DevOps speed. The more you can find and fix, though, the better. We have a comprehensive list of testing categories, covering the OS top ten, the OS API top ten, the MITRE25, and indeed more. Additionally, our engine understands the context, understands the responses that we're getting back from the application server. And we can actually use this to test for business logic vulnerabilities. Not just your trivial injections, but how can our engine bypass the logic or the validation mechanisms in your applications and APIs, removing even more manual security testing and truly putting security testing into the hands of developers. Authenticated scans are fully supported to maximize coverage, whether using formal authentication or header authentication, NTLM, or indeed custom multitask authentication amongst others. We've got you covered in that respect.

2. Accuracy and Remediation with Neuralegion

Short description:

The biggest issue with security scanners is accuracy. Developers want to know real issues, not hyperbole. New Religion focuses on removing false positives automatically. Neural Edge and Scanner validate every finding with a full proof of concept, eliminating the need for manual validation. Full visibility of recurring and new issues is provided, along with developer-friendly remediation guidelines. All issues can be copied as a curl for debugging, and teams can be assigned to specific projects for scanning and global visibility. Neuralegion seamlessly integrates into your pipeline, allowing developers to shift left and scan every commit or pull request.

But I think the biggest issue with security scanners, though, is accuracy, right? Hands up if you love false alerts. Nah, I didn't think so. How much time do you spend validating issues or fixing issues from six months or a year ago? DevOps and CICD equals automation, correct? How can you do that without accuracy? Developers want to know real issues, not hyperbole.

People always talk about reducing false positives. Well, here at New Religion, we like to talk about removing false positives altogether for you automatically. Whether you're in a startup or a small organization, probably without a dedicated security team, or you might be a large enterprise organization where developers outweigh security by 50 or indeed 100 to 1. Either way, you're developing and releasing at breakneck speed with multiple builds a day, but also introducing security issues into production at the same speed too. The last thing you want to do is start introducing a bunch of false positives to your workload that needs validation, let alone not being able to actually validate your risk.

Results just get ignored, and pretty much the tool will be disabled. False positives in this manual validation of results is crippling your rapid release cycles and adds to your technical debt. Neural Edge and Scanner automatically validates every finding with a full proof of concept. With no manual validation required, your builds aren't going to be failing for no reason. This example on the right has an automatically generated screenshot of this reflective cross-site scripting security issue, which causes this pop up executable created perhaps by a malicious user. We automatically look for this reflection as part of our validation process and present it to you, confirming the issue and making sure you're not chasing your tail.

But now you know what's being reported as real. How do you fix the issues? Well, we give you full visibility of what's happening. Understand where your recurring issues are or new issues being detected. Again, fully validated automatically by the engine so you don't have to do it. Developer-friendly remediation guidelines are provided with additional resources to help you understand the issues and, more importantly, how to fix them. All requests, responses, headers are provided and all issues can be copied as a curl for debugging with a cool retest feature to execute the same attack or the same payload, making remediation quicker and easier for you, the developer. Assigning engineering teams or assets to specific projects allows you to segregate scanning and get global visibility whether that's of your scans or, indeed, your risk posture which means teams are creating the same issues then training can be provided. Look at it as secure training on the go. And all of this seamlessly integrated into your pipeline. With CICD and DevOps, we talk about shifting left. Dask has traditionally been carried out in stages 4 and 5 run by security professionals. Tools have been built for security professionals. You can start shifting left, putting Dask into the hands of developers with Neuralegion. Scan every commit or pull request, get immediate feedback of the issues, no false positives to start fixing now. We have integrations with all your common tools or better still use our API and integrate. Juror tickets can be opened, messages sent to relevant colleagues in Slack, collaboration is seamless, easy, and accurate. So, what are you waiting for? Sign up for a free account and you can be up and scanning in minutes. Connect with us, see our docs for more info.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Network Requests with Cypress
TestJS Summit 2021TestJS Summit 2021
33 min
Network Requests with Cypress
Top Content
Cecilia Martinez, a technical account manager at Cypress, discusses network requests in Cypress and demonstrates commands like cydot request and SCI.INTERCEPT. She also explains dynamic matching and aliasing, network stubbing, and the pros and cons of using real server responses versus stubbing. The talk covers logging request responses, testing front-end and backend API, handling list length and DOM traversal, lazy loading, and provides resources for beginners to learn Cypress.
Testing Pyramid Makes Little Sense, What We Can Use Instead
TestJS Summit 2021TestJS Summit 2021
38 min
Testing Pyramid Makes Little Sense, What We Can Use Instead
Top Content
Featured Video
Gleb Bahmutov
Roman Sandler
2 authors
The testing pyramid - the canonical shape of tests that defined what types of tests we need to write to make sure the app works - is ... obsolete. In this presentation, Roman Sandler and Gleb Bahmutov argue what the testing shape works better for today's web applications.
Full-Circle Testing With Cypress
TestJS Summit 2022TestJS Summit 2022
27 min
Full-Circle Testing With Cypress
Top Content
Cypress is a powerful tool for end-to-end testing and API testing. It provides instant feedback on test errors and allows tests to be run inside the browser. Cypress enables testing at both the application and network layers, making it easier to reach different edge cases. With features like AppActions and component testing, Cypress allows for comprehensive testing of individual components and the entire application. Join the workshops to learn more about full circle testing with Cypress.
Test Effective Development
TestJS Summit 2021TestJS Summit 2021
31 min
Test Effective Development
Top Content
This Talk introduces Test Effective Development, a new approach to testing that aims to make companies more cost-effective. The speaker shares their personal journey of improving code quality and reducing bugs through smarter testing strategies. They discuss the importance of finding a balance between testing confidence and efficiency and introduce the concepts of isolated and integrated testing. The speaker also suggests different testing strategies based on the size of the application and emphasizes the need to choose cost-effective testing approaches based on the specific project requirements.
Playwright Test Runner
TestJS Summit 2021TestJS Summit 2021
25 min
Playwright Test Runner
Top Content
The Playwright Test Runner is a cross-browser web testing framework that allows you to write tests using just a few lines of code. It supports features like parallel test execution, device emulation, and different reporters for customized output. Code-Gen is a new feature that generates code to interact with web pages. Playwright Tracing provides a powerful tool for debugging and analyzing test actions, with the ability to explore trace files using TraceViewer. Overall, Playwright Test offers installation, test authoring, debugging, and post-mortem debugging capabilities.
Everyone Can Easily Write Tests
TestJS Summit 2023TestJS Summit 2023
21 min
Everyone Can Easily Write Tests
Playwright is a reliable end-to-end testing tool for modern web apps that provides one API, full isolation, fast execution, and supports multiple languages. It offers features like auto-weighting, retrying assertions, seamless testing of iframes and shadow DOM, test isolation, parallelism, and scalability. Playwright provides tools like VS Code extension, UiMode, and Trace Viewer for writing, debugging, and running tests. Effective tests prioritize user-facing attributes, use playwright locators and assertions, and avoid testing third-party dependencies. Playwright simplifies testing by generating tests, providing code generation and UI mode, and allows for easy running and debugging of tests. It helps in fixing failed tests and analyzing DOM changes, fixing locator mismatches, and scaling tests. Playwright is open source, free, and continuously growing.

Workshops on related topic

Designing Effective Tests With React Testing Library
React Summit 2023React Summit 2023
151 min
Designing Effective Tests With React Testing Library
Top Content
Featured Workshop
Josh Justice
Josh Justice
React Testing Library is a great framework for React component tests because there are a lot of questions it answers for you, so you don’t need to worry about those questions. But that doesn’t mean testing is easy. There are still a lot of questions you have to figure out for yourself: How many component tests should you write vs end-to-end tests or lower-level unit tests? How can you test a certain line of code that is tricky to test? And what in the world are you supposed to do about that persistent act() warning?
In this three-hour workshop we’ll introduce React Testing Library along with a mental model for how to think about designing your component tests. This mental model will help you see how to test each bit of logic, whether or not to mock dependencies, and will help improve the design of your components. You’ll walk away with the tools, techniques, and principles you need to implement low-cost, high-value component tests.
Table of contents- The different kinds of React application tests, and where component tests fit in- A mental model for thinking about the inputs and outputs of the components you test- Options for selecting DOM elements to verify and interact with them- The value of mocks and why they shouldn’t be avoided- The challenges with asynchrony in RTL tests and how to handle them
Prerequisites- Familiarity with building applications with React- Basic experience writing automated tests with Jest or another unit testing framework- You do not need any experience with React Testing Library- Machine setup: Node LTS, Yarn
How to Start With Cypress
TestJS Summit 2022TestJS Summit 2022
146 min
How to Start With Cypress
Featured WorkshopFree
Filip Hric
Filip Hric
The web has evolved. Finally, testing has also. Cypress is a modern testing tool that answers the testing needs of modern web applications. It has been gaining a lot of traction in the last couple of years, gaining worldwide popularity. If you have been waiting to learn Cypress, wait no more! Filip Hric will guide you through the first steps on how to start using Cypress and set up a project on your own. The good news is, learning Cypress is incredibly easy. You'll write your first test in no time, and then you'll discover how to write a full end-to-end test for a modern web application. You'll learn the core concepts like retry-ability. Discover how to work and interact with your application and learn how to combine API and UI tests. Throughout this whole workshop, we will write code and do practical exercises. You will leave with a hands-on experience that you can translate to your own project.
Detox 101: How to write stable end-to-end tests for your React Native application
React Summit 2022React Summit 2022
117 min
Detox 101: How to write stable end-to-end tests for your React Native application
Top Content
WorkshopFree
Yevheniia Hlovatska
Yevheniia Hlovatska
Compared to unit testing, end-to-end testing aims to interact with your application just like a real user. And as we all know it can be pretty challenging. Especially when we talk about Mobile applications.
Tests rely on many conditions and are considered to be slow and flaky. On the other hand - end-to-end tests can give the greatest confidence that your app is working. And if done right - can become an amazing tool for boosting developer velocity.
Detox is a gray-box end-to-end testing framework for mobile apps. Developed by Wix to solve the problem of slowness and flakiness and used by React Native itself as its E2E testing tool.
Join me on this workshop to learn how to make your mobile end-to-end tests with Detox rock.
Prerequisites- iOS/Android: MacOS Catalina or newer- Android only: Linux- Install before the workshop
API Testing with Postman Workshop
TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
Top Content
WorkshopFree
Pooja Mistry
Pooja Mistry
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
Monitoring 101 for React Developers
React Summit US 2023React Summit US 2023
107 min
Monitoring 101 for React Developers
Top Content
WorkshopFree
Lazar Nikolov
Sarah Guthals
2 authors
If finding errors in your frontend project is like searching for a needle in a code haystack, then Sentry error monitoring can be your metal detector. Learn the basics of error monitoring with Sentry. Whether you are running a React, Angular, Vue, or just “vanilla” JavaScript, see how Sentry can help you find the who, what, when and where behind errors in your frontend project. 
Workshop level: Intermediate
Testing Web Applications Using Cypress
TestJS Summit - January, 2021TestJS Summit - January, 2021
173 min
Testing Web Applications Using Cypress
WorkshopFree
Gleb Bahmutov
Gleb Bahmutov
This workshop will teach you the basics of writing useful end-to-end tests using Cypress Test Runner.
We will cover writing tests, covering every application feature, structuring tests, intercepting network requests, and setting up the backend data.
Anyone who knows JavaScript programming language and has NPM installed would be able to follow along.