JS Security Testing Automation for Developers on Every Build

Rate this content
Bookmark
The video discusses a hands-on workshop on security testing automation for developers, focusing on Neuralegion's Developer First DAST. It explains the importance of security testing due to the vulnerability of applications and the growing attack surface. The workshop covers various topics, including creating an account, setting up the Neuralegion Repeater, and running a scan on a vulnerable environment called Broken Crystals. The video emphasizes the benefits of shifting left in security testing, integrating security tests earlier in the development process. It also highlights Neuralegion's ability to automatically validate findings, thus eliminating false positives. The workshop provides continuous support through Discord and encourages interaction and questions from participants.

From Author:

As a developer, you need to deliver fast, and you simply don't have the time to constantly think about security. Still, if something goes wrong it's your job to fix it, but security testing blocks your automation, creates bottlenecks and just delays releases...but it doesn't have to...

NeuraLegion's developer-first Dynamic Application Security Testing (DAST) scanner enables developers to detect, prioritise and remediate security issues EARLY, on every commit, with NO false positives/alerts, without slowing you down.

Join this workshop to learn different ways developers can access Nexploit & start scanning without leaving the terminal!

We will be going through the set up end-to-end, whilst setting up a pipeline, running security tests and looking at the results.

Table of contents:
- What developer-first DAST (Dynamic Application Security Testing) actually is and how it works
- See where and how a modern, accurate dev-first DAST fits in the CI/CD
- Integrate NeuraLegion's Nexploit scanner with GitHub Actions
- Understand how modern applications, APIs and authentication mechanisms can be tested
- Fork a repo, set up a pipeline, run security tests and look at the results

This workshop has been presented at TestJS Summit 2021, check out the latest edition of this JavaScript Conference.

FAQ

The workshop is a hands-on session focused on security testing automation for developers on every build. It aims to be interactive, fun, and laid-back while providing continuous support through Discord.

Security testing is crucial because applications are often the weakest link in terms of security. It helps surface vulnerabilities that malicious users might exploit, especially with the growing use of APIs, leading to a larger attack surface.

Neuralegion's Developer First DAST (Dynamic Application Security Testing) is a tool built from the ground up to enable developers to carry out security testing on web apps, internal apps, APIs (REST, SOAP, GraphQL), and server-side mobile applications. It integrates seamlessly into development pipelines and automatically validates findings to eliminate false positives.

Neuralegion's DAST tool automatically validates every finding, removing the noise of false positives. This ensures that developers receive actionable, accurate results without the need for manual validation.

Types of security testing that can be integrated include Software Composition Analysis (SCA) for dependencies and libraries, Static Application Security Testing (SAST) for code vulnerabilities, and Dynamic Application Security Testing (DAST) for live application vulnerabilities.

Neuralegion's DAST tool supports API security testing for REST, SOAP, and GraphQL APIs. It can consume API schemas like OpenAPI documentation and Postman collections to build the attack surface and run scoped security tests.

Shifting left in security testing means integrating security tests earlier in the development process, ideally into the hands of developers. This approach helps identify and fix vulnerabilities early, matching the rapid release cycles of modern development practices.

The Neuralegion Repeater is an open-source proxy that allows scanning of non-public-facing applications and internal environments. It helps integrate Neuralegion's DAST tool into local development setups and CI/CD pipelines.

Neuralegion's DAST tool can detect a wide range of vulnerabilities, including SQL injection, cross-site scripting, business logic vulnerabilities, open S3 buckets, and more. It also supports testing for various authentication mechanisms and multi-step authentication.

Neuralegion's DAST tool integrates seamlessly with CI/CD pipelines through various plugins and APIs. It supports popular CI/CD tools like GitHub Actions, Jenkins, CircleCI, GitLab, and others, allowing automated security tests on every build or commit.

Oliver Moradov
Oliver Moradov
Bar Hofesh
Bar Hofesh
111 min
15 Nov, 2021

Comments

Sign in or register to post your comment.

Video Transcription

1. Introduction to Security Testing Workshop

Short description:

This is a hands-on workshop on security testing automation for developers. We encourage interaction and questions in the Discord. We will provide continued support beyond the workshop. The agenda includes an introduction to security testing, an overview of New Religion and our DAST technology. We will then proceed with the workshop, covering forking the repo, running a scan, analyzing the results, and testing authentication mechanisms. All the necessary assets are available in the chat and Discord.

This very hands-on workshop on security testing automation for developers on every build. Again, it's going to be very hands-on. I think you will very quickly realize that we want this to be as fun, laid back and chilled as possible. But also we want you to be as interactive with us as possible.

So any questions, any issues, any jokes, whatever it is that you might want to throw out there, do so in the Discord ideally, because that way we can build up continuous conversation. You'll also find a lot of information on there. And like I mentioned, continued support beyond this workshop for any issues that you have. We do monitor it with our support engineers and basically the whole company to ensure that you're successful in your security testing.

So a brief agenda for today. I don't know if you're all at work, at home, whatever it might be, but we're going to go through a very brief introduction into security testing, why it's so important, a bit of an intro about New Religion, about our DAST just so you can understand it in a bit more detail. And I'm going to go straight into the workshop. So if you haven't already done so, I can already see a number of familiar names that have already signed up, which is great. But we're going to fork repo. We've got the example actions there if you haven't seen it already, we're going to run a scan together, we're going to look at the results, understand the results and go through authentication mechanisms, how you can test APIs, basically how you can, by the end of this one hour, 40 minutes, I'll try and give you 20 minutes back of your time. You'll see just how quick and easy it is, that actually you can now start to go away and start automating your security testing with our DAST technology. And so what you'll need, it is on the chat, it is in the discord server, perhaps if you're watching this at a later time, these are all the assets that you'll need to play along with us. If you weren't able to do it live, but again, they're all in the chat and they're all in the Discord if you haven't seen it already.

2. Introduction to Neuralegion's Developer First DAST

Short description:

Neuralegion is a developer-focused dynamic application security testing tool. It allows developers to build the scan surface from unit tests, schedule scans, and call scans as code. The tool automatically validates findings and provides developer-friendly remediation guidelines. Application security testing is crucial due to the vulnerability of applications and the growing attack surface. Static analysis tools have limitations and often produce false positives. Dynamic Application Security Testing (DAST) tools like Neurolegion's Developer First DAST provide a comprehensive security scan by looking at the built application from the outside in. DAST tools can identify real-world vulnerabilities and conduct penetration tests.

So a quick about Neuralegion, if you haven't already done your homework, which I hope most of you have, we're founded in 2018. We are a global team of developers, security researchers, ethical hackers, I suppose this is something that we are also, very, very passionate about, Barz laughing because he spearheads that side, but very, very passionate about application security testing, but more importantly, application security testing for developers. And we really do feel that we are changing the way that AppSec is being carried out, typically done by security professionals as well as security team, but actually we've been built from the ground up to really provide a developer focused dynamic application security testing tool to test your web apps, your internal apps, your APIs, whether that's REST, SOAP, or indeed GraphQL, server-side mobile applications, and of course their corresponding APIs. And we really are about giving you, the developer, the ability of building the scan surface from your very first unit tests, staying within your environment. Carrying out, scheduling scans, calling scans, as code, with the Command List as part of the CLI, seamlessly integrated into your development pipelines. And one thing that we'll get onto, and I'm sure you're all putting your hands in the air and saying, finally, a tool that actually automatically validates every finding, so no false positives, and actually gives you, the developer, developer-friendly remediation guidelines, actionable results, removing the noise, so that actually you can start to fix security bugs early, and often as part of your pipeline. I haven't even introduced myself. Oli here, VP at Neo Religion, and we're joined today by Bar Hoffesch, our CTO and co-founder. Bar, say hello. Hi everyone, nice to meet you. Just want to make sure you can hear me and your microphone is working. And it's also good to know that actually, I haven't just been speaking for three minutes and no one can hear me. What? No, just kidding. Very good. So if we could all just, you know, just want to make sure everyone can hear. If you can put a hi in the Discord, ideally, if not in the chat, let us know where you're from. And again, any questions, queries... Favorite meme, favorite emoji, whatever. Whatever it might be. We're all here to have a nice relaxing hour and a half. And hopefully we're going to learn something. Which Discord channel James? It is the TestJS one. So under Events, and then TestJS, and you should see it there. So let's... Oh, yeah. And a little bit of gloating. You can see here's a sort of selection of customers that are using our innovative technology, and they range from government, defense, insurance, financial services, anything from startups with a team of two to eight developers, all the way up to teams with 500 plus developers, but actually are moving away from their legacy tools and actually moving to new religion. And we'll go through very, very quickly the differences and how we feel that we're changing the security testing space and making it very easy for developers to adopt that.

So first of all, just why is application security testing so important? Very, very few, a quick sort of quotes here that were taken from Forreter's, the state of application security. Applications are and continue to be, they always have been, and they probably always will be the weakest link in terms of security testing. A large proportion of the attack surface, so it's hard to surface the malicious users hackers are going to be trying to exploit is gonna be on the application layer. We're seeing a massive rise in the use of APIs, and actually that translates into a very, very different threat model at an exponentially growing attack surface. And we really need to make sure that our products are intrinsically secure by design. And I'm sure many of you hate that time of the year perhaps when you get clobbered with a pen test report with issues that need to be fixed on things perhaps that you worked on three months ago, six months ago, or a year ago. You're not stopping. You're developing new features, new products at breakneck speed. And actually security testing is something that needs to keep up. And that's why we talk about shift left. Okay, so shifting security testing left earlier in the process, ideally into your hands, into the developers' hands so that security testing can match your rapid release cycles, right? Integrate it into your pipeline, picking you up on issues early, fix them at the most efficient time as possible, and hopefully the more often that you're going to be picked up on issues, the less time you're going to be making these mistakes. No one wants to produce insecure software, but it's really about being secure by design, finding issues as early as possible.

Now, let's have a look at some of the different types of security testing that you may already be familiar with, that you may be including in your pipelines already. And in fact, for those that are on the Discord or put it in the chat, which of these tools are you already using in your pipeline? Are you using SCA, Software Composition Analysis, looking at your dependencies, looking at your libraries, Snyk, White Source, JFrog amongst many others which are really leading the way with this type of security testing. Pablo uses Sona. Okay, Jalena is using Snyk, great tool as well. Really, really good to look at the libraries and dependencies as I mentioned that you're already looking for, White Source, check marks, wow! Okay, great. All the Israeli ones. They are actually Israeli. That's very, very true. But I noticed that no one yet has actually mentioned any DAST tools, which is quite interesting. If you're holding that back, because I haven't asked for it, please put those in there as well. It would be good to try and understand what you're looking at and perhaps we can look at the differences or try and understand the issues and pain points that you've been experiencing so far and how our technology might be able to deal with that. We then have your static analysis like Susanna uses check marks, for example. Sonocube is another one that's just been mentioned in the Discord. But these are tools that are looking at your code base, looking for vulnerabilities, almost like a spell check, but looks at things in a sort of one-dimensional space. When you're looking at microservices, when you look at single page applications, you know, the use of APIs, et cetera, actually while static analysis is a great tool to find things, there are two or three problems with that. Number one, they're plagued with false positives. Developers are often running around chasing their tale, chasing ghosts or chasing the tail of a ghost. I don't know how you might want to say it. You know, great, but actually it misses a lot of vulnerabilities, a lot of issues because when you look at the compiled application, the built application, actually it's running very, very differently. All the different microservices working together needs to be looked at in a very different, dynamic way of, you know, in the compiled or built application, and this is where DAS, or Dynamic Application Security Testing, and SIGCOMM comes into play like Neurolegion's Developer First DAST. So we look at the, the built compiled application, looking at it from the outside in, looking at it like a malicious user or like a hacker is interacting with your application to try and find real world, live vulnerabilities within your target applications. And this is how you can really do a very, very complete comprehensive security scan. This is what your penetration tests will be conducting, either using automated tools like Neurolegion's or indeed doing things in a manual way or perhaps in a manual way using other tools for that they use for pentesting. So really looking at it in a three dimensional way, looking at authentication mechanisms, being able to understand true logic based attacks for example. And Bar, I don't know if I've missed anything or you want to add anything to that? No, I think it was pretty, pretty comprehensive. Basically the differences between looking at the code and looking at the actual product. Once we compile, once we start running, you know, all of those microservices over all of those interactions between the different parts of the system become real, which means that things like database connection to or from your application is something that's a sust can actually verify, right? Because when it's still code, it's just, you know, words, strings and text. There is no functionality there yet, so running a DAST actually means all right, that's real, that's something which is there and we can verify it and give you actual answers. Yeah, I noticed that no one yet has mentioned which DAST they're using. Are you trying to keep us on our toes, everybody? Well, you're not using DAST.

Watch more workshops on topic

Designing Effective Tests With React Testing Library
React Summit 2023React Summit 2023
151 min
Designing Effective Tests With React Testing Library
Top Content
Featured Workshop
Josh Justice
Josh Justice
React Testing Library is a great framework for React component tests because there are a lot of questions it answers for you, so you don’t need to worry about those questions. But that doesn’t mean testing is easy. There are still a lot of questions you have to figure out for yourself: How many component tests should you write vs end-to-end tests or lower-level unit tests? How can you test a certain line of code that is tricky to test? And what in the world are you supposed to do about that persistent act() warning?
In this three-hour workshop we’ll introduce React Testing Library along with a mental model for how to think about designing your component tests. This mental model will help you see how to test each bit of logic, whether or not to mock dependencies, and will help improve the design of your components. You’ll walk away with the tools, techniques, and principles you need to implement low-cost, high-value component tests.
Table of contents- The different kinds of React application tests, and where component tests fit in- A mental model for thinking about the inputs and outputs of the components you test- Options for selecting DOM elements to verify and interact with them- The value of mocks and why they shouldn’t be avoided- The challenges with asynchrony in RTL tests and how to handle them
Prerequisites- Familiarity with building applications with React- Basic experience writing automated tests with Jest or another unit testing framework- You do not need any experience with React Testing Library- Machine setup: Node LTS, Yarn
How to Start With Cypress
TestJS Summit 2022TestJS Summit 2022
146 min
How to Start With Cypress
Featured WorkshopFree
Filip Hric
Filip Hric
The web has evolved. Finally, testing has also. Cypress is a modern testing tool that answers the testing needs of modern web applications. It has been gaining a lot of traction in the last couple of years, gaining worldwide popularity. If you have been waiting to learn Cypress, wait no more! Filip Hric will guide you through the first steps on how to start using Cypress and set up a project on your own. The good news is, learning Cypress is incredibly easy. You'll write your first test in no time, and then you'll discover how to write a full end-to-end test for a modern web application. You'll learn the core concepts like retry-ability. Discover how to work and interact with your application and learn how to combine API and UI tests. Throughout this whole workshop, we will write code and do practical exercises. You will leave with a hands-on experience that you can translate to your own project.
Detox 101: How to write stable end-to-end tests for your React Native application
React Summit 2022React Summit 2022
117 min
Detox 101: How to write stable end-to-end tests for your React Native application
Top Content
WorkshopFree
Yevheniia Hlovatska
Yevheniia Hlovatska
Compared to unit testing, end-to-end testing aims to interact with your application just like a real user. And as we all know it can be pretty challenging. Especially when we talk about Mobile applications.
Tests rely on many conditions and are considered to be slow and flaky. On the other hand - end-to-end tests can give the greatest confidence that your app is working. And if done right - can become an amazing tool for boosting developer velocity.
Detox is a gray-box end-to-end testing framework for mobile apps. Developed by Wix to solve the problem of slowness and flakiness and used by React Native itself as its E2E testing tool.
Join me on this workshop to learn how to make your mobile end-to-end tests with Detox rock.
Prerequisites- iOS/Android: MacOS Catalina or newer- Android only: Linux- Install before the workshop
API Testing with Postman Workshop
TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
Top Content
WorkshopFree
Pooja Mistry
Pooja Mistry
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
Monitoring 101 for React Developers
React Summit US 2023React Summit US 2023
107 min
Monitoring 101 for React Developers
Top Content
WorkshopFree
Lazar Nikolov
Sarah Guthals
2 authors
If finding errors in your frontend project is like searching for a needle in a code haystack, then Sentry error monitoring can be your metal detector. Learn the basics of error monitoring with Sentry. Whether you are running a React, Angular, Vue, or just “vanilla” JavaScript, see how Sentry can help you find the who, what, when and where behind errors in your frontend project. 
Workshop level: Intermediate
Testing Web Applications Using Cypress
TestJS Summit - January, 2021TestJS Summit - January, 2021
173 min
Testing Web Applications Using Cypress
WorkshopFree
Gleb Bahmutov
Gleb Bahmutov
This workshop will teach you the basics of writing useful end-to-end tests using Cypress Test Runner.
We will cover writing tests, covering every application feature, structuring tests, intercepting network requests, and setting up the backend data.
Anyone who knows JavaScript programming language and has NPM installed would be able to follow along.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Network Requests with Cypress
TestJS Summit 2021TestJS Summit 2021
33 min
Network Requests with Cypress
Top Content
Cecilia Martinez, a technical account manager at Cypress, discusses network requests in Cypress and demonstrates commands like cydot request and SCI.INTERCEPT. She also explains dynamic matching and aliasing, network stubbing, and the pros and cons of using real server responses versus stubbing. The talk covers logging request responses, testing front-end and backend API, handling list length and DOM traversal, lazy loading, and provides resources for beginners to learn Cypress.
Testing Pyramid Makes Little Sense, What We Can Use Instead
TestJS Summit 2021TestJS Summit 2021
38 min
Testing Pyramid Makes Little Sense, What We Can Use Instead
Top Content
Featured Video
Gleb Bahmutov
Roman Sandler
2 authors
The testing pyramid - the canonical shape of tests that defined what types of tests we need to write to make sure the app works - is ... obsolete. In this presentation, Roman Sandler and Gleb Bahmutov argue what the testing shape works better for today's web applications.
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
Full-Circle Testing With Cypress
TestJS Summit 2022TestJS Summit 2022
27 min
Full-Circle Testing With Cypress
Top Content
Cypress is a powerful tool for end-to-end testing and API testing. It provides instant feedback on test errors and allows tests to be run inside the browser. Cypress enables testing at both the application and network layers, making it easier to reach different edge cases. With features like AppActions and component testing, Cypress allows for comprehensive testing of individual components and the entire application. Join the workshops to learn more about full circle testing with Cypress.
Test Effective Development
TestJS Summit 2021TestJS Summit 2021
31 min
Test Effective Development
Top Content
This Talk introduces Test Effective Development, a new approach to testing that aims to make companies more cost-effective. The speaker shares their personal journey of improving code quality and reducing bugs through smarter testing strategies. They discuss the importance of finding a balance between testing confidence and efficiency and introduce the concepts of isolated and integrated testing. The speaker also suggests different testing strategies based on the size of the application and emphasizes the need to choose cost-effective testing approaches based on the specific project requirements.
Playwright Test Runner
TestJS Summit 2021TestJS Summit 2021
25 min
Playwright Test Runner
Top Content
The Playwright Test Runner is a cross-browser web testing framework that allows you to write tests using just a few lines of code. It supports features like parallel test execution, device emulation, and different reporters for customized output. Code-Gen is a new feature that generates code to interact with web pages. Playwright Tracing provides a powerful tool for debugging and analyzing test actions, with the ability to explore trace files using TraceViewer. Overall, Playwright Test offers installation, test authoring, debugging, and post-mortem debugging capabilities.