JSNation US

JSNation US 2024

Introduction to Pan Testing. Today we'll focus on web apps and web APIs. Set up and configure necessary tools for pan testing. Use Kali Linux with Docker for testing purposes. Learn how to use Bob Sweet as a proxy in Kali Linux. Use Postman with the Bob Sweet proxy. Utilize the scope feature in Bob Sweet Proxy for comprehensive testing. Learn about scanning and enumeration in ethical hacking. Understand broken object and function level authorization. Analyze communication and system usage in pan testing. Decouple your backend and use DTOs. Crack and manipulate JWT tokens. Use HTTPS and implement backend authentication for security.

In this hands-on workshop, you will be equipped with the tools to effectively test the security of web applications. This course is designed for beginners as well as those already familiar with web application security testing who wish to expand their knowledge. In a world where websites play an increasingly central role, ensuring the security of these technologies is crucial. Understanding the attacker's perspective and knowing the appropriate defense mechanisms have become essential skills for IT professionals.This workshop, led by the renowned trainer Gregor Biswanger, will guide you through the use of industry-standard pentesting tools such as Burp Suite, OWASP ZAP, and the professional pentesting framework Metasploit. You will learn how to identify and exploit common vulnerabilities in web applications. Through practical exercises and challenges, you will be able to put your theoretical knowledge into practice and expand it. In this course, you will acquire the fundamental skills necessary to protect your websites from attacks and enhance the security of your systems.

Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs

Gregor Biswanger

Vue.js Live Conference

Vue.js Live 2024

This Talk introduces authentication in Vue.js and emphasizes that it is not as difficult as it may seem. The speaker explains the concept of authentication and its importance. A code example is used to demonstrate how to implement authentication in Vue.js, including separate UI parts for login, home, and dashboard views. The Talk also covers handling authentication in the Vue.js router, including defining routes, accessing user credentials, and making requests to the backend.

In the ever-evolving landscape of modern single-page applications, VueJS stands out but also presents us with challenges. Among them, authentication is crucial: ensuring the user's identity and securing their journey within your application. Fear not; we're here to guide you through these exciting frontiers. In my session, I'll unravel the secrets of authentication in VueJS applications, making it a delightful learning journey for everyone while keeping the focus on the most critical parts. I'll provide an overview of an authentication flow, break down each step, and demystify the role of JWT tokens in the process.  Whether you're a seasoned VueJS developer or just getting started, you're welcome. A dash of prior experience with user authentication certainly doesn't hurt, but it's optional.  Target audience: Web Developers of all levels who want to learn about security topics and best practices. Key learnings:- Giving a small introduction to the most essential terms and concepts of Authentication;- VueJS is used as an example, but the concepts will be agnostic.

Who Are Vue? Authn In Vue, The Important Parts

Ramona Schwering

TestJS Summit

TestJS Summit 2023

Today's Workshop covered topics such as optimizing the CI/CD pipeline, scaling and trust in CI/CD, TDD and trust in testing, setting up Nightwatch for mobile testing, exploring Nightwatch and configuring environments, unit testing with Nightwatch and JavaScript styles, API testing and mocking with Nightwatch, managing complexity in software design, modularity and composition in software design, complexity of browsers and component testing, component testing and UI complexity, visual and accessibility testing in Nightwatch, best practices for visual regression and end-to-end testing, and the challenges of testability in front-end frameworks.

We're all taught to follow the Testing Pyramid but the reality is that we build out the Testing Christmas Tree. In this workshop, David will talk you through how to break down projects and put the tests where they need to be. By the end of the workshop you will be able to update your projects so that anyone and everyone can start contributing and truly living up to "Quality is everyone job". He will walk you through:<ul><li>- Component Testing</li><li>- API Testing</li><li>- Visual Regression Testing</li><li>- A11Y testing</li></ul> He will also talk you through how to get these all setup in your CI/CD pipeline so that you can get shorter and faster feedback loops.

Building out a meaningful test suite that's not all E2E

David Burns

This workshop on API testing with Postman covers a wide range of topics, including creating workspaces and collections, working with variables and dynamic data, testing syntax and methods, building workflows, automating testing with Postman CLI and Postbot, and advanced testing techniques. Postman provides extensive documentation, resources, and tools like Postbot for generating tests and documentation. The workshop also highlights the versatility of Postman in supporting various protocols and types of testing, such as contract testing, performance testing, and regression testing.

In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman. 1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.

API Testing with Postman Workshop

Pooja Mistry

GraphQL Galaxy

GraphQL Galaxy 2022

DAST helps prioritize fixing application security issues by identifying discoverable and exploitable vulnerabilities. StackHawk runs active security tests against APIs to ensure safe handling of user input and output. It also implements OWASP top 10 API best practices. The tool can be used locally and in CI/CD pipelines.

With StackHawk, engineering teams can run security tests against GraphQL APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder and Chief Security Officer Scott Gerlach for a quick overview of GraphQL security testing with StackHawk.

Modern GraphQL API Security Testing 

Scott Gerlach

TestJS Summit 2022

Welcome to the Test.js and DevSecOps workshops, where we automate web app security testing using Java, React, and StackHawk's DAST utility. We cover setting up GitHub Actions, scanning dependencies with Dependabot, using CodeQL for static analysis, and running StackHawk's DaaST scanner for runtime vulnerability testing. The workshops provide step-by-step instructions for setting up workflows, configuring security testing tools, and reviewing scan results to identify and fix vulnerabilities in the codebase.

Software development has changed - Frequent deployments, APIs, GraphQL, Cloud Architecture and CI/CD Automation are the norm. So why is security testing the same way it was a decade ago? Leading teams are realizing that periodical penetration testing and security audits is not enough when code is being shipped daily. Instead, these teams are using developer-centric tools to run automated security testing in a CI/CD pipeline. Join Zachary Conger as he walks through how to automate application JS security testing using GitHub actions.

Automate WebApp Security Testing using GitHub Actions (from StackHawk team)

Zachary Conger

JS Nation

JSNation 2022

Today's Workshop focuses on automating build and security tests for a Node.js application using tools like Stackhawk, Dependabot, CodeQL, and GitHub Actions. GitHub Actions is a powerful CI platform with a marketplace of Actions and built-in secrets management. CodeQL is a SAST utility that scans code for vulnerabilities, while Stackhawk is a dynamic application security testing tool. The Workshop covers enabling code security and analysis, configuring StackHawk, and running scans locally. Overall, the Workshop provides practical guidance for integrating security into software development pipelines.

This workshop will focus on automating software composition analysis, static application security testing and dynamic application security testing using GitHub Actions. After a brief introduction covering the different types of application security and the importance of finding security vulnerabilities before they hit production, we'll dive into a hands-on session where users will add three different security testing tool to their build pipelines.

JS Security Testing in GitHub Actions

React Summit

React Summit 2022

StackHawk is a dynamic application security testing tool that helps developers find and fix security issues. The scan identified a SQL injection issue and a cross site scripting issue. The StackHawk YAML is used to configure the scanner with important information such as the application's location, environment, and ID. The scanner can also be pointed at open API spec or GraphQL definitions. Try StackHawk for free at stackhawk.com and integrate it into your development process to improve software quality.

Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.

Automated Application Security Testing 

StackHawk is a dynamic application security testing tool that runs active security tests on various types of applications, providing simple descriptions and examples of security issues. It integrates with CI processes and provides feedback on scan findings. The StackHawk YAML is used to configure the scanner, including important information about the application and additional configuration options. OpenAPI and GraphQL integration is possible with minimal configuration.

Traditional security testing for JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast.

Automated Application Security Testing

Node Congress

Node Congress 2022

StackHawk is a dynamic application security testing tool that integrates with CI-CD workflows and simplifies finding and fixing security issues. The scan results include detailed descriptions of identified issues, along with links and request/response details for replaying the attack. The StackHawk YAML configuration allows for specifying application location, environment, and additional options for authentication and scanning exclusions.

Traditional security testing for Node and JS apps has focused on the front-end, but actual security issues most often lie in the backing REST API. Join StackHawk co-founder Scott Gerlach for a quick overview of why you need to rethink how you test your JS apps and how StackHawk can help you find and fix security bugs fast. You can check the slides for Scotts's talk <a href="https://drive.google.com/file/d/1nRupxCNMRXs3aCi_ymS_EMahjCwjmx8n/view?usp=sharing">here</a>. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Automated Application Security Testing with StackHawk

GraphQL Galaxy 2021

This workshop focuses on security testing automation for developers, with a specific emphasis on GraphQL. Neuralegion offers a comprehensive security testing solution for developers, supporting various types of applications and providing actionable results with remediation guidelines. The tool integrates seamlessly into CI/CD pipelines and prioritizes accuracy by minimizing false positives. Support and assistance are available 24/7, and the tool provides detailed information about findings and multiple ways to copy requests for debugging. Overall, the workshop highlights the importance of putting security testing into the hands of developers and offers practical solutions to integrate security into the development process.

As a developer, you need to deliver fast, and you simply don't have the time to constantly think about security. Still, if something goes wrong it's your job to fix it, but security testing blocks your automation, creates bottlenecks and just delays releases, especially with graphQL...but it doesn't have to... NeuraLegion's developer-first Dynamic Application Security Testing (DAST) scanner enables developers to detect, prioritise and remediate security issues EARLY, on every commit, with NO false positives / alerts, without slowing you down. Join this workshop to learn different ways developers can access NeuraLegion's DAST scanner &amp; start scanning without leaving the terminal! We will be going through the set up end-to-end, whilst setting up a pipeline for a vulnerable GraphQL target, running security tests and looking at the results. Table of contents: - What developer-first DAST (Dynamic Application Security Testing) actually is and how it works - See where and how a modern, accurate dev-first DAST fits in the CI/CD - Integrate NeuraLegion's scanner with GitHub Actions - Understand how modern applications, GraphQL and other APIs and authentication mechanisms can be tested - Fork a repo, set up a pipeline, run security tests and look at the results <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Security Testing Automation for Developers on Every Build

Oliver Moradov

Bar Hofesh

Neuraligions is a dynamic application security testing scanner designed for developers to test apps, APIs, and ensure trusted security. It seamlessly integrates into pipelines, providing accurate results without false positives. The biggest issue with security scanners is accuracy, and Neuralegion addresses this by automatically validating findings and eliminating false positives. It also provides full visibility of recurring and new issues, along with developer-friendly remediation guidelines. Integrations with common tools and APIs make collaboration seamless and accurate.

NeuraLegion's developer friendly security scanner enables development teams to run dead accurate security tests on every build as part of their pipeline. False alerts and periodic infrequent scanning results in technical and security debt, as well as insecure product. But what is developer first DAST, when and how should you be integrating it into your pipelines and what should you be looking for when enhancing your GrapQL security testing automation? Join this talk to get up to date. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

GraphQL Security Testing Automation for Developers

Today's workshop covers Automated GraphQL Security Testing using tools like Dependabot, CodeQL, and StackHawk. It explores security tests such as software composition analysis and static application security testing. The workshop demonstrates setting up GitHub Actions workflows, enabling Dependabot for dependency security, and configuring CodeQL analysis. It also highlights the use of StackHawk for automated penetration testing and optimizing the scanning process. The workshop emphasizes the importance of continuous testing and security measures in software development.

We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone – putting the culture, processes, and tooling in place to make this happen is tough – especially for sophisticated applications like those backed GraphQL. In this hands-on technical session, StackHawk Senior DevOps Engineer, Zachary Conger, will walk through how to protect your GraphQL APIs from vulnerabilities using automated security testing. Get ready to roll-up your sleeves for automated AppSec testing. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

GraphQL Security Testing Technical Workshop

TestJS Summit 2021

Today's Workshop covered a range of topics related to web application security. It emphasized the importance of understanding and addressing security in everyday activities. The Workshop discussed various vulnerabilities and techniques for exploiting them, including SQL injection and cross-site scripting. It also highlighted the significance of secure design, proper authentication and session management, and the detection of breaches. Resources such as the OWASP Top 10 and the Security Knowledge Framework were recommended for further learning.

The Application Security Training is a 3 Hour training. This Training is intended for those who are interested in making a career in the Information Security domain. This training involves real world scenarios that every Security Professional must be well versed with. It involves decompiling, real-time analyzing and testing of the applications from a security standpoint. This training covers understanding the internals of web and mobile web applications, Real-time testing of web applications and android applications and a strategic approach to analyze applications for OWASP Top 10 vulnerabilities (Web) security issues such as Injections, Cross Site Scripting (XSS), CSRF Attacks, Insecure API’s, Insecure logging, Insecure communication, Insufficient cryptography, Insecure authentication and Poor code quality and many more. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Learn to defend by learning the hacker mindset

Vandana Verma

Neuralegions is a dynamic application security testing scanner designed for developers. It allows you to build the scan surface from the first unit tests, seamlessly integrating into your pipelines. With no false positives, you can trust the output to quickly detect and fix security vulnerabilities. Eurolegion provides comprehensive coverage, supporting web apps, internal apps, and APIs. It can handle client-side dynamic content and integrates with existing functional scripts. Scans are fast and can test for business logic vulnerabilities. Authenticated scans are fully supported. The biggest issue with security scanners is accuracy. Developers want to know real issues, not hyperbole. Neuralegion focuses on removing false positives automatically. It validates every finding with a full proof of concept, eliminating the need for manual validation. Full visibility of recurring and new issues is provided, along with developer-friendly remediation guidelines. Neuralegion seamlessly integrates into your pipeline, allowing developers to shift left and scan every commit or pull request.

<div>NeuraLegion's developer friendly security scanner enables development teams to run dead accurate security tests on every build as part of their pipeline. False alerts and periodic infrequent scanning results in technical and security debt, as well as insecure product. But what is developer first DAST, when and how should you be integrating it into your pipelines and what should you be looking for when enhancing your security testing automation? Join this talk to get up to date.</div> <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

JS Do It.....Accurate Security Testing Automation for Developers

The Talk discusses the importance of software security and the risks associated with open-source software supply chains. It highlights real-world stories of developers' involvement in security incidents and emphasizes the need to trust the software we use. The Talk also addresses the vulnerabilities and targeted attacks that come with the growing dependency on open-source software. It explores the security risks in open-source dependencies, open-source ecosystems, and the future of open source software. Additionally, it provides insights into choosing the best vulnerability scanning software and promoting supply chain security practices.

The adoption of open-source software continues to grow and creates significant security concerns for everything from software supply chain attacks in language ecosystem registries to cloud-native application security concerns. In this session, we will explore how developers are targeted as a vehicle for malware distribution, how immensely we depend on open-source maintainers to release timely security fixes, and how the race to the cloud creates new security concerns for developers to cope with, as computing resources turn into infrastructure as code. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Are we Forever Doomed to Software Supply Chain Security?

Liran Tal

This workshop introduces developers to security testing automation using Neuralegion's Developer First DAST. It covers the challenges of application security testing, the limitations of static analysis tools, and the benefits of using DAST tools. The workshop includes hands-on exercises on forking a repo, running scans, analyzing results, and testing authentication mechanisms. Neuralegion's DAST features include API security testing, automatic validation of findings, seamless integration into pipelines, and optimization of scan speeds. The workshop also covers setting up CI workflows, running scans, and analyzing vulnerabilities. Participants can ask questions and receive continued support beyond the workshop.

As a developer, you need to deliver fast, and you simply don't have the time to constantly think about security. Still, if something goes wrong it's your job to fix it, but security testing blocks your automation, creates bottlenecks and just delays releases...but it doesn't have to... NeuraLegion's developer-first Dynamic Application Security Testing (DAST) scanner enables developers to detect, prioritise and remediate security issues EARLY, on every commit, with NO false positives/alerts, without slowing you down. Join this workshop to learn different ways developers can access Nexploit &amp; start scanning without leaving the terminal! We will be going through the set up end-to-end, whilst setting up a pipeline, running security tests and looking at the results. Table of contents: - What developer-first DAST (Dynamic Application Security Testing) actually is and how it works - See where and how a modern, accurate dev-first DAST fits in the CI/CD - Integrate NeuraLegion's Nexploit scanner with GitHub Actions - Understand how modern applications, APIs and authentication mechanisms can be tested - Fork a repo, set up a pipeline, run security tests and look at the results <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

JS Security Testing Automation for Developers on Every Build

Node Congress 2021

This workshop on automated application security testing for Express apps covers the importance of early bug detection, the challenges of testing in production, and the benefits of using developer-friendly security tools. It explores different types of application security testing, including static testing and dynamic application security testing, and emphasizes the need to address vulnerabilities in both areas. The workshop also highlights the shift to cloud-native development, the responsibility of developers in managing infrastructure, and the importance of integrating security throughout the development process. The demo showcases the use of StackHawk and Snyk tools to find and fix security vulnerabilities in an app, demonstrating the effectiveness of dynamic application security testing and software composition analysis tools.

We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone - putting the culture, processes, and tooling in place to make this happen is tough - especially for sophisticated applications. Join Scott Gerlach (CSO, StackHawk) and Liran Tal (Developer Advocate, Snyk) as they dive into how you can add AppSec testing to your CI/CD pipeline to ship secure code faster. Prerequisites:Docker is a nice to have <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Securing Node Applications with Automated Security Testing in CI/CD

GraphQL Galaxy 2020

I'm Ryan Severns, COO of StackHawk, an application security testing tool that focuses on GraphQL. StackHawk offers active automated testing of GraphQL endpoints to find potential security vulnerabilities. The tool integrates with developer tools like Slack and Jira for easy vulnerability management and bug fixing. It provides detailed information, including request, response, and curl command, for debugging. StackHawk offers free single user accounts and team trials, and visitors can find more information at their booth in GraphQL Galaxy.

<div><div><div><div><div>With StackHawk, engineering teams can run security tests against GraphQL backed applications to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your GraphQL API is secure. Join StackHawk co-founder Ryan Severns for a quick overview of GraphQL security with StackHawk.</div></div></div></div></div> <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Security Testing for GraphQL Backed Applications

Ryan Severns

Lighting Talks - Day 1 - GraphQL Galaxy 2020

Matt Tanner

Brecht De Rooms

TestJS Summit - January, 2021

Stackhawk is an application security tool that focuses on dynamic application and API security testing. It is built on top of the open source ZAP project and designed for automation in CICD. Stackhawk provides a comprehensive set of tools for application security testing and bug fixing, including viewing findings, recreating requests, and easily fixing vulnerabilities. It allows for triaging findings and integrating with other engineering stacks. Visit stackhawk.com to sign up for a free account and learn more at docs.stackhawk.com.

With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Ryan Severns for a quick overview of JS application security testing with StackHawk. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

Security Testing for JS Apps

The panel discussion on application security testing covered various perspectives on DevSecOps, emphasizing the importance of shifting security left and the role of automation. Collaboration between developers and security teams was highlighted, as well as the need for developer-friendly security tooling. Pain points in integrating security testing early in the pipeline were discussed, including technical and cultural challenges. Open source project recommendations for building a secure pipeline were also provided.

Panel Discussion: Application Security Testing

Sam Stepanyan

JSNation Live

JSNation Live 2021

StackHawk is a dynamic application security testing tool that helps find and fix security vulnerabilities. It integrates with your engineering stack and works with popular players in CICD. The DAST scanner crawls your application, tests it, and provides a summary of the findings, including cross-site scripting and SQL injection issues. The output in CICD includes a link to triage the issues.

With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities fasters. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Scott Gerlach for a quick overview of JS application security testing with StackHawk. <a href="https://www.froala.com/wysiwyg-editor?pb=1"> </a>

#security testing