YoVDO

Dynamic Application Security Testing (DAST)

Offered By: LinkedIn Learning

Tags

Security Testing Courses, Burp Suite Courses, Software Quality Assurance Courses, Software Development Life Cycle Courses, Fiddler Courses, OWASP ZAP Courses

Course Description

Overview

Embed security into the software development life cycle. Discover how to use online security testing to validate your code and uncover vulnerabilities.

Syllabus

Introduction
  • The importance of online testing
  • What you should know
1. Security Testing in QA
  • Software quality assurance process
  • Positive testing
  • Negative testing
  • SQA metrics
  • OWASP Testing Guide
  • Demo: OWASP ZAP
2. Assessing Deployed Apps
  • Manual vs. automated testing
  • Scanning vs. pen testing
  • Testing in non-production
  • Testing in production
  • OSINT gathering
  • Web app proxies
  • Demo: Fiddler2
  • Demo: Burp Suite
  • Demo: Samurai Web Testing Framework (WTF)
3. Web App Pen Testing
  • Scoping a web app pen test
  • Avoiding production impacts
  • The penetration testing execution standard
  • Types of pen tests
  • Web application firewalls
  • SIEMs
  • Purple teaming
  • Demo: OWASP OWTF
4. Testing for the OWASP Top Ten (2017)
  • The OWASP Top Ten
  • A1: Injection
  • A2: Broken authentication
  • A3: Sensitive data exposure
  • A4: XML external entities (XXE)
  • A5: Broken access control
  • A6: Security misconfiguration
  • A7: Cross-site scripting (XSS)
  • A8: Insecure deserialization
  • A9: Using components with known vulnerabilities
  • A10: Insufficient logging and monitoring
Conclusion
  • Next steps

Taught by

Jerod Brennen

Related Courses

API Testing a real web application via Postman
Coursera Project Network via Coursera
Become a Software Tester
LinkedIn Learning
CISSP Cert Prep (2021): 8 Software Development Security
LinkedIn Learning
CompTIA Security+ (SY0-601) Cert Prep: 2 Secure Code Design and Implementation
LinkedIn Learning