Cybersecurity is a major problem that the IT industry is facing today and will become an even greater threat as the stakes increase. The threat of a security breach exists at the IT infrastructure perimeter, network, hosting environment, and application level. Its extent is on the rise as cybersecurity hackers are constantly on the move to find new ways to invade IT security. This makes it increasingly difficult for organizations to maintain their security promise to their customers and stay out of the news.
The objective of this course is to understand the techniques and tools for testing web application security that will result in high confidence in a secure application. The course begins with an introduction to the security CIA (Confidentiality, Integrity, and Availability) triad and how it relates to the web application environment from the client-side to the server-side. It then illustrates how to derive the security controls from user story acceptance criteria in an agile SDLC. The course then dives into how to develop test cases from the security controls and deploy a multistage test approach – SAST (Static Application Security testing), DAST (Dynamic Application Security Testing), formal security validation, and PenTest (Penetration Testing). After establishing a solid foundation of various test approaches, the course then covers the methodology to build an effective test plan with the efficient use of methodologies and test tools.
Students in the workshop then get hands-on practice with ZAP (Zed Attack Proxy), an OWASP (Open Web Application Security Project) security scanning tool, and learn how to set it up in a test environment. We also cover how to analyze the ZAP scanning report.
Last but not least, the workshop demonstrates how to integrate a DAST security tool (ZAP) into a CI/CD framework such as Jenkins.
This workshop is designed for the QA professionals responsible for testing web applications. As a hands-on learning course, it includes exercises in a virtual learning environment. The goal is to equip students with takeaways that can be readily applied.