Seth Law from nVisium presents: Strategies for Effective Security Unit Testing
Summary: Using DevOps practices such as Test Driven Development (TDD) and Continuous Integration (CI), it is possible to overcome both security and development weaknesses around unit testing and implement a custom security unit-test suite for any application.
This presentation will address the current limitations of security unit-testing applications with existing tools and various frameworks. Seth will introduce a generic framework for creating security unit-tests for any application and then review common strategies for building application security-specific unit-tests, including function identification, testing approaches, edge cases, regression testing, and payload generation.
In addition, this presentation will demonstrate these techniques in Java Spring and .Net MVC frameworks using intentionally-vulnerable applications. Finally, Seth will introduce SPUTR (https://github.com/sethlaw/sputr), an open-source repository of security unit-testing payloads that can be used as a starting point for creating custom security unit-tests. Attendees will gain an understanding of how to implement custom security unit and integration-tests, to help their organization increase their assurance that security flaws do not exist in critical code bases.
Encourage members of your Development team to join you!
Bio: Seth Law is CSO with nVisium, and an expert in application security. He spends the majority of his time breaking web and mobile applications, but has been known to code when the need arises. Seth is currently involved in multiple open source projects (including RAFT) and is working with others to advance the state of security testing. He is presenting this same presentation at Black Hat Asia 2017 and has spoken previously at Blackhat, Defcon, Secure360 and other security conferences.