Safety First: Shift Left Security Testing with Selenium and DevSecOps

The software world has always been obsessed with delivery speed, value and outcomes, but one thing the COVID pandemic has taught us in the last 2 years is to focus on "safety first".

But why?

  • Increasing cyber threats and attacks - In 2021 a cyber attack incident occurred every 11 seconds; this is twice the rate of 2019 and four times that of 2016.
  • Rising cost of vulnerabilities - Cybercrime cost $6 trillion in 2021 and is projected to reach $10.5 trillion annually in 2025, which would make it the world's third-largest economy after the United States and China.
  • Increasing penetration and demand - Organisations are compelled to deliver changes so swiftly that security doesn't get enough time to catch up, leaving businesses vulnerable to the threats looming across the horizon.

So what does safety mean in the context of software, and how can we enable it continuously across our development life cycle?

In this talk we will present an approach for implementing automated security at every phase of the SDLC, covering both the tooling and the practices for setting up DevSecOps in your organisation.

We will focus on leveraging existing automation tools such as Selenium and Appium, and existing infrastructure, as much as possible, so that everyone can get these implemented with minimal time, cost and learning curve.

Outline/Structure of the Demonstration

  1. Need for Security Testing and a Safety First Approach
  2. Need for Automating Security Testing
  3. Tools and Solutions with DevSecOps
  4. Leveraging Selenium for Security Testing
  5. Framework Architecture and Pipeline
  6. Live Demo
  7. Analysis and Reporting
  8. Future Roadmap and Conclusion

Learning Outcome

1. Learning about the importance of, and approach to, security testing

2. Leveraging Selenium/Appium to run security tests

3. Hands-on open source examples for setting up SAST and DAST with CI/CD pipelines

4. Guide to setting up DevSecOps in your organisation

Target Audience

Developers, Testers, Engineering and Product Managers, Security Testers/Researchers

Submitted 8 months ago

  • Andrew Knight - The Screenplay Pattern: Better Interactions for Better Automation

    Andrew Knight, Developer Advocate, Applitools
    Submitted 9 months ago. Sold Out!
    45 Mins / Talk / Intermediate

    Automating interactions for tests is hard. For the past decade, the primary way to automate web UI interactions has been the Page Object Model. Unfortunately, page objects do not scale well because, by design, they bind interactions to page structure, which causes lots of code duplication and unsafe activity. The Screenplay Pattern is a much better pattern for handling interactions. In Screenplay, Actors use Abilities to perform Interactions.

    In this talk, I’ll back up that claim in three parts:

    1. I’ll cover problems with traditional ways of automating interactions.
    2. I’ll explain why the Screenplay Pattern is a better way.
    3. I’ll show how to use the Screenplay Pattern with a C# library named Boa Constrictor.

    We will implement both a Web UI search engine test and a REST API web service test in C# with Boa Constrictor to demonstrate how to write readable, reliable tests using Screenplay calls. By the end of this talk, you’ll be able to start using the Screenplay Pattern for your own tests!

  • Gaurav Singh - Hello Espresso! Start with Android Gray box automation

    Gaurav Singh, Software Engineer, Meta
    Submitted 8 months ago. Sold Out!
    90 Mins / Tutorial / Beginner

    TL;DR Summary

    • Espresso is a powerful UI automation framework for the Android platform that offers gray box automation capabilities and has a simple, concise, and rich API.
    • Onboarding to Espresso can however sometimes take time. In this talk, I will explain how to get started with Espresso in the shortest time possible and we’ll look at some recipes on how to automate common app scenarios with the Espresso API.

    Abstract

    • It’s 2022 and most businesses these days are mobile-first with a presence on major platforms. UI automation is a critical part of the testing strategy of businesses looking to release high-quality apps with confidence. While unit testing is a much more widely adopted practice, writing scalable UI automation is often a challenge due to its higher fidelity.
    • Espresso is the dominant UI automation library for Android from Google that provides a rich and concise API to test your Android app's UI with confidence without sacrificing reliability and with minimal flakiness due to amazing integration with the underlying instrumentation.
    • For an n00b engineer approaching their first Espresso test, it could be especially tough to wrap your head around its idioms and Android context and get set up quickly.
    • Well, in this talk:
      • we’ll solve for that exact persona and provide a quick understanding of an Espresso test structure
      • Follow up by diving deeper into its API
      • Discuss different ready-to-use recipes that developers could use to solve some common use cases with mobile UI automation
      • Provide a boilerplate framework
      • I'll share GitHub repo links that have app source code along with their Espresso UI tests to follow along or revisit later.

  • Puja Chiman Jagani - Selenium has a new trick up its sleeve to track failures

    Puja Chiman Jagani, Team Lead, Browserstack
    Submitted 8 months ago. Sold Out!
    45 Mins / Talk / Beginner

    As our systems and tests grow more and more complex we need to make sure that we have the tools to capture the root causes without spending hours or days chasing them down. This is where Observability becomes our best friend. Observability allows us to see what is going on inside a system based on what we think is crucial without trawling through logs! Just like any piece of software should be robust, scalable, maintainable, and reliable, it should also be observable. Observability makes the journey from identifying unexpected problems to identifying the root cause easier.

    To do so, the code should record as much useful granular information as possible. Metrics, logs, and traces are three known ways of encapsulating granular information. They are the primary sources of information to help determine the state of the system at any given point in time. 

    Selenium 4 introduced a fully distributed Grid with multiple components that communicate over the network. Troubleshooting and diagnosing problems in this setup is a challenge. To tackle this, Selenium integrated OpenTelemetry’s tracing and event logs. This feature is now available out of the box by default when using Selenium. The users now have more power in their hands!

    I will dive into Selenium's observability journey by discussing:

    1. What is observability?

    2. Need for observability

    3. Understanding the three pillars of observability: Metrics, Logging, and Tracing

    4. Generating telemetry data alone does not suffice. It is a process from design to deployment. 

    5. Full-stack tracing in Selenium (Grid and Java client library)

    6. Explain how we, at BrowserStack, are benefiting and exposing this information to our users.

  • Samiran Saha / Dhvani Parekh - Testing Mobile Web Apps on Real Devices: A page out of "How Fortune 100 companies do it"

    45 Mins / Talk / Beginner

    With the advent and advancements in Web APIs, accurately displaying responsive web page content across fragmented mobile device browsers is merely just one of the checkboxes that Quality Assurance teams need to care about, albeit a very important one.

    Similar to native / hybrid apps installed directly on Android and iOS, mobile web applications also implement advanced real world use cases that heavily leverage mobile device hardware such as processor, graphics, memory etc. and device sensors like camera, microphone, location, motion etc.

    In addition, web apps can also access device OS level features for SMS/call integrations, notifications, payments, accessibility which further calls for testing such web apps on real mobile devices.

    In our talk, we are going to cover -

    1. Expansion of mobile web testing landscape with Web APIs

    2. Why is mobile web testing important for businesses

    3. Real-world mobile web testing customer use cases across Finance, Banking and E-commerce

    4. Mimics for a real device: A risky business

    5. Achieving versatility in meeting the dynamic infrastructure needs

  • Gayathri Mohan / Pallavi Vadlamani - How to approach Continuous Testing of Cross-Functional Requirements?

    45 Mins / Talk / Advanced

    Cross-functional requirements (CFRs), predominantly referred to as Non-functional Requirements (NFRs), form an integral part of software quality, and testing for them continuously is an absolute necessity for any team that promises to deliver high-quality software to their customers and end-users. Often, the emphasis that is placed on continuous testing (CT) of the functional requirements is not equally placed on continuous testing of the cross-functional requirements in software delivery teams and by the business stakeholders. There could be multiple reasons behind this phenomenon, but one we believe could be a prominent reason is the lack of awareness of how to approach CFR testing, as they come across as really vague, say, reliability or maintainability, for example.

    In this talk, I, the author of O'Reilly's Full Stack Testing book, and my colleague from Thoughtworks, Pallavi Vadlamani, would like to elaborate on why it is essential to do continuous testing for cross-functional requirements and introduce a holistic approach to continuous testing of all the cross-functional requirements (the approach is carved out as part of Gayathri's book). We will cover how different testing techniques such as static code analysis, architecture tests, visual tests, infrastructure tests, load tests, etc., cater to automating a variety of CFRs, including those really vague ones, and therefore aid in continuous testing and building quality into the software.

    We will continue the talk by applying the approach to a couple of CFRs specifically, say, security and accessibility, to give the audience a solid grasp of the approach. By the end of the talk, the audience should have a clear idea of how to approach continuous testing of any given CFR that is necessary for them to deliver high-quality software.

  • Parasar Saha - Cloud First Automation Approach – Road to Scalable and Faster Test Automation Pipelines

    Parasar Saha, CEO, Digy4
    Submitted 8 months ago. Sold Out!
    45 Mins / Talk / Advanced

    Cloud has changed the way the software world works. Companies have accelerated their development and deployment cycles with 3x or more speed by adopting the cloud. But testing in most organizations is either running locally or not taking advantage of the full potential of cloud infrastructure. Testing is the home-alone kid, left to spend the Christmas weekend without the bells and whistles that cloud has to offer.

    Digital transformation in IT and the Agile delivery model are pushing testing teams to complete their testing in shorter testing windows. 26% of organizations are moving to daily releases. 70% of organizations have adopted Agile in delivery. Even after having a high amount of automation coverage, teams are struggling to keep up with the pace of testing asked for by the business teams.

    This talk is about how you can change the story and accelerate cloud adoption in your testing organization with Selenium-based frameworks. Through cloud adoption you benefit from the out-of-the-box features of the cloud: on-demand scaling, cost optimization, security, reliability, and geo-routing of your test infrastructure. Cloud adoption doesn’t need to be limited to the execution of Selenium tests but can help you in test management of automated Selenium tests, test data generation, test reporting, test artifact storage, and many more. It is not enough to have an Automation First Approach these days; you also need to have a Cloud-First Approach for test infrastructure to get the best value from automation.

    The talk elaborates on factors to consider while building up the cloud-based testing pipeline and how they will benefit your organization in terms of time to market, cost optimization, and raising the bar of quality.

    Finally, it talks about the moonshot of having a Testing Cloud – the AWS of Testing – and what it will take to reach there as a testing community.

    Take your testing to the cloud, and fly your flag high in quality!

  • Yevgeniy Shunevych - Atata Framework - Elegant and Powerful Page Object Model

    45 Mins / Tutorial / Intermediate

    I'm the creator of Atata Framework and want to share information about it. Atata Framework is a full-featured C#/.NET web test automation framework based on Selenium WebDriver. It uses a fluent page object pattern; has a built-in logging system; contains a unique triggers functionality; has a set of ready-to-use components. One of the key ideas of the framework is to provide a simple and intuitive syntax for defining and using page objects. A page object implementation requires as little code as possible. You can describe a page object class without any methods and only have a set of properties marked with attributes representing page components.

    Atata is a quite mature framework that has been developed by me since 2016. It is used in a variety of projects and has positive community feedback. I would like to tell you about the framework and the approaches implemented in it. Attendees may find Atata interesting to try in practice, as well as get familiar with specific Atata concepts that can be used separately from Atata.

  • Amuthan Sakthivel - CLEAN TEST DESIGN PRACTICES FOR EFFECTIVE SELENIUM AUTOMATION FRAMEWORK

    Amuthan Sakthivel, SDET, Clipboard Health
    Submitted 8 months ago. Sold Out!
    45 Mins / Demonstration / Intermediate

    Selenium is an amazing library for UI automation. However, using it in a project needs a proper test design, a good approach and the best framework. I have listed some of the challenges that most people face during automation and will also brief you on how we can solve those problems with effective design and approach.

    Key Challenges:

    1. Field level validations on a form containing several fields. (Many people will ignore these tests in automation as it may increase the number of lines of code and number of tests. Maintaining them is a difficult task)

    2. Verifying the state of the web element before operating on it. (It is imperative to check whether a web element is present or visible or clickable or needs a scroll to operate. Also, different elements need different explicit wait times. Most probably we will have a number of methods like waitForElementToBeClickable, waitForElementToBeVisible. This again results in increased lines of code.)

    3. Assertion of multiple components on a page. (Sometimes we want to validate several items on a page and writing methods like getTitle, isCompanyLogoPresent, isFooterMenuPresent either results in multiple tests or poor test code spoiling the readability.)

    4. CI/CD integration. (Most companies were using Jenkins as their CI/CD tool to schedule tests, and this is most probably maintained by the DevOps team. To set up a Jenkins job we need a lot of permissions. At worst we need a machine/infra to run and schedule our tests.)

    How can we solve these commonly occurring problems?

    1. With the advent of functional programming, we can pass different behaviours to the test methods. In the demo, I will use BiPredicate Interface implementations to solve this problem with clean design.

    2. Annotations in Java are very powerful but hardly used in test automation frameworks. I will use reflection and annotations to solve this problem with a much cleaner design.

    3. We can leverage Custom Validator classes and AssertJ to write some effective readable tests.

    4. We can leverage GitHub Actions and the GitHub runner to set up Selenium Grid infrastructure and run our tests without any additional infra.

    Tech Stack: Java, Functional Interfaces, Selenium, AssertJ, GitHub Actions

  • Aliasgar Chaiwala - Karate - Simple and Unified Test Automation for BDD

    Aliasgar Chaiwala, QA Head, Teatrig technologies
    Submitted 8 months ago. Sold Out!
    45 Mins / Demonstration / Beginner

    As most organizations are moving towards BDD, there was a need for a simple, easy test automation framework that supports BDD.

    Karate, an open source framework developed by Karatelabs, has made test automation simple and unified for both API testing and UI automation using Gherkin. In addition, it also supports mocks, performance testing, and mobile test automation with other inbuilt features.

  • Debasmriti Ghosh - How to Test Selenium Device Grid

    20 Mins / Case Study / Beginner

    In a fast-growing environment where everything is moving fast, it is a no-brainer to test web and apps on mobile devices. To build it there are so many articles and blogs, but none speak about how to test the device grid meant for testing. We have a similar problem where we need to test a mobile device grid consisting of a truly fragmented use case.

    It is different from testing applications on different platforms/versions. Testing cloud services itself has many challenges like

    1. Are we presenting the same Experience as a real physical device held in their hands to grid users?

    2. Testing Integrations with different components

    3. Implementing automation for complex scenarios like user actions (scroll, click etc.) with stability, fast pace, and less maintenance.

    We have faced a lot of complex challenges in this endeavour, and our engineering team has tried to solve them with some amazing results. In this session, we will provide the gist on the below issues:

    • How we simulate user actions on real devices using Selenium

    • How to leverage available frameworks based on your usage

    • Impact of automation on productivity and quality

  • Shubham Yadav - Why and how we moved our test automation to Nightwatch - a case study

    Shubham Yadav, Senior SDET, BrowserStack
    Submitted 8 months ago. Sold Out!
    20 Mins / Talk / Intermediate

    With the increasing frequency of releases and an ever-increasing number of automation scenarios, our existing framework wasn't helping the case. We saw an increase in our time and efforts with little to no improvement in results.

    With a bloated testing framework, we had serious performance and stability issues. Considering that, we started to look into the fundamentals and started exploring new testing frameworks. We identified a few candidates that matched our requirements and finally selected Nightwatch. It satisfied all the criteria and gave better results when compared to our already existing framework.

    In this talk, we will cover

    1. Challenges with existing Framework

    2. Why Nightwatch?

    3. Learnings and Outcome from migration

  • Syam Sasi - Integrating the desktop and mobile browser testing into the continuous delivery pipeline

    Syam Sasi, Senior Software Engineer, Carousell
    Submitted 9 months ago. Sold Out!
    45 Mins / Talk / Beginner

    Automated Web UI testing can be challenging when the UI flows on the desktop web and mobile web are different because the product experience is separately optimized for each screen size.

    In this talk, I will be discussing

    • Accessing native device components on the mobile web
    • Minimising the complexity with the help of the business layer concept
    • Executing the desktop and mobile tests in the continuous delivery pipeline using Selenium, Docker, and Jenkins pipeline.
    • Sharing a template for selecting which cloud provider suits you for web automation testing.

    Techstack Used: Java, Selenium, Appium, Python, Docker
