With increasing cyber threats and online attacks, continuous security testing has become unavoidable. Making sure all vulnerabilities are uncovered regularly is highly significant.

The paper hence proposes a solution where automated security testing is achieved in conjunction with functional testing carried out using the Selenium API.

It introduces a framework that caters to automated security testing alongside functional testing, providing an integrated testing solution.

The paper takes these two premises to offer a solution where functional automation testers can also take on security testing. I propose a framework where automated security testing is achieved in conjunction with functional testing, using existing Selenium API scripts.

The framework covers the top vulnerabilities and provides intuitive results that help a non-security tester interpret and act on the output. At the very core of this framework is the open source tool, OWASP ZAP, which is easy to use and integrates well with Selenium automation frameworks.

I bring hands-on project experience, having implemented this framework for clients who have been able to get the value of functional and security testing from the same set of scripts. It is this experience I would like to share with the SeleniumConf2016 audience, to help groom functional testers into security testing with minimal cost and time, also enabling security testing to be performed every time functional automation is taken up.


Outline/structure of the Session

With increasing cyber threats and online attacks, continuous security testing has become inevitable, and making sure all vulnerabilities are uncovered regularly is highly significant.

The paper hence proposes a solution where automated security testing is achieved in conjunction with functional testing carried out using the Selenium API.

It introduces a framework that caters to automated security testing alongside functional testing, providing an integrated testing solution.

The main points of this presentation are:

  1. Need For Automated Security Testing
  2. Spectrum of Available Tools
  3. Core Tool Of Our Security Testing Framework
  4. Framework Architecture
  5. Framework Coverage
  6. Demo
  7. Analysis and Reporting
  8. Take Aways

Learning Outcome

  1. Make security testing a habit
  2. Leverage existing functional test scripts - run security tests in parallel
  3. Sync with DevOps. Integrate with CI tools
  4. Open invite to all teams to try this tool
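The abstract describes the framework only in outline: functional Selenium scripts are run through OWASP ZAP, ZAP's findings are collected, and the results are presented so that a non-security tester can act on them and a CI job can gate on them. The script below is an added example written for this page; it is not the proposal author's framework (which, per the comments, uses ZAP's Java API) but a Python equivalent that talks to the same ZAP REST API over plain HTTP and drives Chrome through ZAP with Selenium's Python bindings. The ZAP address, the API key placeholder, the hostnames and the alert payload are assumptions or constructed sample data; the triage and summary functions run offline on that sample, while `security_pass` needs a running ZAP daemon and a browser.

```python
"""
Added example (not the proposal's own framework code): run a Selenium
functional script through OWASP ZAP used as an intercepting proxy, pull the
alerts ZAP recorded over its REST API, and turn them into a CI pass/fail gate
with a summary a non-security tester can act on. ZAP address, API key and the
alert payload are assumptions / constructed sample data.
"""
import json
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"           # assumption: ZAP daemon on its default port
ZAP_API_KEY = "REPLACE_WITH_ZAP_API_KEY"    # placeholder; ZAP rejects API calls without it
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_get(component, kind, name, **params):
    """GET a ZAP JSON endpoint: /JSON/<component>/<view|action>/<name>/?...&apikey=..."""
    params["apikey"] = ZAP_API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def make_proxied_driver(proxy="127.0.0.1:8080"):
    """Chrome with every request routed through ZAP, so the pages a functional
    test visits land in ZAP's site tree and are passively scanned as they flow.
    Selenium is imported lazily so the triage helpers below work without it."""
    from selenium import webdriver
    opts = webdriver.ChromeOptions()
    opts.add_argument(f"--proxy-server=http://{proxy}")
    # ZAP re-signs TLS with its own root CA; for a throwaway test browser this
    # flag is the usual shortcut, installing ZAP's CA into the profile is cleaner.
    opts.add_argument("--ignore-certificate-errors")
    return webdriver.Chrome(options=opts)


def active_scan(base_url, poll_seconds=5):
    """Start ZAP's active scan on what the functional run discovered, wait for
    100%, then return every alert ZAP holds for that base URL."""
    import time
    scan_id = zap_get("ascan", "action", "scan", url=base_url, recurse="true")["scan"]
    while int(zap_get("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)
    return zap_get("core", "view", "alerts", baseurl=base_url)["alerts"]


def triage_alerts(alerts, fail_at="Medium"):
    """Group raw alerts (ZAP emits one per URL instance) by name and risk, order
    them by severity and decide the gate: anything at or above `fail_at` fails."""
    findings = {}
    for a in alerts:
        key = (a["alert"], a["risk"])
        f = findings.setdefault(key, {"alert": a["alert"], "risk": a["risk"],
                                      "urls": set(), "solution": a.get("solution", "")})
        f["urls"].add(a["url"])
    ordered = sorted(findings.values(), key=lambda f: -RISK_RANK[f["risk"]])
    blocking = [f for f in ordered if RISK_RANK[f["risk"]] >= RISK_RANK[fail_at]]
    return {"passed": not blocking, "blocking": blocking, "all": ordered}


def summarize(report):
    """Plain-text summary: verdict, then each finding with its affected URL count
    and ZAP's own remediation advice, which is what a functional tester acts on."""
    lines = ["PASS" if report["passed"] else "FAIL",
             f"{len(report['all'])} distinct finding(s), {len(report['blocking'])} blocking"]
    for f in report["all"]:
        lines.append(f"[{f['risk']}] {f['alert']} on {len(f['urls'])} URL(s)")
        lines.append(f"    fix: {f['solution']}")
    return "\n".join(lines)


# Constructed sample in the shape of ZAP's core/view/alerts output (not real scan data).
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.test/login",
     "solution": "Send X-Frame-Options or a CSP frame-ancestors directive on every page."},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.test/account",
     "solution": "Send X-Frame-Options or a CSP frame-ancestors directive on every page."},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": "http://app.test/login",
     "solution": "Set the HttpOnly flag on session cookies."},
    {"alert": "Server Leaks Version Information", "risk": "Low", "url": "http://app.test/",
     "solution": "Suppress the version string in the Server header."},
]


def security_pass(base_url, functional_test, fail_at="Medium"):
    """Glue: replay the existing Selenium test through ZAP, then active-scan and gate."""
    driver = make_proxied_driver()
    try:
        functional_test(driver)          # the unchanged functional script, e.g. a login flow
    finally:
        driver.quit()
    return triage_alerts(active_scan(base_url), fail_at)


if __name__ == "__main__":
    # Offline demonstration on the constructed alerts; in CI call security_pass(...)
    # instead and let the exit code fail the job.
    report = triage_alerts(SAMPLE_ALERTS, fail_at="Medium")
    print(summarize(report))
    raise SystemExit(0 if report["passed"] else 1)
```

The gate threshold is the knob a team tunes as security testing becomes a habit: start with `fail_at="High"` so the build only breaks on what nobody disputes, and lower it to `"Medium"` once the backlog of header and cookie findings has been worked through. Grouping by alert name rather than reporting every URL instance is what keeps the output readable for someone who has never opened ZAP.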

Target Audience

Software Professionals, Software Testers, QA Leads, Automation experts

Submitted 1 year ago

Comments

  • Abhi Kyadari  ~  7 months ago

    Hi Sarvesh,

    Could you share your sample working code of ZAP with Selenium?

  • Gangadharan Subramanian  ~  11 months ago

    Hi Sarvesh,

    If you share the video of the session, that would really be great.

    • Sarvesh Shrivastava  ~  9 months ago

      Hi Gangadharan,

      I am also still waiting for the link to the videos from the committee. I will share it with you as I get it.

      Thanks,

      Sarvesh

    • Anand Bagmar  ~  1 year ago

      Hi,

      I like this. However, I have a few suggestions:

      - make this a 45 min talk - that will give more time to go through the large agenda you have

      - don't just talk about how to integrate the test, also demo how to interpret the results and take the next corrective steps

      • Sarvesh Shrivastava  ~  1 year ago

        Hello Anand,

        Thanks for your valuable suggestions.

        What is the normal duration people generally target in Selenium Conference?

        We can increase it to 40 minutes if you want by increasing the content and the demo, but then the audience may lose interest. That is why we wanted it to be short and sweet.

        Also we are planning to extend some capabilities of the existing demo and content and will showcase that with the corrective steps.

        • Anand Bagmar  ~  1 year ago

          Hi Sarvesh,

          We do have the 20 min and 45 min duration slots. As long as you are open to doing a 45 min talk (which I am guessing from your above comment you are), I will leave it like that for now and let's wait for the review committee to see what they think as a collective unit. Based on that feedback, you can then update the proposal accordingly. OK?

          Thanks again!

          • Sarvesh Shrivastava  ~  1 year ago

            Hello Anand, Manoj,

            Could you please share your email IDs here? I need to clear some queries.

            Thanks,

            • Anand Bagmar  ~  1 year ago

              Hi,

              You can simply write a comment and select the "private message" checkbox for sending your questions across.

          • Sarvesh Shrivastava  ~  1 year ago

            Thank you Anand,

            Yes, it would be good :)

    • ManojKumar  ~  1 year ago

      I did a bit of work in the recent past using Zap-WebDriver; if you want to add this, it may help in extending to a 45 min talk.

      It's using the OWASP ZAP Java API.

      Not an endorsement, but a suggestion.

      • Sarvesh Shrivastava  ~  1 year ago

        Hi Manoj,

        Thank you for your suggestion and sorry for replying late!!

        I am already using OWASP ZAP's Java API in my framework and have integrated ZAP-WebDriver. I will demonstrate it with a demo and will also extend some capabilities of the existing demo and content.

        I think (it is my personal opinion, maybe not so effective) we can make the question and answer round more interactive and interesting if we want, instead of taking the presentation up to 45 minutes. What do you think about it?

        But still we will think about your suggestions and will let you know if we can go with the extended slot; we also agree with @Anand's words.
