Conference archive

Thursday, November 17, 2016 - 10:00am to 11:00am

Exploratory Security Testing in the Browser

Much of the time, security testing is relegated to the end of development and then is assumed to be someone else’s problem. However, late security fixes can have a huge impact on your delivery dates. Although automated scanners offer some help by inspecting your application’s HTTP traffic, most common attacks are best performed in the browser, which should be the focus of your exploratory security testing. Using familiar automation practices, open source tools (WebDriver/Selenium), and a browser (Chrome/Firefox/Edge), Abraham Marin-Perez shows you how to drive a browser and attack a web application, thus providing a way to automate your security testing and receive quick feedback. The best way to find those nasty JavaScript injection bugs is by using an actual browser. With automation practices already familiar to teams, you can integrate a security testing technique—in an agile way—and keep your clients safe.

Abraham Marin-Perez
Equal Experts

Abraham Marin-Perez is a Java programmer, author, speaker, and agile consultant. Abraham has been working in software development for a decade, paying special attention to what maximizes a team's capacity to deliver in the long term. This has led him to study everyday programming habits and techniques that ensure the sustainability of the development process, sharing his views in Real-World Maintainable Software and more informally in his blog and on Twitter (@AbrahamMarin). He helps run the London Java Community, an organization that is an elected member of the Java Community Process Executive Committee, and contributes as a Java news editor at InfoQ.