In Agile and DevOps environments, application code is continuously modified for enhancements or bug fixes. Every change to the application's code base has potential ramifications that could adversely impact its quality, its functionality or, worse, its security. Hence, applications are subjected to multiple iterations of tests for every release to prevent regressions. These regression tests are usually run against every build and cover the application's functionality, user experience and scalability. The same concept can be applied to the security aspect of the application.
we45's security regression framework helps engineering and QA teams extend the concept of regression tests to an application's security component. These security regression tests ensure that security vulnerabilities previously identified in the application do not resurface in subsequent releases.
The core of we45's regression framework involves re-using QA automation and walkthrough scripts. When these scripts are used in conjunction with DAST tools (such as ZAP or Burp), the scanner obtains additional context (authenticated sessions, navigation paths and request sequences) for running the payloads of the various vulnerability classes it scans for. The result is scan results with more focus and depth, especially during iterative product releases. In addition, logic flaws exploited by penetration testing teams are fed back as exploit automation scripts. These exploit scripts can be run in every future iteration of the application's development cycle to ensure that vulnerabilities fixed in one iteration do not regress in a later one.
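The following is an added illustration, not code from we45's framework: a minimal Python harness in which each finding from a previous penetration test is encoded as a regression check and replayed against every build. The toy application, its two findings (a cross-tenant invoice read and raw markup echoed by a search page) and the ticket ids are all constructed for the example.

```python
"""Security regression harness: each pentest finding becomes an automated
check that is replayed against every build of the application."""
from dataclasses import dataclass
from html import escape
from typing import Callable, Dict, List

# Constructed toy data: invoices owned by two different tenants.
INVOICES = {"inv-1": {"owner": "alice", "total": 120},
            "inv-2": {"owner": "bob", "total": 99}}

def build_vulnerable() -> Dict[str, Callable]:
    """Build N-1: the flaws the pentest reported are still present."""
    def get_invoice(user, inv_id):          # no ownership check
        return INVOICES.get(inv_id)
    def search(q):                          # echoes user input unescaped
        return f"<p>Results for {q}</p>"
    return {"get_invoice": get_invoice, "search": search}

def build_fixed() -> Dict[str, Callable]:
    """Build N: fixes applied; the regression suite must confirm they hold."""
    def get_invoice(user, inv_id):
        inv = INVOICES.get(inv_id)
        return inv if inv and inv["owner"] == user else None
    def search(q):
        return f"<p>Results for {escape(q)}</p>"
    return {"get_invoice": get_invoice, "search": search}

@dataclass
class RegressionCheck:
    finding_id: str                     # constructed ticket id from the report
    description: str
    probe: Callable[[dict], bool]       # returns True if the flaw is PRESENT

def cross_tenant_invoice(app) -> bool:
    # Logic flaw from the pentest: bob must not be able to read alice's invoice.
    return app["get_invoice"]("bob", "inv-1") is not None

def reflected_markup(app) -> bool:
    # The search page must not reflect raw markup back to the client.
    return "<b>" in app["search"]("<b>x</b>")

SUITE: List[RegressionCheck] = [
    RegressionCheck("SEC-101", "IDOR on invoice lookup", cross_tenant_invoice),
    RegressionCheck("SEC-102", "reflected markup in search", reflected_markup),
]

def run_regression(app, suite=SUITE) -> List[str]:
    """Return ids of findings that are present in this build (i.e. regressed)."""
    return [c.finding_id for c in suite if c.probe(app)]
```

A non-empty result from `run_regression` is what fails the build in the pipeline; in practice the probes would drive the real application through the same walkthrough scripts QA already maintains.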