Power to the Team!

June 25, 2020 // By Bill Roske

“Information is power”, as the saying goes, and crooks are always looking for more. Stories of security and data breaches are all too common these days. As software quality engineers, we cannot all drop what we are doing and become security or “penetration testing” experts. But fear not! There IS something we can do.

The Open Web Application Security Project (OWASP) publishes a list of the Top 10 security vulnerabilities of web applications. Most developers know (or should know) about this list. But do they know when a change they made opens up a vulnerability on that list? Wouldn’t it be great if there were a way that we could monitor the application under test WHILE we test and identify some of these vulnerabilities, automatically?

There is! OWASP makes available an open source security testing tool called the Zed Attack Proxy (ZAP). It can monitor all web traffic between a browser (or web API test) and the underlying services, flagging the security risks it recognizes in that traffic. Pointing your browser at ZAP as its proxy takes seconds and allows you to test your application (manually or with automation) as you normally would. At the end of your testing session you can generate a report that identifies specific risks, grouped by risk level, with references and suggested solutions.

ZAP has a BUNCH more capability than that. It can even perform an automated attack on your application. **NOTE: Do NOT do this without explicit permission and advisement from your security team. It WILL set off alarms you didn’t even know existed!** (speaking from the experience of “a friend” 😊) It’s not my intent to produce a tutorial on the use of ZAP in this forum. OWASP has done an excellent job of that, available at the link I mentioned above.

Injecting ZAP into your functional and regression testing can provide information to developers early in the development process and prevent an embarrassing and costly vulnerability in your application. It’s not a silver bullet! It doesn’t take the place of a thorough security testing strategy. However, the cost is minimal and the information generated is invaluable.
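As an added example (not code from this post or from the ZAP project), here is a small Python gate that reads the JSON report ZAP produces at the end of a test session, summarizes alerts by risk level, and fails the regression pipeline when anything at Medium or above shows up, printing ZAP's suggested solution and reference for each blocking alert. The report field names (site, alerts, riskcode, riskdesc, solution, reference, instances) are my assumption about ZAP's JSON report layout, and the sample report is constructed for the example.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of ZAP's JSON report (sites, each carrying alerts
# with riskcode/riskdesc/solution/reference/instances). The field names are an
# assumption about the report format; the values are made up for this example.
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://localhost:8080", "alerts": [
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "riskdesc": "Low (Medium)", "solution": "Send X-Content-Type-Options: nosniff.",
     "reference": "https://owasp.org/", "instances": [{"uri": "http://localhost:8080/"}]},
    {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "riskdesc": "High (Medium)", "solution": "Validate input; output-encode on render.",
     "reference": "https://owasp.org/", "instances": [
         {"uri": "http://localhost:8080/search?q=x"}, {"uri": "http://localhost:8080/item?id=1"}]},
    {"alert": "Cookie Without Secure Flag", "riskcode": "1",
     "riskdesc": "Low (Medium)", "solution": "Set the Secure attribute on the cookie.",
     "reference": "https://owasp.org/", "instances": [{"uri": "http://localhost:8080/login"}]},
]}]})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def load_alerts(report_text):
    """Flatten the report into (site, alert) pairs across all sites."""
    return [(site["@name"], alert) for site in json.loads(report_text).get("site", [])
            for alert in site.get("alerts", [])]

def summarize(report_text):
    """Count alerts per risk level, mirroring the end-of-session summary."""
    return dict(Counter(RISK_NAMES[int(a["riskcode"])] for _, a in load_alerts(report_text)))

def gate(report_text, fail_at="Medium"):
    """Return alerts at or above fail_at, highest risk first; an empty list means pass."""
    threshold = {name: code for code, name in RISK_NAMES.items()}[fail_at]
    findings = [{"site": site, "code": int(a["riskcode"]), "risk": a["riskdesc"],
                 "name": a["alert"], "instances": len(a.get("instances", [])),
                 "solution": a.get("solution", ""), "reference": a.get("reference", "")}
                for site, a in load_alerts(report_text) if int(a["riskcode"]) >= threshold]
    return sorted(findings, key=lambda f: -f["code"])

if __name__ == "__main__":
    # Pass the report path from the test run; falls back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("Alerts by risk:", summarize(text))
    blocking = gate(text)
    for f in blocking:  # surface the fix and reference ZAP attaches to each alert
        print(f"[{f['risk']}] {f['name']} x{f['instances']} at {f['site']}\n"
              f"    fix: {f['solution']}\n    ref: {f['reference']}")
    sys.exit(1 if blocking else 0)  # non-zero exit fails the regression pipeline
```

Run it as the last step of the regression job with the path of the report ZAP exported; the non-zero exit is what turns a finding into a failed build that developers see early.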

Remember: “Information is Power.” Power to the team!!

Categories // Quality Engineering, Security
Tags Security, Quality Engineering