Application Security Testing: A New Approach

Declan O'Riordan

Testing IT

Application security testing is a broad and deep topic that few testers or developers ever master. Static and dynamic analysis vulnerability detection tools have proven to be appallingly inaccurate. Specialised hands-on security testing tools require intensive effort by skilled experts, who remain in short supply. Security testing a web application thoroughly presents extreme challenges to the delivery date and to the scope of test coverage. The shift to Agile and DevOps can exacerbate the conflict between security and timely delivery if conventional tools and techniques are carried over from sequential project development methodologies.

A new approach to application security has arrived that turns our traditional testing model inside-out. Now we can integrate security tools with the code and components inside applications. Instead of scanning and probing an application from the outside, we can make security attributes report out to us from inside the application itself. Security becomes part of the code and operates continuously, in real time. This is the story of the first UK implementation of Interactive Application Security Testing (IAST).
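To make the inside-out idea concrete, here is an added illustration in Python; it is not code from the paper or from any IAST product. A small in-process sensor is attached to the application's database layer: the request handler tells the sensor which values arrived from the outside, and the instrumented `sqlite3` cursor checks, at the moment a query reaches the database, whether one of those values was spliced into the SQL text. A finding is raised from inside the running application, with the route and the code location that reached the sink. The `sqlite3` sink, the substring check (a crude stand-in for real taint tracking), the minimum value length, the route names and the sample table are all assumptions made for this example.

```python
"""Toy in-process security sensor, in the spirit of IAST: the application is
instrumented so that a sink (sqlite3 query execution) inspects the data it
receives and reports a finding from inside the running app.
Added illustration; not code from the paper or from any IAST product."""
import sqlite3
import traceback
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Finding:
    rule: str        # e.g. "sql-injection"
    route: str       # request handler that was executing
    location: str    # function:line that reached the sink
    sink: str        # the instrumented call
    evidence: str    # the SQL text exactly as it reached the database


@dataclass
class InAppSensor:
    """Remembers untrusted inputs at the source and checks them at sinks."""
    route: str = ""
    untrusted: List[str] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)

    def on_request(self, route: str, params: Dict[str, str]) -> None:
        # Source: every request parameter is untrusted. Values shorter than
        # four characters are ignored; this is an assumption made for the
        # example, a crude stand-in for real taint tracking, to avoid noise.
        self.route = route
        self.untrusted = [v for v in params.values() if len(v) >= 4]

    def check_sql_sink(self, sql: str) -> Optional[Finding]:
        # Sink: an untrusted value appearing verbatim in the SQL text means it
        # was concatenated into the query instead of being bound as a parameter.
        for value in self.untrusted:
            if value in sql:
                finding = Finding("sql-injection", self.route,
                                  _caller_outside_sensor(),
                                  "sqlite3.Cursor.execute", sql)
                self.findings.append(finding)
                return finding
        return None


def _caller_outside_sensor() -> str:
    """Return 'function:line' of the first frame above the sensor wrappers."""
    for frame in reversed(traceback.extract_stack()):
        if frame.name not in ("_caller_outside_sensor", "check_sql_sink", "execute"):
            return f"{frame.name}:{frame.lineno}"
    return "unknown"


class SensorCursor(sqlite3.Cursor):
    """Cursor whose execute() consults the sensor before running the query."""
    def execute(self, sql, parameters=()):
        sensor = getattr(self.connection, "sensor", None)
        if sensor is not None:
            sensor.check_sql_sink(sql)
        return super().execute(sql, parameters)


class SensorConnection(sqlite3.Connection):
    """Connection that hands out SensorCursor objects; attach a sensor after connect."""
    sensor: Optional[InAppSensor] = None

    def cursor(self, factory=SensorCursor):
        return super().cursor(factory=factory)

    def execute(self, sql, parameters=()):
        return self.cursor().execute(sql, parameters)


def build_app():
    """Instrumented in-memory database with one table of constructed sample data."""
    sensor = InAppSensor()
    conn = sqlite3.connect(":memory:", factory=SensorConnection)
    conn.sensor = sensor
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    return conn, sensor


def lookup_role_concat(conn, sensor, params):
    """Handler that builds SQL by string concatenation: the defect to detect."""
    sensor.on_request("/role-concat", params)
    sql = "SELECT role FROM users WHERE name = '" + params["name"] + "'"
    cursor = conn.execute(sql)
    return [row[0] for row in cursor]


def lookup_role_param(conn, sensor, params):
    """The same handler with a bound parameter; the sensor stays silent."""
    sensor.on_request("/role-param", params)
    cursor = conn.execute("SELECT role FROM users WHERE name = ?", (params["name"],))
    return [row[0] for row in cursor]


def run_demo():
    """Exercise both handlers with the same input and return the findings."""
    conn, sensor = build_app()
    lookup_role_param(conn, sensor, {"name": "alice"})
    lookup_role_concat(conn, sensor, {"name": "alice"})
    return sensor.findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.rule}] route={f.route} at {f.location} sink={f.sink}\n    {f.evidence}")
```

Running the module reports exactly one finding, for the concatenating handler, and none for the parameterised one, even though both handlers receive the same input and return the same row. That is the property the paper is pointing at: the verdict comes from observing the code's actual behaviour at the sink, not from guessing at it with an external scanner, so it is available on every request in every environment where the instrumented code runs. A production IAST agent replaces the substring check with taint propagation through the runtime and instruments many more sinks, but the sensing-from-inside shape is the same.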

This paper was the joint winner of the Best Paper at the EuroSTAR Software Testing Conference Awards in 2016.

Key Takeaways

  • Technology problems can be solved with technology solutions. Learn to understand and harness the new enabling technology.
  • IAST is the biggest and most disruptive security testing advance in decades. It has the potential to make you a great security tester in a matter of seconds.
  • Understanding the differences between continuous and continual, and between sensing and scanning, is key to DevOps success.


About Me!

Declan O’Riordan won the EuroSTAR Conference Best Paper award at EuroSTAR 2014 and 2016 (joint winner with Zeger Van Hese). He has also been a keynote speaker at various testing conferences, was part of the organising committee for EuroSTAR 2015, and is a co-chair of the UKSTAR Conference 2017.
