Security is a topic that’s on every tester’s mind this year. Whether you’re testing behind your company’s firewall, improving your application’s security against hackers, or ensuring privacy in a consumer-facing application, many of us know that security is important but neglect it as part of our strategy.
During Selenium Conf Austin, test automation experts Denali Lumma and Surendran Ehiraj shared their insights on the best practices for more efficient web security testing.
With over 2 billion rides taken, it’s no surprise that Uber takes security testing seriously. Given the amount of user information it holds, confidentiality, integrity, and availability all play a vital role in its quality engineering efforts.
Denali Lumma is the Senior Technology Manager and the Founder of People Engineering at Uber, tasked with hiring the engineers who ship high-quality, high-security libraries for user identification, authentication, and authorization.
In “Catching Waves in the Ocean of Quality,” she argues that, like quality, security must be integrated into each step of the development process: design, RFC, code, and review.
Lumma and her team first built a secure customer authentication platform to protect user identity, defend against fraud, embed privacy, and support the company ecosystem. It also improved usability, scalability, maintainability, and extensibility.
How data is handled matters just as much, through practices including deletion, filtering, and encryption. That means making sure deleted data stays deleted everywhere it was copied, sharing data internally and externally without compromising individual privacy, and rotating encryption keys regularly.
To do this, Lumma’s team uses differential privacy: released results are perturbed so that the presence or absence of any one individual is statistically indistinguishable. This limits how much anyone can learn about an individual and guards against insufficient anonymization, while preserving the aggregate trends the data is meant to show.
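To make the indistinguishability property concrete, here is an added example of the Laplace mechanism for counting queries, with a simple sequential-composition budget. It is not Uber’s implementation (the talk names differential privacy but not how it was built); the epsilon values, the rider rows and the budget size are constructed for illustration.

```python
"""Laplace mechanism for counting queries with a per-dataset privacy budget.

Added example, not Uber's code: adding or removing one person changes a count
by at most 1 (sensitivity 1), so Laplace noise with scale 1/epsilon makes the
released count epsilon-differentially private while keeping totals usable.
Epsilon values and sample rows below are constructed.
"""
import math
import random
from typing import Callable, Sequence


class PrivacyBudget:
    """Sequential composition: epsilons spent on one dataset add up and
    may not exceed the total granted for it."""

    def __init__(self, total_epsilon: float):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError(
                f"privacy budget exhausted: {self.spent:.2f} of {self.total} already spent")
        self.spent += epsilon


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon yields epsilon-differential privacy."""
    return sensitivity / epsilon


def sample_laplace(scale: float, rng: random.Random) -> float:
    """Inverse-CDF sample of Laplace(0, scale); random.Random has no laplace()."""
    while True:
        u = rng.random() - 0.5           # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:                 # skip the endpoint where log(0) would occur
            return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_count(rows: Sequence[dict], predicate: Callable[[dict], bool],
                  epsilon: float, budget: PrivacyBudget, rng: random.Random) -> float:
    """Noisy count of rows matching predicate; charges epsilon to the budget first."""
    budget.charge(epsilon)
    true_count = sum(1 for r in rows if predicate(r))
    return true_count + sample_laplace(laplace_scale(1.0, epsilon), rng)


def mean_noise(scale: float, n: int, seed: int) -> float:
    """Average of n Laplace samples; shows the noise is unbiased, so trends survive."""
    rng = random.Random(seed)
    return sum(sample_laplace(scale, rng) for _ in range(n)) / n


def demo(seed: int = 7) -> dict:
    """Release the same count on a dataset and on its neighbour (one rider removed)."""
    rows = [{"city": "Austin", "night_ride": i % 3 == 0} for i in range(1000)]  # constructed
    neighbour = rows[:-1]                                  # differs in exactly one person
    is_night = lambda r: r["night_ride"]
    budget = PrivacyBudget(total_epsilon=1.0)              # assumed budget for this dataset
    rng = random.Random(seed)
    full = private_count(rows, is_night, 0.5, budget, rng)
    near = private_count(neighbour, is_night, 0.5, budget, rng)
    return {"true_full": sum(map(is_night, rows)), "noisy_full": full,
            "noisy_neighbour": near, "epsilon_spent": budget.spent}


if __name__ == "__main__":
    print(demo())
```

Both releases above come from the same budget; a third query at epsilon 0.5 would raise, which is the point of tracking composition: every answer leaks a little, and the budget caps the total. Note the noise scale grows as epsilon shrinks, so stronger privacy costs accuracy, and a count of 334 with scale 2 is still a usable trend.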
In response to Uber’s growing consumer base, Lumma and her team were able to meet the high priority need for thorough security testing, while simultaneously increasing user acquisition, improving performance, and reducing losses due to fraud.
- Do you think in this digital world NFRs such as security are important?
- If yes, are you doing security testing as part of an agile process?
- If yes, what is the frequency of your test?
These are the questions about non-functional requirements (NFRs) that Surendran Ehiraj posed at the start of his presentation, “Security Test Driven Development (STDD) Using Selenium/Appium”.
“Security is important. We all know, but we don’t do it,” says Ehiraj. “We compromise on security.”
Rather than being built into the agile development process, Ehiraj observed, security becomes a concern only after an incident. He cited the infamous Ashley Madison breach as an example of security being considered once it was already too late.
To combat breaches, Ehiraj argues that static, dynamic, and forensic application security testing can be folded into the TDD cycle using existing tools and practices, bringing a greater focus on security into development.
For example, OWASP Zed Attack Proxy (ZAP), an open source tool for finding vulnerabilities in web applications, can sit between your Selenium tests and the application under test: the existing functional tests drive the browser through the app, ZAP records and passively scans every request and response it proxies, and the same recorded traffic can seed an active scan.
Ehiraj said he uses ZAP often as an intercepting proxy, and while automation engineers may hesitate to start security testing, the tool is easy enough for beginners to collect comprehensive results on how secure a web application is.
Even better, we played around a little with ZAP, and it works against CrossBrowserTesting, which means you can execute cross-browser security testing with Selenium. Very fancy.
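The wiring described above, as an added example rather than code from the talk or from CrossBrowserTesting: the browser is pointed at a local ZAP instance, the Selenium suite runs as usual, and afterwards ZAP’s alerts are fetched over its JSON API and turned into a pass/fail gate for the build. The ZAP address, API key, target URL, risk threshold and the sample alerts are assumptions; the sample is shaped like ZAP’s `core/view/alerts` response but was not captured from a real scan.

```python
"""Route Selenium traffic through ZAP and gate the run on ZAP's findings.

Added example (not from the presentation or from CrossBrowserTesting).
Assumed: ZAP listens on 127.0.0.1:8080 with an API key; the target URL,
the risk threshold and SAMPLE_ALERTS are illustrative.
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

ZAP_ADDR = "127.0.0.1:8080"   # assumed ZAP proxy/API address
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def chrome_args_for_zap(zap_addr: str = ZAP_ADDR) -> List[str]:
    """Chrome flags that send browser traffic through ZAP; pass each to
    selenium.webdriver.ChromeOptions().add_argument(). ZAP re-signs TLS
    with its own root CA, so install that CA in the test profile or, on a
    disposable test box only, ignore certificate errors."""
    return [
        f"--proxy-server=http://{zap_addr}",
        "--proxy-bypass-list=<-loopback>",   # also proxy localhost targets
        "--ignore-certificate-errors",
    ]


def zap_api(endpoint: str, api_key: str, **params) -> dict:
    """GET a ZAP JSON API endpoint, e.g. zap_api('core/view/alerts', key, baseurl=...)."""
    params["apikey"] = api_key
    url = f"http://{ZAP_ADDR}/JSON/{endpoint}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def fetch_alerts(api_key: str, base_url: str) -> List[dict]:
    """Alerts ZAP raised for base_url, passive or active, after the Selenium run."""
    data = zap_api("core/view/alerts", api_key, baseurl=base_url, start=0, count=10000)
    return data["alerts"]


def summarize_alerts(alerts: List[dict], min_risk: str = "Medium"
                     ) -> Tuple[List[dict], Dict[str, int]]:
    """Deduplicate by (alert name, url, param) and return the alerts at or
    above min_risk plus a count of unique alerts per risk level."""
    seen = set()
    failing = []
    counts = {risk: 0 for risk in RISK_ORDER}
    for a in alerts:
        key = (a["alert"], a["url"], a.get("param", ""))
        if key in seen:
            continue
        seen.add(key)
        counts[a["risk"]] += 1
        if RISK_ORDER[a["risk"]] >= RISK_ORDER[min_risk]:
            failing.append(a)
    return failing, counts


def security_gate(alerts: List[dict], min_risk: str = "Medium") -> bool:
    """True when the build may proceed: no unique alert at or above min_risk."""
    failing, _ = summarize_alerts(alerts, min_risk)
    return not failing


# Constructed sample shaped like ZAP's /JSON/core/view/alerts/ output
# (fields trimmed); the duplicate first entry mimics ZAP flagging the same
# missing header on two requests to one URL.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "https://app.example.test/login", "param": "", "pluginId": "10020"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "https://app.example.test/login", "param": "", "pluginId": "10020"},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": "https://app.example.test/login", "param": "session", "pluginId": "10011"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational",
     "confidence": "Low", "url": "https://app.example.test/", "param": "", "pluginId": "10027"},
]


if __name__ == "__main__":
    # Real run: start ZAP, launch Chrome with chrome_args_for_zap(), execute the
    # Selenium suite, then alerts = fetch_alerts(API_KEY, "https://app.example.test").
    failing, counts = summarize_alerts(SAMPLE_ALERTS)
    print("unique alerts by risk:", counts)
    for a in failing:
        print(f"FAIL {a['risk']}: {a['alert']} at {a['url']}")
    print("gate passed:", security_gate(SAMPLE_ALERTS))
```

Deduplicating before counting keeps a single missing header from looking like a dozen findings, and the threshold is deliberately a parameter: a team starting out might fail only on High, then tighten to Medium once the backlog is cleared. Passive scanning of functional-test traffic finds header, cookie and disclosure issues; injection flaws need an active scan, which ZAP can run against the URLs the Selenium session already visited.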
We know the importance of automated testing and cross-browser testing. However, one area we often disregard is security testing.
To ensure that your engineers are deploying high-quality, trusted web applications, web security testing needs to become part of the testing and development process. By prioritizing the security of your company and your customers, you can avoid the pitfalls, data breaches, and hacks that have cost less fortunate applications both profit and reputation.