Penetration Testing in the Release Pipeline – David Brownhill & Craig Scott-Angell – Software Delivery, Agile on the Beach 2016
David Brownhill & Craig Scott-Angell – Penetration Testing in the Release Pipeline
Short synopsis: Agile development teams whose user stories carry security verification requirements in their acceptance criteria can define those requirements as BDD-style scenarios. The talk explains how such security tests can be defined and implemented using a framework that combines tools from the popular Kali Linux tool-set.
Long synopsis: Given today's online threats, teams should take security seriously and follow secure coding practices. They should use web and native application scanning tools, both statically and dynamically, wherever possible and required. These tools can be time consuming in a release pipeline, which is why you want to target your testing at real security requirements for fast feedback. Using a framework like BDD-Security, you can draw on a collection of provided scenarios or write your own specific security tests. Tests for potential vulnerabilities in a build candidate may be functional, driven through Selenium WebDriver in the style of a traditional penetration test, or API based. SSL vulnerabilities can be checked and verified using SSLyze, and scans using the OWASP Zed Attack Proxy can be run. Example scenarios will be presented along with an example implementation of a release pipeline running against AWS, built from TeamCity using Ansible and executing vulnerability tests against both pre-production and production environments.
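To make the pipeline gate described above concrete, here is an added example (not code from the talk or from the BDD-Security project, which is Java based): a minimal Python runner that executes Gherkin-style security scenarios against constructed stand-ins for an SSLyze protocol scan and a ZAP alert list. The scenario wording, step patterns and the two data structures are assumptions for illustration, not the real tools' output formats.

```python
"""Minimal BDD-style security gate: Gherkin-like scenarios over constructed scan results."""
import re

# Constructed sample inputs standing in for SSLyze and ZAP output (not the real tool formats).
TLS_SCAN = {"protocols": ["TLSv1.2", "TLSv1.3"], "cert_expired": False}
ZAP_ALERTS = [
    {"name": "X-Content-Type-Options header missing", "risk": "Low"},
    {"name": "Cookie without Secure flag", "risk": "Medium"},
]

SCENARIOS = """
Scenario: Server does not accept legacy TLS protocols
  Given the TLS scan of the target
  Then protocol SSLv3 must not be offered
  And protocol TLSv1.0 must not be offered

Scenario: No high risk findings from the passive scan
  Given the ZAP alert list
  Then no alert of risk High is present
"""

# Step definitions: "Given" steps load data into the context, "Then" steps return pass/fail.
def step_given_tls(ctx, _): ctx["tls"] = TLS_SCAN
def step_given_zap(ctx, _): ctx["alerts"] = ZAP_ALERTS
def step_no_proto(ctx, m): return m.group(1) not in ctx["tls"]["protocols"]
def step_no_risk(ctx, m): return not any(a["risk"] == m.group(1) for a in ctx["alerts"])

STEPS = [
    (re.compile(r"the TLS scan of the target"), step_given_tls),
    (re.compile(r"the ZAP alert list"), step_given_zap),
    (re.compile(r"protocol (\S+) must not be offered"), step_no_proto),
    (re.compile(r"no alert of risk (\S+) is present"), step_no_risk),
]

def run_scenarios(text):
    """Return {scenario title: passed}; a release gate would fail the build on any False."""
    results, ctx, title = {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Scenario:"):
            title, ctx = line[len("Scenario:"):].strip(), {}
            results[title] = True
            continue
        body = re.sub(r"^(Given|When|Then|And)\s+", "", line)
        for pattern, fn in STEPS:
            m = pattern.fullmatch(body)
            if m:
                if fn(ctx, m) is False:
                    results[title] = False
                break
        else:
            raise ValueError(f"no step definition for: {line}")  # unknown step fails loudly
    return results
```

A scenario whose step has no definition raises rather than silently passing, which is the behaviour you want from a security gate in a pipeline.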
David is a non-functional test consultant currently working on implementing non-functional requirements as part of a continuously deploying pipeline. In addition to security, this includes performance and operational acceptance scenarios.
After graduating from Stirling University, David started his career as a developer at British Telecom in Martlesham Heath, progressing via performance testing to a more all-encompassing role covering the full range of non-functional responsibilities.
Craig is a software test engineer with extensive experience in quality assurance gained over a career in defence, finance and internet economy businesses.
Originally graduating as an electro-mechanical engineer, Craig started his career as a systems engineer in defence at General Dynamics before moving into software test engineering at Ingenico UK and Skyscanner. Craig now works as a senior automation engineer.
Working closely with agile teams, Craig believes that security testing should be a key component of the software development lifecycle, ensuring secure, quality software in a continuous integration environment.
Craig is passionate about building quality in from the start and thrives on the challenge of cultivating a security-conscious culture to ensure continued success in the current climate of online threats.