Summary

Security testing sounds like it might be best left to the “experts”, whoever they are, but I will share how we can include it in our day-to-day testing. From exploratory testing to API and automated testing, there are things that we can and should be doing.

Through this workshop we will learn about the scope of security testing, find out about the automated tools available and then spend some time practising basic security testing techniques like SQL injection, Insecure Direct Object Reference (IDOR) and using browser developer tools.

Setup

- Attendees will need to bring a laptop or pair up. Any browser is fine, but Chrome is recommended.
- Screen & HDMI/equivalent for presenting slides & demos.

Activities

For a 2 hour workshop:

- IDOR / URL manipulation
- Bypassing UI using developer tools
- Cross-site scripting (XSS)
- SQL injection

If a 4 hour workshop is preferred, I can add in additional activities, including analysing session data and a Capture the Flag exercise.

Key takeaways:

- Recognise that security testing is something that you can & should be doing
- Identify the "low hanging fruit" security bugs in software
- Execute basic penetration tests against an online system