One of the most challenging phases within the Secure Software Development Life Cycle (SSDLC) is the implementation of Dynamic Application Security Testing (DAST). In this talk, we propose a new vision to address this critical phase, transforming it into a more efficient and accessible process by integrating it directly with the web tests developed by software quality teams.
The need for a robust dynamic security testing process that software quality teams can adopt with little effort has been the driving force behind this research. For this purpose, two key concepts are merged: automated web testing and the dynamic security testing tool ZAProxy. Typically, configuring a dynamic analysis tool requires analysing in advance which URLs are to be attacked and setting up the authentication flow, among other things.
In this talk, however, we propose a different approach: ZAProxy connects directly to the browser in which the tests are executed, so every request the tests issue passes through the proxy and can be analysed and attacked. This approach has several advantages: analysis by functionality (findings are tied to the feature a given test exercises), simplicity (no separate URL inventory or authentication configuration for the scanner) and prevention (security findings surface together with the functional tests, early in the development cycle).
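The following is an added example of the integration described above, written for this page and not taken from the speakers' material. It routes a Selenium-driven Chrome through ZAProxy, waits for the passive scanner to drain, optionally active-scans only the URLs the test itself touched (the "analysis by functionality" idea) and gates on the resulting alerts. Everything environment-specific is an assumption: ZAP listening on 127.0.0.1:8080 with API key "changeme", the application under test at http://localhost:3000, and a test being any callable that takes a WebDriver; the alert list at the bottom is constructed in the shape of ZAP's core/view/alerts output so the scoring helpers can run offline.

```python
"""Run a Selenium test through OWASP ZAP, then gate on the alerts it produced.

Added example, not the talk's code. Assumptions (labelled): ZAP proxy/API at
127.0.0.1:8080 with API key "changeme"; target app at http://localhost:3000.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: ZAP's local proxy/API address
ZAP_API_KEY = "changeme"            # assumption: key ZAP was started with
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_api(component, kind, name, **params):
    """Call a ZAP JSON API endpoint, e.g. zap_api("ascan", "action", "scan", url=...)."""
    params["apikey"] = ZAP_API_KEY
    url = f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def chrome_options_via_zap(proxy_host="127.0.0.1", proxy_port=8080):
    """Chrome options sending all browser traffic through ZAP. ZAP's generated TLS
    certificate is not trusted by default, so the test browser ignores cert errors."""
    from selenium import webdriver  # imported here so the offline helpers need no Selenium
    opts = webdriver.ChromeOptions()
    opts.add_argument(f"--proxy-server=http://{proxy_host}:{proxy_port}")
    opts.add_argument("--ignore-certificate-errors")
    return opts


def urls_touched(before, after):
    """URLs that appeared in ZAP's site tree during one test: the scope for
    attacking exactly the functionality that test exercised."""
    return sorted(set(after) - set(before))


def summarize(alerts):
    """Count alerts per risk level (records as returned by core/view/alerts)."""
    counts = {level: 0 for level in RISK_ORDER}
    for a in alerts:
        counts[a["risk"]] += 1
    return counts


def gate(alerts, fail_at="Medium"):
    """Alerts at or above the threshold; a CI step fails when this is non-empty."""
    floor = RISK_ORDER[fail_at]
    return [a for a in alerts if RISK_ORDER[a["risk"]] >= floor]


def wait_for_passive_scan(poll=1.0):
    """Block until ZAP's passive scanner has processed every proxied message."""
    while int(zap_api("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(poll)


def active_scan(url):
    """Active-scan a single URL (no recursion) and wait for completion."""
    scan_id = zap_api("ascan", "action", "scan", url=url, recurse="false")["scan"]
    while int(zap_api("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)


def run_test_through_zap(test, target="http://localhost:3000", active=False):
    """Execute one Selenium test behind ZAP and return the alerts ZAP raised."""
    from selenium import webdriver
    before = zap_api("core", "view", "urls", baseurl=target)["urls"]
    driver = webdriver.Chrome(options=chrome_options_via_zap())
    try:
        test(driver)  # the QA team's existing functional test, unchanged
    finally:
        driver.quit()
    wait_for_passive_scan()
    if active:
        after = zap_api("core", "view", "urls", baseurl=target)["urls"]
        for url in urls_touched(before, after):
            active_scan(url)
    return zap_api("core", "view", "alerts", baseurl=target, start=0, count=1000)["alerts"]


# Constructed sample in the shape of ZAP's core/view/alerts output (offline use only).
SAMPLE_ALERTS = [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://localhost:3000/login"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium",
     "confidence": "Low", "url": "http://localhost:3000/profile"},
    {"alert": "SQL Injection", "risk": "High",
     "confidence": "Medium", "url": "http://localhost:3000/search?q=x"},
]

if __name__ == "__main__":
    def login_test(driver):  # stand-in for a real Selenium test
        driver.get("http://localhost:3000/login")

    found = run_test_through_zap(login_test, active=True)
    print(summarize(found))
    raise SystemExit(1 if gate(found) else 0)
```

Scanning with `recurse="false"` per touched URL, rather than spidering the whole site, is what keeps the active phase scoped to the feature under test; the passive findings come for free from proxying and need no extra configuration beyond pointing the browser at ZAP.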
Finally, in the last part of the talk, we compare the results obtained with the traditional approach (spidering URLs with the tool) against those obtained by running web tests with Selenium through ZAProxy, in both passive and active mode. The goal is to consolidate the proposed concepts and demonstrate that this alternative approach to dynamic security testing is not only feasible but also more efficient and practical.