API Security Assurance via E2E Testing
E2E testing engineers are the `final frontier` before a change is deployed into production. They could function as security champions. By introducing API security assurance into E2E testing, while encouraging the engineers to come up with security edge cases, typically in the form of a threat modeling activity, an application can be continuously designed and tested to be secure, starting with its MVP release.

Can users expect a product to be continuously secure, end-to-end? Mature Continuous Integration (CI) practices require product engineering teams to add End-to-End testing into the development process, in order to increase the speed and frequency of deployments without compromising user experience. This capability is delivered by automation testing engineers who build high quality UI and API automation tests to ensure end-users have a consistent journey in the product, while allowing the engineering team to validate that the UI and API are robust and flexible enough to withstand edge cases. Edge cases are an attacker’s playground.

I will demonstrate various E2E tests to validate that an API is resistant to the OWASP Top 10 API risks, starting from a fairly straightforward security test: can the API be invoked without proper authentication of the user?

Additional cases for security automation:
– Validate proper JWT verification (role forging) and signature validation
– Security headers validation
– Access API/data for another user
– Invoke restricted operations
– Confirm server responses do not include confidential fields, i.e. “Password”
– Bypass application business-logic rules

Key topics:
– Security controls, such as authentication and access control, can be tested automatically during E2E testing
– Automation engineers are required to play the role of the devil’s advocate during a sprint planning meeting and help design and define the security controls, which would then be validated at the end of feature development.
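As an added illustration (not code from the talk or from any AB InBev project), the following Python snippet turns the listed cases into an automated E2E security suite. It assumes a small in-process stand-in for the API under test with an HS256-style token issuer, a constructed user store and a constructed signing key; against a real deployment the `api()` function would be replaced by an HTTP client call.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: signing key of the in-process stand-in, not a real app's

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_token(claims: dict) -> str:
    """Issue an HS256-style token header.payload.signature (stands in for the real issuer)."""
    head, body = b64(b'{"alg":"HS256"}'), b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64(sig)}"

# Constructed user store; "password" is the confidential field that must never reach a client.
USERS = {1: {"name": "alice", "role": "user", "password": "h1"},
         2: {"name": "bob", "role": "user", "password": "h2"}}

def api(method: str, path: str, token: str = ""):
    """Stand-in for the API under test: returns (status, headers, body) as an HTTP client would see them."""
    hdrs = {"X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000"}
    if not token:
        return 401, hdrs, {}                      # authentication required
    head, body, sig = token.split(".")
    expect = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64(expect), sig):
        return 401, hdrs, {}                      # signature does not cover this payload
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    uid = int(path.rsplit("/", 1)[-1])
    if claims["sub"] != uid and claims["role"] != "admin":
        return 403, hdrs, {}                      # object-level authorization: not your record
    if method == "DELETE" and claims["role"] != "admin":
        return 403, hdrs, {}                      # function-level authorization: restricted operation
    user = USERS[uid]
    return 200, hdrs, {"id": uid, "name": user["name"], "role": user["role"]}

def security_suite() -> dict:
    """The E2E security cases from the abstract; each value is True when the control holds."""
    alice = sign_token({"sub": 1, "role": "user"})
    head, _, sig = alice.split(".")
    # Role-forging case: payload rewritten to admin while the original signature is kept.
    forged = f"{head}.{b64(json.dumps({'sub': 1, 'role': 'admin'}).encode())}.{sig}"
    required = {"X-Content-Type-Options", "Strict-Transport-Security"}
    return {
        "unauthenticated_rejected": api("GET", "/users/1")[0] == 401,
        "forged_role_rejected": api("DELETE", "/users/2", forged)[0] == 401,
        "other_users_data_denied": api("GET", "/users/2", alice)[0] == 403,
        "restricted_operation_denied": api("DELETE", "/users/1", alice)[0] == 403,
        "no_confidential_fields": "password" not in api("GET", "/users/1", alice)[2],
        "security_headers_present": required <= set(api("GET", "/users/1")[1]),
    }
```

Each key in the returned dict maps to one of the cases above, so a failing control shows up by name in the CI report rather than as a single red build.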
About the Speaker
Alex Mor is a seasoned cybersecurity professional with over 15 years of hands-on experience in the field. He is passionate about security and likes to assume both the builder and breaker roles, depending on the hour. As the head of AB InBev’s enterprise application security program, he leads both the application security and offensive security teams, offering expert technical guidance to product teams in ensuring the security of their platform and development process. With a wealth of experience in designing, implementing, and managing vulnerability assessment and penetration testing programs, Alex is also tasked with evaluating and selecting application security tools to minimize enterprise risk. This involves conducting gap analysis, defining requirements, conducting market research, prototyping, and optimizing workflow and processes.