Finally, a win-win-win for development, QA, and security! If your development team is looking for easier ways to incorporate security earlier in a way that’s simple, easy and that your team to understand, we may have a solution for you. Security defects are like any other defect. Finding them early saves money and time. There are tools that execute security tests for security professionals - like Rapid7's (formerly NT OBJECTives) AppSpider. AppSpider can use the application knowledge defined Selenium scripts to execute a better, more comprehensive security test on an application.
The problem has always been that developers and testers know the application and security teams know security. It's been hard for the two teams to collaborate to build security earlier into the development lifecycle. This solution combines the development team’s knowledge about the application is captured in the Selenium scripts with the Security teams’ expertise built into their security tests.
It has long been known that fixing defects earlier in the software development lifecycle is less expensive and easier than fixing them later. The same is true for security defects - it is easier and less expensive to fix them when they are found earlier, before they are replicated across the application. To that end, integrating security testing earlier into the lifecycle, makes perfect sense.
So, why wait for the security team to find defects toward the end of development when you can build it into your process - especially your CI process - so it's automatic and early! It will make your life easier. Security defects will be reported alongside all of your other Selenium/SauceLabs defects. With this integration, you can incorporate a security test with very very little additional work.
Now development and security can form an effective partnership with development creating test scripts to make sure the application works and security teams adding in the security auditing. Encourage your security team to leverage combine your team’s Selenium scripts with their security tests!!
How Rapid7’s AppSpider Works with Sauce
Development & QA teams typically record a series of Selenium scripts to test specific application functionality (e.g., create an account, select a product, purchase your items). The aggregation of these scripts guarantees that the application is tested in its entirety. Our partnership allows security and QA groups to leverage these scripts to test the applications for security vulnerabilities.
AppSpider integrates with both the cloud version of Selenium that Sauce Labs offers as well as local installations of Selenium. [More on how AppSpider works with Selenium in another blog].
All an enterprise has to do is configure the addition of the Selenium script into AppSpider, Radid7’s automated vulnerability assessment tool, and start a scan.
Rapid7 offers an array of scalable web application security services and solutions designed to meet the unique needs of our clients. These days, finding an accurate, comprehensive web application security scanner is difficult, as many scanning solutions are only capable of scanning HTML – leaving you with less coverage and less accurate results.
However, Rapid7’s fully-automated AppSpider dynamic application security scanner does what many scanning solutions do not – we interpret and attack today’s modern applications build with rich clients, mobile clients and web services. (Using technologies like REST, AJAX, JSON and GWT) providing full coverage of your mobile and web applications, because we understand that coverage is the first step of accuracy. We also offer the same extensive scanning solution, AppSpider On-Demand, in one convenient, easy-to-use SaaS/cloud offering – that can be leveraged without purchasing or installing scanning software.
What does this mean?
The AppSpider and Selenium integration enables you to automatically detect security defects earlier in the software development lifecycle, such as during the nightly build process.
The benefits of leveraging the combined solution are:
Find security defects early - build security testing processes early into the lifecycle to find security defects early and save money.
Streamline defect reporting - report security defects like any other defects reported in Selenium.
Integrate with CI - many development teams are using Continuous Integration solutions (such as Hudson or Jenkins or home grown solutions) to streamline testing and speed time to market. Developers, testing teams and security teams are looking for ways to plug their work into the CI to ensure that all relevant testing processes are automated during the tests. With Sauce Labs’ and Rapid7’s, developers, testers and security experts can automatically integrate re-usable, pre-defined tests into nightly builds.
Speed up development - by adding AppSpider security testing into your SauceLabs Selenium testing, you can speed development by avoiding late stage discoveries of security defects.
Make security testing easy - this combined solution is designed to enable you to execute repeatable, comprehensive tests automatically. It's designed to make life easier for development teams.
Streamline reporting - security and functional testing use the same Selenium scripts so that all defects are reported in the same way.
Mobile testing supported - both Rapid7 and Sauce Labs are committed to supported the technologies used in today’s applications. That includes mobile applications. Both Rapid7 and Sauce Labs have support for testing your mobile applications.
Combine Sauce Labs and AppSpider - so simple, yet it makes so much sense!
More about Sauce Labs