Global AppSec Dublin 2023

Motivated by our promising research results (see anonymized attached document), also presented at OWASP AppSec last year, and by their successful initial evaluation in industrial settings, we have just started a new OWASP project to make our Testability Patterns for Web Applications consumable to and improvable by the entire community. In this presentation, we will present the goals of our OWASP project and the importance of the testability dimension for the security and privacy of Web Applications. We will showcase our approach in the context of Static Application Security Testing (SAST). First, we will present with concrete examples what testability patterns for SAST are and how they impede the ability of state-of-the-art SAST tools to analyze web application code. Second, we will present our open source framework to operate these patterns. The framework allows for evaluating SAST tools against the testability patterns so to know which patterns are problematic for which tool. The framework also allows the discovery of patterns within web applications source code so to make developers aware of which code areas will be problematic for SAST. Third, we will introduce the three main targeted audience groups: web developers, SAST tool developers, and security central teams. For each one of these groups, we will clarify which added-values these SAST patterns provide and how that group can join our project community and contribute to create and mature testability patterns. Last, but not least, we will expose the plan for our OWASP project.

Dates

Author

Conferences

Tags

Testability Patterns for Web Applications - a new OWASP project

tldr - powered by Generative AI