ReTestBash 2023 Challenges on Security and Performance

🧑‍🏫 Content Discussions
, , ,
1

As we countdown to ReTestBash UK 2023 on 2nd Nov, our commitment to enriching our understanding of the topics at TestBash UK 2023 grows. This week, we’re delving into the worlds of security and performance, guided by the invaluable insights shared by @oxygenaddict and @marie.drake during TestBash UK.

Join us as we embark on a learning journey, embracing challenges that will expand our horizons in security and performance testing. Together, we will uncover practical strategies and psychological underpinnings that drive user behaviour and preferences online.

:closed_lock_with_key: :globe_with_meridians: Five Security and Performance Challenges for the Week:

  1. Rewatch and Reflect:

  • Exploratory Security Testing: Rewatch Richard Adams’ “Exploring Security in Day-to-day Testing”. Engage in a team discussion on how basic techniques and free tools can be integrated into your daily testing routines.

  • The Human Side of Web Performance: Rewatch Marie Cruz’s “The Psychology of Web Performance”. Reflect on the human factors that influence perceptions of website performance and how these can guide your testing processes.

  1. Poll:
    Post-talks from Richard Adams and Marie Cruz, we are curious about your take on their insights!

:bar_chart: Which strategies resonate with you and you’re excited to integrate into your testing routine?

  • Proactive Security Testing: Identifying “low hanging fruit” security bugs using exploratory approaches.
  • Understanding Attack Vectors: Learning about XSS, SQL injection, and elevation of privilege attacks.
  • Performance Psychology: Recognizing the human aspects affecting the perception of web performance.
  • Enhancing UX through Speed: Implementing strategies to optimize both actual and perceived website performance.
0 voters
  1. Reflections on Security and Performance in Your Workplace:
  • How do Richard Adams’s insights change your view on integrating security testing in your regular workflows?
  • How might Marie Cruz’s exploration of waiting psychology influence your approach to performance testing?
  1. Team Activities:
  • Security Bug Hunt: Inspired by Richard Adams’s talk, simulate common attack scenarios like XSS or SQL injection on your applications, noting discoveries and potential improvements.
  • Psychology-Based Performance Testing: Drawing from Marie Cruz’s insights, create testing scenarios reflecting real user impatience and expectations. Discuss how user psychology can shape your performance testing strategies.
  1. Deep Dive Challenge:

Security Deep Dive Challenge: Navigating Real-World Web Vulnerabilities

Inspired by Richard Adams’ “Red Pen Testing” activity from Testbash UK, we’re delving deeper into hands-on security testing, but this time on a real application designed to safely practice and identify vulnerabilities.

Objective: Engage with the WebGoat platform, spot vulnerabilities, and draft a strategy to communicate your findings effectively.

Instructions:

Set Up WebGoat (10 minutes):

  • Navigate to the WebGoat GitHub repository and follow the instructions to set it up on your local machine. Read and acknowledge the warnings before you get started.
  • Once set up, familiarise yourself with the platform.

Dive into Vulnerabilities (30 minutes):

  • Choose a specific module or challenge within WebGoat that intrigues you.
  • Use the tools at your disposal, whether it’s your browser’s developer tools or any security testing tools you prefer, to identify vulnerabilities. Use the items in the Resources section below if you’re unsure which tool to use.
  • Document your findings

Compile and Communicate Your Findings (10 minutes):

Frame a brief report on the vulnerabilities you identified. Your report should detail the risks, potential implications, and possible remedies.

Engage with the Community (10 minutes):

  • Post your report, the vulnerabilities you delved into, and your methodology in reply to this post.
  • Engage with at least one other post, offering insights, feedback, or further queries.

Wrap-up:

Engaging with real-world applications like WebGoat bridges the gap between theoretical knowledge and practical understanding. Ethical considerations are paramount, especially when working on real platforms.

Key Takeaways:

  • Real-world platforms offer invaluable learning experiences.
  • The balance between discovering vulnerabilities and ethical considerations is delicate and crucial.
  • Efficient communication of security concerns can drive actionable change.
  • Continuous learning is pivotal in the dynamic domain of security.

Resources:

Rich’s Security Cheat Sheet

PortSwigger’s Web Security Academy

Chrome DevTools

Firefox DevTools User Docs

Ministry of Testing Tools Directory (keyword search for “security”)

Why Participate?

  • Elevate Your Skillset: Engaging in these challenges will refine your testing skills, enhancing your ability to consider psychological aspects of user experience and to identify often-overlooked security vulnerabilities.
  • Prepare for Informed Interactions: Participation will prime you for deeper engagement during the Ask Me Anything sessions at ReTestBash 2023
  • Contribute to Collective Growth: Your shared experiences will influence industry practices, contributing to a broader understanding of effective testing strategies that consider both security and human factors.
  • Enhance Your Professional Journey: The practical skills gained from these challenges will distinguish you as a tester, capable of incorporating nuanced user behaviour insights and security considerations in your testing methodologies.

**Join us on the 2nd of November for ReTestBash UK!

1 Like