Shift-Left-Security with the Security Test Pyramid


The test pyramid by Mike Cohn should be familiar to most developers and is often used in projects practicing test-driven development.
But does your test pyramid also include verification of application security?

In the context of agile development and continuous delivery, it is essential to continuously assess application security. The current pattern of conducting penetration tests just a few days before going live no longer scales. Instead, concrete security requirements must be specified in each sprint and those requirements have to be verified by corresponding (preferably automated) tests. This is the only way to achieve an effective shift-left for security.

In this talk, we will look at the well-known test pyramid from a security perspective and see how to add effective security tests at each level of the pyramid. This way, a large part of the OWASP Top 10 security categories can actually be covered by automated testing. This will be practically illustrated using live demos based on a Spring Boot Java application with automated tests for authentication, authorization, input validation, and SQL injection prevention, among others.
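As an added illustration (not the talk's own demo code), this is what security tests at the lower, fast-running levels of the pyramid can look like in a Spring Boot application: a web-layer slice test that checks authentication, authorization and input validation on every build. It assumes a hypothetical `OrderController`, a Spring Security configuration that requires authentication for `/api/**` and the `ADMIN` role for `/api/admin/**`, and bean validation (`@Valid`, `@Positive`) on the order payload.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

// Web-layer slice: loads only the MVC layer and the app's Spring Security
// configuration, so these tests run as fast as unit tests in CI.
@WebMvcTest(OrderController.class) // hypothetical controller under test
class OrderApiSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void anonymousRequestIsRejected() throws Exception {
        // Authentication: no principal, so the handler must never be reached.
        // Accept: application/json makes the default entry point answer 401
        // instead of redirecting to a login page as it would for a browser.
        mockMvc.perform(get("/api/orders").accept(MediaType.APPLICATION_JSON))
               .andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(roles = "USER")
    void regularUserCannotReachAdminEndpoint() throws Exception {
        // Authorization: authenticated but with the wrong role yields 403, not data.
        mockMvc.perform(get("/api/admin/users")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "USER")
    void invalidOrderPayloadIsRejected() throws Exception {
        // Input validation: a negative quantity must fail @Valid with 400;
        // csrf() adds the token that every state-changing request needs.
        // The JSON body is a constructed sample, not real application data.
        mockMvc.perform(post("/api/orders").with(csrf())
                   .contentType(MediaType.APPLICATION_JSON)
                   .content("{\"productId\":\"p-1\",\"quantity\":-5}"))
               .andExpect(status().isBadRequest());
    }
}
```

Each test encodes one sprint-level security requirement, so a regression in the access rules or validation fails the build long before any penetration test would find it.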

Scheduled on Tuesday from 15:50 to 16:40 in Exec Room


Andreas Falk

Novatec Consulting

Andreas Falk has been working on enterprise application development projects for more than twenty years.

Currently, he is working as a managing consultant for Novatec Consulting, located in Germany. In various projects, he has worked as an architect, developer, coach, and trainer. His focus is on the agile development of cloud-native enterprise Java applications using the complete Spring platform. As the lead of agile security at Novatec Consulting and a member of the Open Web Application Security Project (OWASP), he also likes to take a closer look at all aspects of application security.

Andreas is also a frequent speaker at conferences like Devoxx, Spring I/O, CloudFoundry Summit, and OWASP.