If you didn’t have the chance to be at the AppSecEU 2017 conference in Belfast or you didn’t make it to my talk there, here’s the official recording:
OWASP Juice Shop is a “shooting star” among broken web applications. To make sure it does not end as a “one-hit wonder”, the project embraces principles and techniques that enhance its sustainability, e.g. Clean Code, TDD, CI/CD, Quality Metrics and Mutation Testing.
In this session you will see how
– a complete and reliable test suite eliminates the “fear of change”
– automation is a key to increased productivity – even for small open source projects
– free-for-open-source SaaS tools can improve your development process
Where there is light, there is shadow! You will also learn
– about some limitations in the automation processes
– why some 3rd party services had to be dropped
If the Internet gods are with us, we will even perform a production release of OWASP Juice Shop during the session!
You can find the original HTML5 slide deck at http://bkimminich.github.io/juice-shop/appseceu_2017.html. The slightly less fancy PDF-version is available on SlideShare:
This talk illustrates how a suite of well-written tests can benefit any Open Source project on multiple levels*:
- improve maintainability of the code-base
- help increase the truck factor** of the project
- “after-the-fact” tests help understand existing code and serve as documentation
- Behavior Driven Development (BDD) concepts can help create specification-like tests
The idea of adding BDD-style unit tests was introduced into the actively developed OWASP ZAP project at the end of 2012. It will be explained
- how the ZAP team approached this task initially
- what the improvements for the project were so far
- where we are going with automated testing in the future
Disclaimer: Some source code will definitely be shown during this talk, but you won’t need to be a Java expert to follow the story! Having some general programming experience is totally sufficient!
*= surprisingly also works for proprietary software projects!
**= number of contributors that could be (fatally) run over by a truck without effectively killing the project