OWASP Juice Shop 5.x and beyond

For those who did not participate in the German OWASP Day 2017 but still want to have a brief and emojiful overview of what happened in the OWASP Juice Shop project over the course of 2017, here are the slides for you!

This year OWASP Juice Shop saw several significant enhancements and extensions that you will learn all about in this talk: 2x NoSQL injection and 2x typosquatting challenges! Customization and re-branding of the shop to your own corporate look & feel! Juice Shop CTF extension makes setting up hacking events fast & easy! Free “Pwning the OWASP Juice Shop” eBook surpasses 150 pages of in-depth information, hints and solutions for all challenges and more! At AppSecEU the project was promoted into OWASP’s “Lab Projects” maturity stage! You can now 3D-print your own Juice Shop merchandise! And much, much more – actually more than can be demonstrated in this 15min session, so best install the Juice Shop yourself afterwards and explore its capabilities yourself!

Advertisements

OWASP Juice Shop – Achieving sustainability for open source projects

If you didn’t have the chance to be at the AppSecEU 2017 conference in Belfast or you didn’t make it to my talk there, here’s the official recording:

OWASP Juice Shop is a “shooting star” among broken web applications. To make sure it does not end as a “one-hit wonder”, the project embraces principles and techniques that enhance its sustainability, e.g. Clean Code, TDD, CI/CD, Quality Metrics and Mutation Testing.

In this session you will see how
– even a horrible language such as Javascript can be written in a maintainable manner
– a complete and reliable test suite eliminates the “fear of change”
– automation is a key to increased productivity – even for small open source projects
– free-for-open-source SaaS tools can improve your development process

Where is light, there is shadow! You will also learn
– about some limitations in the automation processes
– the pain keeping Javascript dependencies up to date
– why some 3rd party services had to be dropped

If the Internet gods are with us, we will even perform a production release of OWASP Juice Shop during the session!

You can find the original HTML5 slide deck at http://bkimminich.github.io/juice-shop/appseceu_2017.html. The slightly less fancy PDF-version is available on SlideShare:

Quo pertentas, OSS? – How Open Source can benefit from well-crafted Tests

 This talk illustrates how a suite of well-written tests can benefit any Open Source project on multiple levels*: 

  • improve maintainability of the code-base
  • help increase the truck factor** of the project
  • “after-the-fact” tests help understand existing code and serve as documentation
  • Behavior Driven Development (BDD) concepts can help create specification-like tests

The idea of adding BDD-style unit tests was introduced into the actively developed OWASP ZAP project end of 2012. It will be explained 

  • how the ZAP team approached this task initially
  • what the improvements for the project were so far
  • where we are going with automated testing in the future

Disclaimer: Some source code will definetely be shown during this talk, but you won’t need to be a Java expert to follow the story! Having some general programming experience is totally sufficient! 

*= surprisingly also works for proprietary software projects! 
**= number of contributors that could be (fatally) run over by a truck without effectively killing the project