Hacking the Juice Shop: Security Testing for Beginners

Lena Wiberg

Half-day workshop - in English

Security testing seems to be viewed as an extremely complicated area where only experts can contribute. In this workshop, we’ll demonstrate that in truth, there’s plenty you can do without being an expert in security testing.

We have worked in a number of teams where security testing was seen as something you buy as a service from an external vendor; you then try to make sense of the report and hopefully figure out what to change. After reading a number of those reports, we realized that not only did the same issues keep coming back; they were also things we should be able to check for ourselves on a regular basis instead of paying top dollar for someone else to do it once a year. By introducing just a few new checks into the regular testing of most web applications, we can gain confidence in ourselves and in the security of our systems. Bringing in a security expert is of course still valuable, but now we can let them focus on the trickier stuff.

The OWASP Juice Shop is an intentionally insecure web application, built as an exercise and training environment for quality engineers and developers of all skill levels. In this workshop, we will use it as our lab environment as we go over the current OWASP Top 10 list of web application risks. We’ll guide you through some handy tricks and tools for solving some of the Juice Shop challenges and reflect on how these can be used in your everyday situations. The focus will be on “low-hanging fruit”, i.e. things that can be done quickly and are easily applied regardless of the situation. Hopefully this will leave you with a lot of new ideas, a hunger for learning more and an itch to solve all the challenges of the Juice Shop!

The format will be a Capture the Flag event where you will be trying out some of the practices, getting you started on a continuous learning journey that hopefully can keep going for years.

Takeaways

  • Things you can introduce into your regular testing process today
  • Introduction to security testing for the web
  • You don’t have to be an expert to start!
  • Ideas on how to delve deeper once you get comfortable with the basics

Primarily for: Developers, Testers/test leads, Scrum masters, Agile coaches

Participant requirements: Laptop with a number of tools installed. I have a list of preparations for them that I can send.