JS Security Testing in GitHub Actions


Software development has changed: frequent deployments, APIs, GraphQL, cloud architecture and CI/CD automation are the norm. So why is security testing still done the way it was a decade ago?

Leading teams are realizing that periodic penetration tests and security audits are not enough when code is shipped daily. Instead, these teams use developer-centric tools to run automated security testing in the CI/CD pipeline. Join Zachary Conger as he walks through how to automate JavaScript application security testing using GitHub Actions.

FAQ

Software Composition Analysis (SCA) is a security testing method that analyzes a project's open-source dependencies for known security vulnerabilities. It examines files like package.json and package-lock.json to identify and report any vulnerabilities in the libraries used by the software.

Common tools for Software Composition Analysis include Dependabot, Snyk, and FOSSA. Dependabot and Snyk integrate with GitHub and help automate the detection and resolution of security vulnerabilities in dependencies.

Static Application Security Testing (SAST) is a type of security testing that involves examining the source code of an application to detect potential security vulnerabilities. It does not require the application to be running, making it possible to identify issues early in the development process.

Dynamic Application Security Testing (DAST) differs from SAST by testing an application while it is running, rather than analyzing static code. DAST involves sending requests to an application and analyzing the responses to identify security vulnerabilities that are exposed through its functionality.

Popular DAST tools include OWASP ZAP, StackHawk, and Burp Suite. These tools interact with applications through their web interfaces to identify security vulnerabilities and are particularly useful for testing web applications and APIs.

GitHub Actions is used to automate security testing workflows directly within GitHub repositories. It allows for the integration of security testing tools like CodeQL, Dependabot, and SAST/DAST scanners into the CI/CD pipeline, enabling continuous security analysis and vulnerability detection.

Integrating security testing tools with GitHub provides several advantages, including the automation of security checks, immediate feedback on security vulnerabilities within pull requests, and the ability to track and manage security issues alongside code changes. This integration helps maintain the security of the codebase throughout the development lifecycle.
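The FAQ answers above describe three kinds of automated testing (SCA on dependencies, SAST on source, DAST against the running app) and say GitHub Actions can run them in the pipeline. The workflow below is an added example written for this page, not code from the talk or from any of the projects named. It assumes a Node.js project with a `package-lock.json` whose `npm start` serves HTTP on port 3000, and it assumes the action version tags shown are current for your repository; the `security-events: write` permission is what lets the CodeQL step upload findings to the repository's code-scanning view.

```yaml
# .github/workflows/security.yml (example workflow; adjust ports, Node version and action tags to your project)
name: js-security-testing

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: read the code, write only code-scanning results.
permissions:
  contents: read
  security-events: write

jobs:
  # SCA: check package.json / package-lock.json against known advisories.
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      # Fail the job on high or critical advisories in the dependency tree.
      - run: npm audit --audit-level=high

  # SAST: CodeQL analyses the source without running the application.
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3

  # DAST: start the app, then let OWASP ZAP's baseline scan probe it over HTTP.
  dast:
    runs-on: ubuntu-latest
    needs: [sca, sast]   # only spend runner time on DAST once static checks pass
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      # Assumption: `npm start` listens on localhost:3000; wait until it answers.
      - run: |
          npm start &
          for i in $(seq 1 30); do
            curl -fsS http://localhost:3000/ >/dev/null && break
            sleep 1
          done
      - uses: zaproxy/action-baseline@v0.12.0
        with:
          target: http://localhost:3000
          fail_action: true   # turn ZAP warnings into a failed check on the PR
```

Running the three jobs on every pull request is what gives the "immediate feedback within pull requests" the FAQ mentions: the SCA job fails the check on a vulnerable dependency, CodeQL annotates the diff with source-level findings, and the ZAP baseline scan flags issues that are only visible once the server is actually serving requests.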

Zachary Conger
12 Oct, 2021