The workshops from the list below are the complimentary part of full tickets.
The recordings of most workshops will be shared with full ticket holders after the conference.
Workshops will be run remotely via Zoom.
Automated Security Testing of GraphQL APIs with Express
We’ve all heard the buzz around pushing application security into the hands of developers, but if you’re like most companies, it has been hard to actually make this a reality. You aren’t alone - putting the culture, processes, and tooling in place to make this happen is tough - especially for sophisticated applications. Join StackHawk CSO Scott Gerlach as he shares how you can add application security testing to your CI/CD pipeline for a GraphQL API with Express.
January 25, 17:00-18:00 CET. Remote.
Testing React Server Calls: Loading and Errors
When you make a server call from your React application, you want to let the user know what's going on. Is the application waiting for the server? Did the server return an error? In this workshop, we will discuss how to mock the server response and test the sequence of expected phases for the app depending on the server response.
- - Brief introduction to TDD
- - Plan the (single-component) app to test
- - Brief introduction to Testing Library and its philosophy
- - Mock server response with Mock Service Worker
- - Write tests using Testing Library
- - Write the application to make the tests pass
- - Discuss code in more realistic app (implementation involves Redux Saga)
- Familiarity with React and the useState hook;
- Download and run npm install on the workshop repository (link to be posted the week before the workshop).
This workshop is best for Front End Developers.
Intermediate.
January 25, 18:00-20:00 CET. Remote.
Testing Web Applications Using Cypress
This workshop will teach you the basics of writing useful end-to-end tests using Cypress Test Runner.
We will cover writing tests, covering every application feature, structuring tests, intercepting network requests, and setting up the backend data.
Anyone who knows JavaScript programming language and has NPM installed would be able to follow along.
Most of all the workshop fits developers who need to write end-to-end tests for their websites and web applications.
January 26, 16:00-19:00 CET. Remote.
Introduction to JS Functional Testing at Scale
There are thousands of ways if not more to set up your automated testing environment. When it comes to stability and maintainability it is crucial to choose the right frameworks at the beginning of the journey. The ecosystem provides a variety of different tools that all rely on certain protocols and come with different levels of support for different use cases.
While there are the traditional WebDriver based JavaScript frameworks like Selenium or WebdriverIO, many new projects have popped up in recent years that provide even more capabilities, particularly for front-end developers.
In this workshop we will take a look at the JavaScript framework landscape for automated functional testing, such as Puppeteer, Playright, Cypress, and others. We will explore what their differences are and how to choose the right tool for your project. Then, we will look at various scenarios, from basic functional test concepts to complex visual and frontend performance tests and complete the session with scaling up our solution using a cloud vendor like Sauce Labs.
Key Takeaways
- Understand the principles of browser automation
- Learn to pick the right JavaScript framework for your project
- Master various of common automation scenarios including network stubbing, visual and automated performance testing using traditional frameworks such as WebdriverIO or newer tools like Puppeteer, Playwright or Cypress
- Knowledge of JavaScript
- Node 14 LTS installed
- Your preferred IDE installed
January 27, 16:00-19:00 CET.
Unleash the Power of Node.js Component (Integration) Tests
This workshop deals with component/integration tests which are the most powerful technique for testing modern backends. This type of tests focuses on realistic scenarios, user-oriented flows, production-like conditions. To achieve this high reliability it includes databases, message queues, the web framework, API, and all the other moving pieces that exist in our… production. This workshop takes it beyond the basics and covers also advanced topics like testing with message queues, optimizing a DB for testing, simulating failure by 3rd parties services, and more. By the end of the workshop, after practicing how to simplify the setup and increase the bugs coverage with more testing techniques - Your tests value will greatly increase. Warning: This might make you really looove tests.
- - Lecture: New challenges demand a new toolbox - Testing plain functions or API is common knowledge, but how should a test approach challenges like seeding a database, tearing it down, checking the communication between Microservices, authorization, testing error handling, and other beyond the basics things that happen in production? Meet component tests, a hybrid between unit and integration tests, that becomes slowly a standard weapon for testing modern backends.
- - Class exercise: Coding our first component tests - Let's craft some real-world tests against our real-world backend which involves real-world DB and real-world 3rd party services. Yay, it’s all real-world.
- - Lecture: More power for me - Let's take your skills above the average and discuss strategic topics like error handling tests, testing secured routes, testing our OpenAPI docs (i.e. Swagger), messages queues, and more.
- - Class exercise: Pro component tests - Ready to code advanced tests that provide even more confidence? In this exercise, you will practice advanced test scenarios.
Experience in writing Node.js backend; familiarity with writing automated testing (e.g. unit or integration).
Intermediate to advanced.
February 1, 16:00-19:30 CET. Remote. The workshop will be recorded partially (lecture part only).
Hacking Modern Web apps with RCE and Prototype Pollution
If you are the kind of person who enjoys webinars with practical information that you can immediately apply when you go back to work, this webinar is for you, all action, no fluff :)
"Hacking Modern Web apps: Master the Future of Attack Vectors" is a web security course that provides you with case studies from real-world vulnerable applications as well as know-how and techniques to take your websec kung-fu to the next level. In this brief 60-minute webinar we will explain what the course covers and give you a few lab samples covering the following topics:
- RCE options against Node.js applications
- Introduction to Prototype Pollution
- Prototype Pollution attacks in practice
This content should be interesting for any JavaScript developer or tester interested in security in Web and Desktop applications. Node.js developers might find this most interesting.
From new to advanced, content should keep all skill levels happy.
February 2, 17:00-18:00 CET. Remote. The workshop won't be recorded.
Hacking Modern Desktop apps with XSS and RCE
If you are the kind of person who enjoys webinars with practical information that you can immediately apply when you go back to work, this webinar is for you, all action, no fluff :)
"Hacking Modern Desktop apps: Master the Future of Attack Vectors" is a desktop app security course that provides you with case studies from real-world vulnerable applications as well as know-how and techniques to take your desktop app security auditing kung-fu to the next level. The course covers attacks and mitigation against desktop apps on Linux, Windows and Mac OS X. The focus focuses on Electron but the techniques covered will be helpful against other desktop platforms, as well as CSP bypasses and other web security techniques. In this brief 60-minute webinar we will explain what the course covers and give you a few lab samples covering the following topics:
- Essential techniques to audit Electron applications
- What XSS means in a desktop application
- How to turn XSS into RCE in Modern apps
- Attacking preload scripts
- RCE via IPC
This content should be interesting for any JavaScript developer or tester interested in security in Web and Desktop applications. Electron developers might find this most interesting.
From new to advanced, content should keep all skill levels happy.
February 2, 18:15-19:15 CET. Remote. The workshop won't be recorded.
Uniform Browser Automation Infrastructure: Selenium, Pupppeteer and Playwright Tests on Laptop and in Remote Cluster
There are a lot of different types of tests and all of them are important. However, the only way to check that your product is working correctly is running it in the same environment as its user does. For web applications such environment is a browser. This is why reliable browser automation infrastructure nowadays is very important.
In this workshop, I will show you how to quickly deploy and use browser automation infrastructure with Moon solution. We will start by deploying everything on your workstation and will soon be able to run Selenium, Playwright and Puppeteer tests in parallel in the same cluster. Then I will demonstrate how to easily deliver the same experience for your team using a remote cluster in the cloud platform.
Intermediate.
February 3, 17:00-19:00 CET. Remote.
Security Testing Automation for Developers to Get Compliance on Every Build
As a developer, you need to deliver fast, and you simply don't have the time to constantly think about security. Still, if something goes wrong it's your job to fix it, but security testing just delays releases...
NeuraLegion's developer focussed AppSec testing technology enables developers to detect, prioritise and remediate security issues EARLY, as part of your agile development and unit testing processes, without slowing down DevOps.
Join this workshop to learn different ways developers can access NexDAST & start scanning without leaving the terminal!
- - What DAST (Dynamic Application Security Testing) actually means and how it works
- - What is CI/CD and how GitHub Actions work
- - How to call the NexDAST scanner from GitHub Actions and run it efficiently
- - What the results mean from this scanner
February 4, 16:00-17:30 CET. Remote.
Trainers
Scott Gerlach is Co-founder and Chief Security Officer at StackHawk, a Denver-based startup focused on empowering engineers to easily identify and remediate security bugs. Scott brings over two decades of security and engineering experience to his current role, having served as CSO, CISO, and in other executive leadership functions at companies like SendGrid, Twilio, and GoDaddy. When he's not at work, you'll find Scott spending time with family, brewing beer, and playing guitar.
In her 18 years in the software industry, Bonnie has discovered that she loves all things testing (how great is it when testing reveals exactly what you need to fix about your refactor or new feature?). She's particularly devoted to Test Driven Development for its emphasis on planning before coding. Bonnie is equally passionate about teaching, and she's pleased as punch to be producing online content full time. She feels weird writing about herself in the third person.
Cypress.io VP of engineering.
Gleb Bahmutov is JavaScript ninja, image processing expert and software quality fanatic. During the day Gleb is making the web a better place as VP of Engineering at Cypress.io. At night he is fighting software bugs and blogs about it at glebbahmutov.com/blog.
Core maintainer WebDriver.io.
Christian Bromann is a member of the Open Source Program Office at Sauce Labs and is working on various open source projects related to test automation and Node.js. He represents the company as Advisory Committee representative at the W3C and the WebdriverIO project as core contributor in the OpenJS Foundation Cross-Project Council. In the past he has been leading various product initiatives at Sauce Labs including extended debugging capabilities for automated tests as well as frontend performance testing using WebDriver.
Nikolay Advolodkin is a Senior Solutions Architect at Sauce Labs. He has an extensive background in software testing, quality assurance, and test automation as the CEO and Test Automation Instructor at UltimateQA.com, a training site full of videos and resources covering the gamut of testing topics and technologies. Nikolay has taught more than 50,000 students in over 120 countries about test automation. He is a frequent contributor to open source and was selected as one of the top automation engineers in the world three years in a row by TechBeacon.com.
Yoni Goldberg is an independent consultant who works with 500 fortune corporates and garage startups on polishing their JS & Node.js applications. He's the author of Node's largest best practices collection (link below). More than any other topic he is fascinated by and aims to master the art of testing. At his spare time, he likes to write in his blog and debug production application using console.log.
After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity, a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. Former senior penetration tester / team lead at Cure53 and Version 1.
Creator of “Practical Web Defense” - a hands-on eLearnSecurity attack / defense course, OWASP OWTF project leader, an OWASP flagship project, Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.
Co-Founder and CTO of NeuraLegion.
A cyber security veteran with more than a decade of experience acting as a Security Officer, Researcher, Hacker, Developer and Software architect, Bar is instrumental in developing NeuraLegion's proprietary AIAST Technology, a New Generation of AppSec Testing Automation built for developers and DevOps.