In this chapter, we have demonstrated three technical approaches to automated security testing against NodeGoat. The first approach is to use the ZAP-CLI to do a quick scan of the target website. This kind of testing can be used as a smoke test for every release; it helps us to identify potentially serious security issues early. We also applied Selenium and JMeter to guide ZAP through authenticated pages and other web UI flows. Selenium launches the browser to simulate a user's web operations. JMeter sends the HTTP requests and asserts on the HTTP responses for the API-level user sign-in flow.
For the Selenium approach, it is suggested to use the Selenium IDE to record the sign-in operations and export them as a Python unit test script. Once the script is generated, we execute the Selenium script through the OWASP ZAP proxy so that ZAP observes the authenticated flow and can identify the security issues.
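The following is an added example, not code from the book or the NodeGoat project, showing how the Selenium-through-ZAP step can be wired into a release smoke test: the exported sign-in script is replayed with ZAP as the browser proxy, an active scan is triggered over the ZAP JSON API, and the build is gated on the alert summary. It assumes ZAP on 127.0.0.1:8080 with a placeholder API key, NodeGoat on localhost:4000, and form field names `userName`/`password`; the gating helpers run without a browser.

```python
"""Replay a Selenium sign-in through ZAP, then gate the release on ZAP alerts."""
import json
import time
import urllib.parse
import urllib.request

ZAP_PROXY = "http://127.0.0.1:8080"   # assumed ZAP listen address
ZAP_API_KEY = "changeme"              # placeholder; use your ZAP API key
TARGET = "http://localhost:4000"      # assumed local NodeGoat instance


def zap_api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/core/view/alerts/?baseurl=...&apikey=..."""
    params["apikey"] = ZAP_API_KEY
    return f"{ZAP_PROXY}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def zap_call(component, kind, name, **params):
    with urllib.request.urlopen(zap_api_url(component, kind, name, **params)) as resp:
        return json.load(resp)


def run_selenium_signin(username, password):
    """Replay the Selenium IDE export with ZAP as the browser proxy (live run only)."""
    from selenium import webdriver  # imported lazily: only needed for the browser run
    opts = webdriver.ChromeOptions()
    opts.add_argument(f"--proxy-server={ZAP_PROXY}")  # all traffic passes through ZAP
    driver = webdriver.Chrome(options=opts)
    try:
        driver.get(f"{TARGET}/login")
        driver.find_element("name", "userName").send_keys(username)   # assumed field names
        driver.find_element("name", "password").send_keys(password)
        driver.find_element("css selector", "button[type=submit]").click()
    finally:
        driver.quit()


def summarize_alerts(alerts):
    """Count alerts from core/view/alerts by their 'risk' field (High/Medium/Low/Informational)."""
    counts = {}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def smoke_test_passes(alerts, fail_on=("High",)):
    """Release gate: fail when any alert at a blocked risk level is present."""
    counts = summarize_alerts(alerts)
    return all(counts.get(level, 0) == 0 for level in fail_on)


if __name__ == "__main__":
    run_selenium_signin("USERNAME_PLACEHOLDER", "PASSWORD_PLACEHOLDER")
    zap_call("ascan", "action", "scan", url=TARGET, recurse="true")
    while int(zap_call("ascan", "view", "status")["status"]) < 100:
        time.sleep(5)  # poll until the active scan completes
    found = zap_call("core", "view", "alerts", baseurl=TARGET)["alerts"]
    print(summarize_alerts(found))
    raise SystemExit(0 if smoke_test_passes(found) else 1)
```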
For the adoption of JMeter...