Building a Secure Test Automation Experience


Juliette MacPhail
July 20, 2021

Last week mabl announced that we are making it easier for our customer community to see how we ensure that their test data is protected. A major part of this effort is the mabl desktop application. Launched in February this year, it brought major strides in capabilities within our test automation platform by adding API testing and mobile web testing, as well as improving testing speeds. In addition to these improvements, the mabl team focused on increasing user control over their data, making the automated testing process more secure. After all, testing is ideally integrated into the overall development process, and we need to ensure that quality teams have the support they need to meet the security requirements of their organizations.

The Secure Testing Experience

A core component of maintaining a secure test automation solution is the secure testing experience in the mabl app. As we built the app as a better, more powerful testing experience compared to the Chrome extension, security was a priority to ensure a positive experience.

The Rise of the Chrome Extension

The Chrome extension test recorder has been a staple of low-code testing. Nearly every vendor in the space has one, in addition to open-source alternatives like Selenium IDE.

The reason is simple: robust test capture requires deep access to the actions that users take in the browser. A test automation solution needs access to DOM elements and events, file download operations, cookies, tabs, navigation actions, and web requests. For playback, the testing tool also needs to be able to simulate and recreate these things, as well as execute arbitrary JavaScript provided by the customer. Chrome extensions by default run inside the browser and can request broad permission to read and modify data.

The Secure Test Automation Problem

Typically, extension developers can limit permissions in two ways: restricting the depth of access by limiting which permissions the extension asks for, or restricting the breadth of access by defining the sites the test automation solution can reach. A common example is a plugin designed exclusively to work with Google Calendar.

However, the core capabilities that support user-friendly, robust test creation and playback also make test recording extensions fundamentally high-risk. Due to the factors discussed above, test recorders require deep access to the browsing experience, with few ways to limit the data they collect. Since extension permissions are requested globally, recorders need broad access and typically request access to all websites. In other words, the default installation settings of a test recorder extension allow it to access almost everything users do in the browser.
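The two dimensions described above, breadth (which sites an extension can reach) and depth (which browser data it can read or modify), can be measured directly from an extension's manifest before it is allowed into a browser fleet. The following is an added example, not mabl's code: a small static audit in Node.js that reports both dimensions for two constructed manifests, one resembling a typical test recorder and one resembling the single-site Google Calendar plugin mentioned above. The permission names and match patterns are Chrome's own; the grouping of certain permissions as "deep access" is this example's judgement.

```javascript
// Added example, not mabl's code: a static audit of a Chrome extension
// manifest of the kind a reviewer runs before letting a test recorder
// extension into a browser fleet. It measures breadth (which sites the
// extension can reach) and depth (which browser data it can read or modify).
// Both manifests below are constructed for illustration.

// Match patterns that grant access to every site (Chrome's own syntax).
const ALL_SITES_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Real Chrome permission names; grouping them as "deep access" is this
// example's own judgement, based on the capabilities a recorder needs.
const DEEP_ACCESS_PERMISSIONS = new Set([
  "cookies", "webRequest", "webNavigation", "tabs", "downloads", "scripting", "debugger",
]);

// Gather every host pattern, wherever the manifest version puts it:
// MV2 mixes them into "permissions", MV3 uses "host_permissions", and
// content scripts carry their own "matches".
function collectHostPatterns(manifest) {
  const patterns = [];
  for (const key of ["permissions", "host_permissions", "optional_host_permissions"]) {
    for (const p of manifest[key] || []) {
      if (p === "<all_urls>" || p.includes("://")) patterns.push(p);
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) patterns.push(m);
  }
  return patterns;
}

function auditManifest(manifest) {
  const hostPatterns = collectHostPatterns(manifest);
  const allSites = [...new Set(hostPatterns.filter((p) => ALL_SITES_PATTERNS.has(p)))];
  const deep = (manifest.permissions || []).filter((p) => DEEP_ACCESS_PERMISSIONS.has(p));
  const findings = [];
  if (allSites.length > 0) {
    findings.push({ severity: "high", reason: `reaches all sites via ${allSites.join(", ")}` });
  }
  if (deep.length > 0) {
    // Deep access is worse when it applies everywhere than when fenced to a few sites.
    findings.push({
      severity: allSites.length > 0 ? "high" : "medium",
      reason: `deep-access permissions: ${deep.join(", ")}`,
    });
  }
  return {
    name: manifest.name,
    breadth: allSites.length > 0 ? "all sites" : `${hostPatterns.length} site pattern(s)`,
    depth: deep.length,
    findings,
  };
}

// Constructed MV3 manifest resembling a typical test recorder: it needs the
// capabilities a recorder requires, and asks for them on every site.
const RECORDER_MANIFEST = {
  manifest_version: 3,
  name: "Example Test Recorder (constructed)",
  permissions: ["storage", "cookies", "webRequest", "webNavigation", "tabs", "downloads", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["recorder.js"] }],
};

// Constructed manifest for a single-site plugin (the Google Calendar case):
// narrow breadth and no deep-access permissions.
const CALENDAR_MANIFEST = {
  manifest_version: 3,
  name: "Example Calendar Helper (constructed)",
  permissions: ["storage"],
  host_permissions: ["https://calendar.google.com/*"],
  content_scripts: [{ matches: ["https://calendar.google.com/*"], js: ["helper.js"] }],
};

for (const m of [RECORDER_MANIFEST, CALENDAR_MANIFEST]) {
  console.log(JSON.stringify(auditManifest(m), null, 2));
}
```

Run with `node audit.js`; the recorder manifest is reported as reaching all sites with six deep-access permissions, while the calendar helper has two narrow site patterns and no findings. The same audit can be pointed at the unpacked manifest of any extension a team is considering, which is the check an organization would want before the per-user mitigations discussed below.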


That lack of nuance is a significant challenge to creating a secure test automation framework without sacrificing functionality, one that mabl set out to solve as we built the low-code test automation experience from the ground up for the mabl app.

Existing controls

The ecosystem provides some degree of protection against malicious or poorly behaving code. Reputable commercial vendors with solid privacy policies and popular, actively maintained open source solutions should only be capturing data when test recording is explicitly on, and even then the test recorder should only collect the data needed to recreate and maintain the test. Furthermore, the Chrome team routinely reviews extension submissions and has been raising their standards for privacy and security with the introduction of Manifest V3 by more thoroughly reviewing extensions that request broad permissions.

But even the best intentioned companies and well-run open source projects have security vulnerabilities. Good security practice would require that test automation solution providers restrict the extension's access to only the essential data needed to do its job. But, as seen too often in real-world security practice, these ideal standards become untenable when applied organizationally.

As an individual tester, there are a few options to limit the automated test extension's degree of access. The most comprehensive would be to install it in a dedicated Chrome profile that's only used for testing, which would effectively isolate your normal browsing from your testing activity. Chrome 80 also introduced the ability to explicitly configure which sites an extension can access. But even these solutions have drawbacks: it's easy to confuse Chrome profiles, and it's possible to have both testing and non-testing use cases for individual websites, undermining any limitations placed on extension access.

But the biggest problem with these solutions is scalability, or the lack thereof. QA leaders, particularly those at mature DevOps organizations with a culture of quality that has everyone contributing to software testing, can't ask every end user to modify their browsing habits or explicitly configure restricted sites. Adding to the challenge is that the managed tools available for extensions are much more limited. While it's possible to specify organization-wide allow or block lists for an extension, the most secure version of such a list would require centralized maintenance of which sites are being tested, a major challenge and productivity blocker. Blocking access to sensitive websites could also hurt usability, since the organization risks blocking the ability to test those sites using test accounts and data.
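To make the scalability problem concrete, here is an added example, not mabl's code and not Chrome's implementation, of what the organization-wide fencing described above looks like in practice. It builds the value of Chrome's managed `ExtensionSettings` policy for a recorder extension ("block every host, then allow only the sites under test", relying on the documented rule that `runtime_allowed_hosts` overrides `runtime_blocked_hosts`), and pairs it with a small evaluator that answers whether the extension may touch a given URL. The extension ID, the site list and the URLs are constructed placeholders, and the host-pattern matching is a simplified model of Chrome's, assumed for illustration.

```javascript
// Added example, not mabl's code and not Chrome's implementation: the shape
// of the managed ExtensionSettings policy an IT team would use to fence a
// test recorder extension to the sites under test, plus a small evaluator
// modelling how the policy is applied (runtime_allowed_hosts overrides
// runtime_blocked_hosts). The extension ID and site list are constructed
// placeholders; the pattern matching is a simplification assumed here.

const RECORDER_EXTENSION_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // placeholder, not a real ID

// Build the policy value from the list of sites currently under test. This is
// the list that must be centrally maintained: every newly tested site means
// another entry, and every sensitive site left off it cannot be tested.
function fencePolicy(extensionId, sitesUnderTest) {
  return {
    [extensionId]: {
      installation_mode: "force_installed",
      update_url: "https://clients2.google.com/service/update2/crx",
      runtime_blocked_hosts: ["*://*"],       // block every host by default
      runtime_allowed_hosts: sitesUnderTest,  // then allow only the test sites
    },
  };
}

// Patterns are "[scheme]://[host]" with "*" wildcards and no path component.
function hostPatternMatches(pattern, url) {
  const [scheme, host] = pattern.split("://");
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1); // "https:" -> "https"
  if (scheme !== "*" && scheme !== urlScheme) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return u.hostname === base || u.hostname.endsWith("." + base);
  }
  return u.hostname === host;
}

// Allow-list wins over block-list; an extension with no entry is unfenced.
function extensionMayAccess(policy, extensionId, url) {
  const entry = policy[extensionId] || policy["*"] || {};
  if ((entry.runtime_allowed_hosts || []).some((p) => hostPatternMatches(p, url))) return true;
  return !(entry.runtime_blocked_hosts || []).some((p) => hostPatternMatches(p, url));
}

const POLICY = fencePolicy(RECORDER_EXTENSION_ID, [
  "*://*.staging.example.com",  // constructed: any host in the staging environment
  "https://test.example.com",   // constructed: one production-like host, HTTPS only
]);

console.log(JSON.stringify(POLICY, null, 2));

// Constructed URLs a tester might visit with the recorder installed.
for (const url of [
  "https://app.staging.example.com/login",
  "https://test.example.com/checkout",
  "http://test.example.com/checkout",
  "https://mail.google.com/",
]) {
  const verdict = extensionMayAccess(POLICY, RECORDER_EXTENSION_ID, url) ? "recorder may access" : "blocked";
  console.log(`${url} -> ${verdict}`);
}
```

The printed policy object is what would be delivered to managed Chrome through the platform's policy mechanism. The evaluator shows the trade-off the text describes: `https://mail.google.com/` is blocked, which protects the tester's personal data, but so is any site a team starts testing before the central list is updated.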

A Better Solution: The mabl App

The fundamental problem is that Chrome extensions are designed as a way to augment the browsing experience. Low-code test automation tools are powerful software programs that require taking over the browsing experience completely, but only when explicitly asked to do so. As the mabl team explored new ways to improve the secure testing experience, it became clear that a dedicated application that wraps the browser would be a better fit than an extension that sits inside the browser.

This model has a number of clear benefits. The most obvious is that a dedicated automated testing application completely removes the testing tool from the browser instances used for general browsing. This eliminates any concern about appropriately sandboxing the test automation tool. Given how many organizations have policies limiting local filesystem storage of sensitive data and the amount of sensitive data accessed strictly online, this is a substantial improvement and enhances our ability to respect user privacy, a core factor of SOC 2.

Though desktop applications open up a new set of security risks by moving the test automation tool outside the browser sandbox, modern operating systems have a robust set of security controls for sandboxing and/or limiting the access of individual applications. Testers ultimately have much more control compared to the traditional Chrome extension model, again supporting mabl's commitment to empowering testers in all aspects of software quality. Security and privacy are further enhanced since those security controls can be applied at the individual level or by a centrally managed IT team, depending on the general endpoint management policies of an organization.

Experience secure testing with a free trial of the mabl app
