End-to-end tests considered harmful (securing credentials for E2E and synthetic testing)

by Katie Kodes | at Minnebar 20

Last summer, eager to show a team how easily they could author Microsoft Playwright tests to determine whether their site still works after each new vendor patch ... I came five seconds away from hitting "send" on a test run results report that would have included:

  1. screenshots of my bank account number, and
  2. browser history including a cookie that could have let them log in as me and reroute my next payments to themselves.

My impatient boundless enthusiasm is partly to blame, but it could happen to any of us, because the problem is inherent to the nature of automation:

  • Credential problems arise quickly when we take humans out of the loop and automate the testing of authenticated systems.

This session explores the security implications of common testing practices, and presents practical alternatives that maintain quality assurance and observability without compromising security.

You'll learn authentication and authorization patterns to improve test security across the software development lifecycle.

Properly implementing mitigations like health check endpoints, synthetic data, and privilege separation likely involves more subject matter expertise than is reasonable to expect everyone to hold at once, so you'll leave this session with a shareable vocabulary you can use to align business, development, quality, identity, security, and monitoring teams as you work toward safer test automation against your most important systems.
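One concrete guard against the leak described above (a cookie and session data riding along in a shareable test-run report) is to scan and redact the browser state a Playwright run captured before any artifact leaves the machine. The script below is an added example, not code from the session or its author; it assumes the JSON shape Playwright writes for `context.storageState()` (a `cookies` array plus per-origin `localStorage`) and uses a constructed sample state.

```javascript
// Constructed sample in the shape Playwright's storageState() produces.
// The httpOnly session cookie and the localStorage token are exactly the
// kind of values that must never reach a shared report.
const sampleState = {
  cookies: [
    { name: "sessionid", value: "abc123secret", domain: "bank.example",
      path: "/", expires: -1, httpOnly: true, secure: true, sameSite: "Lax" },
    { name: "theme", value: "dark", domain: "bank.example",
      path: "/", expires: 1893456000, httpOnly: false, secure: true, sameSite: "Lax" },
  ],
  origins: [
    { origin: "https://bank.example",
      localStorage: [
        { name: "access_token", value: "eyJhbGciOi.constructed.token" },
        { name: "lang", value: "en" },
      ] },
  ],
};

// Heuristic for credential-bearing keys (names are an assumption; tune per app).
const SECRET_KEY = /(session|token|auth|jwt|csrf|sid)/i;

// A cookie counts as sensitive if the browser hides it from scripts (httpOnly),
// if it is a session cookie (expires === -1), or if its name looks like a credential.
function isSensitiveCookie(c) {
  return c.httpOnly === true || c.expires === -1 || SECRET_KEY.test(c.name);
}

// Returns identifiers of every entry that would leak a credential if shared.
function findLeakedCredentials(state) {
  const hits = [];
  for (const c of state.cookies || []) {
    if (isSensitiveCookie(c)) hits.push(`cookie:${c.domain}:${c.name}`);
  }
  for (const o of state.origins || []) {
    for (const item of o.localStorage || []) {
      if (SECRET_KEY.test(item.name)) hits.push(`localStorage:${o.origin}:${item.name}`);
    }
  }
  return hits;
}

// Returns a redacted copy (the input is not mutated) safe to attach to a report.
function redactStorageState(state) {
  return {
    cookies: (state.cookies || []).map(c =>
      isSensitiveCookie(c) ? { ...c, value: "[REDACTED]" } : c),
    origins: (state.origins || []).map(o => ({
      origin: o.origin,
      localStorage: (o.localStorage || []).map(i =>
        SECRET_KEY.test(i.name) ? { ...i, value: "[REDACTED]" } : i),
    })),
  };
}
```

Run `findLeakedCredentials` on the saved state as a pre-share gate (fail the pipeline step if it returns anything), and attach only the output of `redactStorageState` to results that get mailed or uploaded.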

Katie Kodes

Once told, "I've always imagined your brain is shaped like an old-fashioned library card catalog," Katie is thrilled by any chance to help others find -- and maintain -- order in their data and tech processes.
