Comment: Published by Scroll Versions from space FUNCTDEV and version SVC2023.1

...

  1. Identify the test scenarios that you want to use for penetration testing and copy them. You can continue executing the original test scenarios for functional testing as normal.
  2. For test clients (for example, SOAP Client, REST Client, EDI Client, or Messaging Client), add the Penetration Testing Tools to the Traffic Object outputs that make the API calls that need penetration testing.

  3. For Browser Playback Tools, add the Penetration Testing Tools to the HTTP Traffic or Browser Contents outputs that need penetration testing. When the tool is chained to an HTTP Traffic output, the tool attacks just the request described by that traffic message. When the tool is chained to Browser Contents, it attacks all requests made by the Browser Playback tool. By default, binary files are ignored unless enabled in Parasoft > Preferences > Browser Settings (see Additional Preference Settings).

  4. As the application changes, update only the functional test scenarios. Whenever you are ready to run the corresponding penetration test scenarios, repeat the above process of copying from the latest set of functional tests and then configuring the copy for penetration testing.

...

For more information see Reviewing Results.

Suppressing False Positives

...

SOAtest uses a preconfigured instance of OWASP ZAP under the hood to perform penetration testing. You also have the option to use the commercial tool Burp Suite for penetration testing by leveraging the Burp Suite Extension (https://docs.parasoft.com/display/SOA20211/Burp+Suite+Extensions+1.0).