So, hello and welcome everyone to "DevSecOps on Steroids" by Matthias Zax. We are glad Matthias can join us today.
Yeah, thank you very much. Thank you very much for the introduction. And of course, thank you very much for having me here at the Selenium conference. Yeah, hello. Yeah, today I'm going to talk about security testing, DevSecOps on steroids. Yeah, so continuous security testing, you know. I'm an engineer and I'm focusing on usually new stuff, yeah, trends, and security itself is not pretty new, but there is a high trend on it, a high demand on it. Just imagine if you have some vulnerabilities in your software, it gets exploited, you lose data, you get a bad reputation on the market. The loss to your company is not even countable. Yeah, so no one wants to have it, and exactly this I want to tackle today: how you can implement security testing, how you can implement continuous security testing in your team. Yeah, so kind of having this DevSecOps, and also how your Selenium tests can empower it. Yeah, so how you can use them.
Before I start, please also let me introduce myself a little bit, so that you know who is talking. Matthias Zax, as you already heard. I'm from Vienna, so Austria in Europe, and work there for the company Raiffeisen Bank International as an agile engineering coach. If people ask me what the company is that I'm working for, I always tell them it's an IT company with a banking license. And if they ask me what I'm doing, I'm helping and coaching teams and people to get better in their maturity level of development, especially test automation. I am also the organizer of the community of practice for test automation, and I'm talking at conferences and contributing to IT magazines, always in the sense of test automation. So you see my profession and meanwhile also my passion in this area. If you want to get in contact, please use the following links, or LinkedIn or Twitter. And then of course we can also keep in contact.
For those who don't know RBI, so that you also get a little bit of context where this comes from, why also security is for us so important: RBI, so Raiffeisen Bank International, is a traditional bank with more than 100 years of history, meanwhile fully agile transformed, or also in between. We are located in Austria, where the headquarters is, and Central Eastern Europe. We have currently there 13 network banks. So this is all our family, so to say. And we are the leading corporate and investment bank in these countries for the top 1000s conversion customers. We have a lot of employees, so more than 70,000, and more than 16 million customers. So that's the context where this comes from, why I also went into this topic.
What are some objectives, so how have I structured the talk today, and what is the stuff which you can take away from it? First, I will talk about security. Yeah, and I will generate some awareness, so you will understand the sense of security, why it's needed, and what we mean here. Yeah, and you also see why it is getting more and more important, and you will hopefully remember this and then also start off something in your teams. I will explain to you then four security testing approaches which I recommend, and you will be able to differentiate, yeah. And then I will show you how you can integrate these four security testing approaches into your pipeline, so into a CI/CD pipeline. Yeah, and this you will then memorize. And at the end, I will show how to implement your Selenium tests with a DAST tool, so dynamic security testing tool, called OWASP ZAP. So then you will see also some source code, and maybe you can take the implementation of that also. Okay, so this is kind of the agenda. Yeah, just differently presented.
What was the motivation? Yeah, as I mentioned before, engineer, testing was also something which I'm in those in three years, before I was developer, security was something new.
What was my motivation, why I went into this topic? Security was always something which was there. Yeah, I mean I was aware of it. I know it has to be done. To be honest, concrete steps for me were not clear. And it was also really tangible. It was always kind of a big, big thing, which was kind of, yeah, we need to externalize it, or there is an own department which cares about it. The team itself does not have to care about it. By the way, that's wrong: security is everyone's responsibility. And if you talk about security, always aware that this is expensive. Yeah, yeah, now we have to ship our software to the external company, they do this external penetration test, we get the reports, we need to fix it. And with that, it also slows down our release cycle time. That was my biggest trouble. And release cycle time is the time from where I commit code up to the time that the customer can use it. This I want to have very low, as an engineer who also wants to automate kind of everything. I want to do this several times a day. And the big and fancy companies do this. Yeah. So now I understand kind of my motivation, maybe the one or the other also.
Research: I definitely want to share here these numbers which I found. Those numbers got published from companies called purpose ag, SonicWall and Cybersecurity Ventures. They did investigation and the research. And as I mentioned, they published numbers. The first number is incredibly high in my opinion, and this is about 90%, and we talk 90% of security incidents are due to the fact that attackers use known software bugs. So they exploit known software bugs. And you know, if the attackers know them, your team also knows it. So you could fix it, but you just don't do it. And that's the reason why hackers can use it. So we definitely have to decrease this number. So that's kind of the status quo. The next is a trend. Here we talk about a year-on-year value. So for 2020 to 2021, the increase of malware attacks was about 40%.
The number is growing on the year-on-year comparison value. So you see a positive trend: attacks get more and more. Just, you know, computing power is pretty cheap. And also, there are a lot of tools at the moment on the market which you can use local also have to know you can. Yeah, it's pretty easy to do hacking. The first number is about an estimation about the damage. Yeah, and this is according to ransomware, and this was about 20 billion. That's a pretty small circle, or I can make it bigger. Yeah, in 2024 we talked about already more than 40 billion, but the six more than 70 billion. In 2021, more than 260 billion. Of course, rough estimations, but still you'll see the trend. Yeah, and they had some data. And to be honest, I don't want to contribute to this number. And I also don't want that my company contributes to this number. So we need to do something.
So what is this security testing now, what we're talking about, what is this continuous security testing? You know, very often if you ask 10 people, most probably you get 11 different answers or something like this. Yes, you get the point. So please let me give you my explanation: during security testing, vulnerabilities are discovered and attempts are made to exploit them. Pretty easy, pretty straightforward, of course, in a nutshell and very simplified. But now you know about what we're talking. There are three types. First is the vulnerability assessment. Yeah, so here the system, you can scan it and check if there are some issues, vulnerabilities. For example, if you have outdated software libraries, like an old Java version or whatever, or PHP or Apache. Then penetration testing. So your system gets analyzed and attacked by simulated malicious users, so-called pen testers, and they try to get access. So they check if cross-site scripting is possible on the login, or SQL injections and so on. Not good. And the third is compliance testing.
It's also known as conformance tests or regulatory tests. So if you need to comply with certain standards, yeah, you need to adhere to specific requirements. For example, if you need to be PCI compliant, you need to test the things which they gave you.
First is the functional security testing. Yeah, this is a group which is pretty often not known. Yeah, so you need to define functional security tests. For example, for your login, that if you enter the email address and a password and it's wrong, maybe you should not give back "password wrong" or "mail address already in use", because hackers can fetch email addresses just by brute-force attacks. Yeah, or logout, that the credentials are cleared. If the password policy works, credential management works and so on. These are functional security tests and very important. The second is non-functional security tests. Here, I want to mention the nonprofit foundation OWASP, so Open Web Application Security Project. They have a pretty nice website, they define there always their top 10 and so on, so vulnerabilities which you should test against. And then I want to mention SCA, so software composition analysis. You know, you have dependencies, and these dependencies have dependencies. And this is kind of the analysation if there are some vulnerabilities or software bugs or main security issues in the dependencies. There are some compliance checks, I already mentioned, yes, or here also software versions, are injections possible, and so on.
Good, so you understood now what the motivation was, you know that there is a high demand on it, a trend ongoing, and increasing risk. You understood what security testing is, but how can we tackle it? How can we now make our software more secure? The security testing approaches which I mentioned in advance, yeah, my four locks, which I want to use here, this is SAST, DAST, IAST, and RASP. What are those? The first lock is SAST, so static application security testing. What is this testing approach?
It's called a white box testing approach. Yeah, so this means the SAST tool is checking your software binaries, your source code, your artifacts, if you have some security issues. So it's a very shift-left approach. It's quite early in the SDLC, so in the software development life cycle. And you can fix it very early. That's of course very, very important and highly recommended to use. You can't discover any runtime and environmental issues, just by definition, but it's also not the intention to use SAST for. From tooling perspective, just that you heard it, I don't go here into details: there is also from OWASP a tool called Dependency-Check, or SonarQube, I guess it's pretty known, it's also used for SAST. And of course there are several other tools on the market, just that you heard one of those.
The first lock is DAST, so dynamic application security testing. We had white box before, now we have black box. So this means this test approach needs a running system. It needs a running application, it needs an environment, and it tries kind of to hack it. So it's a little bit later in the SDLC, of course you need to build and package your software, you need to deploy it, but it's the first approach which you can do after the deployment. And it uses fault injection techniques. It's a kind of also penetration testing, because it screens your software, it tries to hack it, it tries to find vulnerabilities. It tries SQL injections, JavaScript injections, and you name it, there are a lot of different things, and finds there vulnerabilities. The tool is also from OWASP, it's OWASP ZAP, or Burp Suite, or a lot of other tools here. And OWASP ZAP, you heard that already as a spoiler at the beginning, this you will see at the end, how to use it with your Selenium tests. And I promise you the integration is pretty easy.
The next lock, so the third out of four, is IAST, interactive application security testing. What is that? The cool stuff is, this is kind of a combination of SAST and DAST.
It combines the shortcomings, the advantages of both approaches, and gets the best out of it. A little bit of a drawback is here, you need a dedicated software installed in your app, in your environment, which is then doing the analysation. So doing kind of the DAST checks, and if it gets deeper into your software, it will also execute SAST checks. And what you get is a lower false positive rate, which is of course pretty important. And this agent is doing a lot of analysis. It analyzes the runtime, the data flow, the configuration for this sort, where is it, or of course, HTTP requests and responses, which libraries are used, which frameworks and so on. And it will give you a pretty detailed result. And it's a learning tool. It means most of these tools which are capable of IAST provide also learning, means the more often it is executed, the more precise it gets, means the fewer false positives you have. For example, here the Contrast Community Edition is a tool for that.
A lot of theory about SAST, DAST and IAST, let me kind of visualise it, let me give you an example. If you have a login, a login JSP, and you execute OWASP ZAP and you go for a DAST check, or depending on the tool, of course, how the message looks like, you get: you have an SQL injection vulnerability, at least in the parameter in the login JSP, you could be exploited with this and that. Cool. If it was SAST, it will give you: you have there an SQL injection vulnerability at this file at that line, not more. But if you use IAST, you get that you have the SQL injection vulnerability at this file at that line with that parameter in this file, and you could exploit that with this SQL statement. So a pretty detailed error message also, which then of course will be used. I guess now you know what I'm talking about here.
And the last lock, which is rather than security testing, it's more, it's more protection, it's more a monitoring tool, is about RASP, so runtime application self-protection.
And as I mentioned, like a monitor, it works inside the application, it works inside your environment, your production environment, and you can also feed it with data from your application. And you can write scripts so that you feed the RASP with additional information, you know, more than RAM usage, CPU usage, whatever, to get more insight, because it provides you visibility, which is very important. You want to know what's ongoing in your production at the end, to protect it. So it provides you visibility, and you also have the possibility to make instant activations, so you can define events that you can either alert, which is of course recommended because it's pretty straightforward and easy to set up, up to the point that you can say, okay, if this happens, destroy the session, kill it. Just to protect. Of course, additionally, I would also make an email event or whatever, just that you can investigate afterwards. To protect your production. Now, tools here are like, again from OWASP, AppSensor, and also the Contrast Community Edition is capable of this security testing approach, or here in that sense, monitoring.
So the four locks summarized: SAST, white box, it checks code and dependencies. DAST, black box, it checks your environment and application. IAST, it combines SAST and DAST, you know, you saw the example. RASP, it runs in production and protects it, it verifies if you get attacked. Good. So now it's time to see how this looks in the pipeline. So that's the time to add the four locks to the pipeline.
So how does a continuous security CI/CD pipeline look? Let me draw the picture again. So in phases, you saw it before as a spoiler. You have the secure design phase, you have the secure coding phase. Then you do continuous integration, you deploy it. You do testing. Here I mean the test execution. And then kind of the production runtime defense. This is how I call it, the secure CI/CD pipeline. And here you have triggers.
So on which trigger you should do then which activities, security testing activities. So here's the design phase. So here we talk about if you design a new feature, if you define a new application, or whatever. Yeah. If you're going to design, you can here already do some security testing approaches. For example, threat modeling, very briefly explained. Yeah. So you draw kind of the picture of your feature, where the threats are going, which is in terms of external, where are the risks, where you should focus on testing. Very simply explained, I don't want to go into details. And by this, defining functional security tests. As I mentioned before, for the login, is the error message right, does the credential management work and so on. Define here security tests, which are not for your user scenarios, for your end user or so, yeah, but in the sense of security. So this is the design phase.
Then we come to coding. Here we have the coding itself, the code review, yeah, pull request, and of course, continuous executions. And activities, and here comes the first lock into the game. It starts. Yeah. So SAST, static analyzers. And I highly recommend to you the IDE plugin. If you only have it in the code review or a continuous nightly build exercise, people will not look at it. If you have it, of course, this is depending on the tool you use, if you have it with your IDE plugin, you know it while coding, yeah. And then you will definitely use it, because no one wants to implement security bugs. And also SCA. Yeah. So that checks your dependencies, what's ongoing here. So this is in that phase.
The next, we have the events or the triggers with build, with the packaging and the deployment. Again, we need to execute SAST and SCA, because at the time where you build it, where you package the stuff, it's quite common that additional stuff gets attached to it. It's more components, more configuration files, whatever. So you make this check again.
And of course, after deployment, we learned that the black box testing approach DAST comes into the game. So you try, you see, you know, what the findings are here from the result of your tool. And this you will see also in some minutes with OWASP ZAP. We have now two locks.
The next is then testing. So here we talk about all kinds of testing: test automation, is it manual testing, exploratory testing, whatever. First, I recommend again DAST, because this testing is very often happening on the user acceptance environment or integration environment. So you have more connections, and this can lead to the fact that you have more findings. And then it's time for IAST, to set up what you want to use. Make experience out of that, if it's beneficial, if you want to use it, get out the advantages of it. Of course, functional security tests, which you have defined at the beginning, that you now execute them, and also penetration testing is pretty common to do before you release to production.
Production time. This is continuous exercises. And here we come with the fourth lock, and this is RASP. So you want to get insights, you want to see what's ongoing, you want to define your events, your triggers, to protect your production. Cool. So this is how the secure pipeline looks like.
And I promised you, I want to show you some code. So now it's time for source code: how to empower OWASP ZAP, or DAST, with your Selenium tests, or vice versa, how you can empower your Selenium tests with OWASP ZAP. For the demonstration, the tech stack. What I will show you is first OWASP ZAP. Installation is easy, even Docker, you will see it in a second. The system under test which I will use here is NodeGoat, it's from OWASP, which you can use so that you also find some vulnerabilities. From technology perspective, it's written in Selenium, of course, and Java, Gradle and TestNG. Yeah, now it's time for rock and roll. So let me start the video.
Okay, so you can see here, that's the website from OWASP ZAP. You can see here a lot of different installers, yes, for Windows, Linux, macOS, whatever, and also Docker, if you want to use Docker. I used Windows just because I had it installed. How that stuff looks like, yeah, so it also offers you a GUI. Of course, if you use other installations, maybe you only have it from the command line. But here for demo purposes, it's also good to have it with the GUI. From functionality, you can also use it kind of manually. Yeah, so you insert the URL of your application and you do a check. So you attack it and it will show you the security findings out of that. But this I don't want to focus on today. I want to focus on Selenium tests, and OWASP ZAP also comes with a proxy. Yeah, so it acts as a proxy, and this is now how we will use it.
This is the system under test. So the NodeGoat application deployed on Heroku. And you have here a pretty easy login. You know, if you do not the manual stuff that you hack it, attack it, sorry, then it cannot get inside the login. So this is the only surface where it can hack it or attack it. And with our tests, we make it not able to get inside the application. So this is the system under test, which we will use, just so that you have seen it.
Let's come to our tests. IDE here, yeah, IntelliJ, Java, pretty straightforward, no fancy stuff here. It's just demo purpose. We have here an easy login test case with valid credentials, and afterwards it's just verifying whether the dashboard field is displayed. So we go to the URL for a demo purpose of a rate. We perform the login. There are the locators, dashboard, and a pretty easy assertion. If you execute this test now, I guess everyone knows this here in the audience, you get then a red or a green. Yeah, if this login feature is working or not, but we can get something more. So let's see what I do here in the before method. So what I do first, I need to set a proxy.
So, where can we get these values from OWASP ZAP? We have here the tools, and then we have the options. And now I let it already proxy. We have here the local proxy, and you see it runs on localhost and on the port 7777. Just because 8080 was already blocked on my side, different story, I just changed it to 7777. And so this is the proxy configuration, and we need an API key later on for the report. I will show it to you, but let me just show it here, where you can get it. You have API and you have the key. So these three values we need first for the proxy. As you can see here, localhost, 7777 and the key. Good. So we set it first to the string. This Proxy class is coming from Selenium. So this is already a class from Selenium. If you have to use a proxy, you can use that. It has HTTP and SSL proxy. So for both. And on the Chrome, we have to add it with the set proxy. So the Chrome options. You can use that one, the web driver. It does. And then we start the Chrome driver.
Here, this line of code is about the API, the ClientApi. This class is coming from OWASP ZAP. Very simply explained, we just need it for the report. Because we execute it, there was a lot of detection of security findings, and of course, I want to have a report afterwards. And therefore I just need a pretty simple API call, which I do then in the after suite. So after all methods were executed, of course, now we have just one, with some configuration, I just call the reports generate and it will generate me a report to the target folder. Cool. I mean, I guess everything is explained. Let's run it.
So it spins up the test. It opens the Chrome. It goes to the system under test in the data. Let me also open OWASP ZAP so that you can see what it's already doing. So you see here, sites that are already collected. And what you can see here now is "Welcome to the ZAP HUD". This is coming from OWASP ZAP.
Also, if you do manual testing, you can see here the findings which it already found, and then you can continue to target and continue with some manual testing. If you don't close the driver and so on, or you configure the proxy on your Firefox or Chrome, then you can also do that. Also here, but it will close also with the execution afterwards. Just so you know what this was. Okay. The test case is green. So usually what you have now is a test summary report where there is the test case green. Super. Everything is cool. But now you see here in OWASP ZAP a lot of findings. You can, of course, use the OWASP ZAP tool and do then some parsing of data and whatever. This is not content of this workshop, of this presentation. We just have it simple. We just use what it found.
What is the report about? So you can see here the summary of alerts in the dedicated risk level and the summary of alerts in the group on the finding. And if you go now in, you can dig into each finding and it will give you where it was found, what is the problem, what is the solution, some references and so on, of course, depending on the finding, and up to you. If you say, this is fine for me, okay, then release. But if you say, hmm, the fix is taking, I don't know, one minute and we can do it, maybe we should fix it before someone else can maybe exploit it, because we have here already some issues with a vulnerable JavaScript library. And you saw what the integration was about. Pretty straightforward. And beside the test summary report with the test case "log in successfully", you have now an addition to that, a security report, which tells you you have some vulnerabilities. Do you plan to deal with the risk? Do you want to deploy, or should we fix it?
So let me come back to the slides. As promised, the integration was pretty straightforward. It was just a proxy. Yeah, extension of your Chrome options, or whatever driver you use, to set the proxy, and the API just to get the reports.
And of course you need to install OWASP ZAP. Yeah, but as I mentioned, you can, I don't know, docker pull and docker run.
Let me sum up. I want to give you a recommendation, kind of the next steps, or seven steps, how to come to the secure pipeline. Yeah, pipeline by pipeline, you know, that helps, you want to have fast feedback. That's the second step, you also get feedback in the sense of security to empower your team. First is, you need to upskill in security: join department or join forces, good department, get a coach, do a learning journey, go to a conference like this and get first insights into the area of security. Then go for SAST. Yeah, it's a pretty easy approach. And with that he begins, as I mentioned, you need the feedback very fast, otherwise you will ignore it. So first of course set up progress that you're not allowed to commit new. Then DAST. Yeah, go for DAST, add it to your pipeline. Very important: don't go now with OWASP ZAP to manual execution, you do it for three sprints and then stop. No, you add it to a pipeline, it gets automatically executed, and you have the reports and you care about that. And if you don't do that, very often you just do it for some sprints and you stop that. And you saw, use your Selenium tests to empower the DAST checks, with the Selenium integration you've seen. Define metrics and a positive trend. Very often this approach is new for the teams and they start now with the first findings. And agree on, as a team agreement, from now on we will decrease this number, or at least we will not increase it. Don't aim for zero medium findings or whatever. This is very often not feasible. Makes no sense. You don't have the resources for that. Fifth, automate security tests, non-functional and functional ones. This is how you can ensure that they will get executed. And RASP, to get insights of your production environment, protect it.
Also sometimes you get pretty good insights also just for the normal usage, that you have to do some optimizations, but also here the focus is on being protected from hackers. Last is, set up IAST with the agent here. Explore it, if it's beneficial for you, if you can get something out of that on the test environment, and go for it. This is how I recommend it. Yeah, with my current knowledge. And, yeah, I think with that, you are on a good track to build a pretty secure application. At least you are aware of it.
Thank you very much for your attention. The focus was to be finished earlier so that we have now time for questions, but of course I will be also present in the hangout afterwards. And, yeah, I want to hand over back to Ankit. Are there questions? I can see there are questions.
Yep. There are two questions.
Let me stop sharing. And let me read out the questions. Thank you for the questions.
"Can we do this for legacy application platforms, mainframe, Windows-based applications too? If so, what are the tools used in this case?" Good question. I got this already once. And to be honest, I don't know. It's a little bit depending on the risk. I think these mainframe applications have pretty strict APIs to the inside of the own company, very rarely outside of the company. So the risk is not so high as having a mobile app or an internet banking application in the browser. It's always depending on the risk, what kind of security test level you want to go for. There are tools for that. To be honest, this is not where I'm specialized in, I don't know, also not for Windows applications. I also need to check that out. So sorry, I cannot recommend here any tools, but just from the security testing approach, it's always a matter of risk. Yeah, so you need to align in your team: what is the risk, who are my users, what is my audience, for whom is my application, or from whom is my application reachable. Hopefully the answer is okay for you.
The next one is, "How to reduce or avoid false positives showing up in DAST?" The answer is here more or less: go for IAST, because with that you can reduce it, otherwise it's pretty tricky. Yeah, of course there are false positives, just by definition, because it gives you a lot of findings. You can investigate all of them. Yeah, you can then also classify them and check the report and then say, okay, these and that are kind of false positives, and you can ignore it. And also that you check them, what new findings would come. If you're aligned on the current report, and you execute that with the next release, you get then maybe one, two more findings, it should not be that you get 50 more. And that you always focus on those and see, should we fix it, or can we live with it. And otherwise, otherwise to reduce it, I don't know at the moment. Just I can recommend going then for IAST. Good.
"What plugins do you recommend?" I cannot recommend any plugins at the moment. I just recommend a plugin now from the IDE perspective, that whatever SAST tool you use, that you also use the tool so that you get directly input there. We use here also Teamscale, and we have here a Teamscale plugin in the IDE, and this is not so much for security but also for SAST, the code analyzers. This I can recommend. If you mean from OWASP ZAP, I'm not an expert here. I also want to be here quite honest. So I cannot recommend here plugins. I'm not at that level.
"Is there any way to include OWASP security report in our test framework?" Yes, this I would definitely recommend. Yeah, I mean, what it generates is an HTML file. And you can of course include any HTML files, whatever you want. And if there is maybe also an integration on the XML file base for TestNG and JUnit, I need to search it out. It's a good question, I will also investigate on that one. Thank you for the hint. So maybe it can also be integrated on source level, that it generates out of it.
Otherwise you can always extend the reports so that it gets integrated, especially, you know, we often have done kind of own test summary reports where we integrate all the reports. Yeah, of course it's HTML, you have seen it. But I will check it out if there is any more narrow integration also. Thank you for the hint. So it was good. Yeah, if you share things and get good questions, then you get also, yeah, the hint for new approaches.
"Can you recommend a learning path to be good in security testing?" Yeah, seems to be that they also participated the last talk about for movie. The learning path which we had was mainly internally, because, you know, we have a big security department and they created the content internally. That's a very good question. We don't have it at the moment in our test automation journey, which we have seen also maybe before. It's a very good input. I will check it out if you have maybe also here from the app retours or from other providers which already used, if they provide some good security testing which starts also from basics, because very often I see that this is also something which is missing and very important there. So yeah, that's my answer. I guess not very satisfying. Yeah, I'm sorry. But I can recommend maybe this, what I did there: start very small, as I showed you. My security testing approaches are not the most sophisticated ones, and this does not mean that you have a super secure application, because there are very involved. So I'm going to show you some of my security testing approaches, which are not with this SAST, DAST, IAST, RASP which I have explained to you. But what this is, it is a critical start. Yeah, it will reduce your findings. If you need to do pen testing, you will definitely need this external company, because they are certified, but you will reduce already the report with these current approaches, and then extend it.
Yeah, so I extended it now with the Selenium tests, to get more inside of the application. You know, it's always a risk if someone gets inside the application. What can he do then? Yeah, or what can he or she do then? Do you want to know that, so you want to see this? Yeah. And then, you know, step by step, but always get this dopamine, so finish stuff, and then extend it.
Good. Currently we are using SonarQube, Checkmarx. Last component application. Okay, for performance testing is good. Okay, all of them are licensed, do you suggest any open source which can replace these?
I mean, SonarQube is kind of free to use, but if you're enterprise of course you need to pay for it. From OWASP, yeah, I mentioned here a lot of tools which you can use. They are free. They are open source tools. We use, I guess, CodeQL from GitHub, but of course you are also cost rated it very often there are then cost rated it there and then it comes commercial tools. What I just can recommend you, because those tools have really good standing on the market, is the ones which are published from OWASP, and get the most out of it. So very often these commercial tools, they have the one or the other feature which the open source tool does not have, which is then very often quite important. But let's see. As I mentioned before, it's always a matter of risk. So the recommendation I can give you is from the OWASP nonprofit company. I can give you from OWASP the better Jack absence or and so on.
Last question for now, do we have time? Yeah, okay, super. The way of connecting Selenium with a dockerized run of OWASP in a CI system is the same as you have shown?
More or less.
There are some stumbling stones which you need to take care of, especially if everything is running on localhost, then you need to create a Docker network so that they can communicate with each other, so if your application is dockerized and that is dockerized. But all the instructions you can find on the OWASP homepage. So, yes, you can definitely do that. There is no difference, just I didn't use it because, I don't know, I had already OWASP ZAP installed and it was easier for me, and I was about to show you the GUI and how you can use the attack functionality, which was also very often. So, but our bottom line is, yes, just there are some special settings which you need to cool.
Yeah, thank you very much for all the questions. Yeah, a lot of them were also beneficial for me. Thank you very much for the hints, I have now some homework. Thank you very much for participating in this talk. Hopefully, you will be able to take something with you. And if it is only the awareness, but this is something where it starts.