diff --git a/initializr-service/src/main/java/io/spring/initializr/service/extension/SpringSecurityTestRequestPostProcessor.java b/initializr-service/src/main/java/io/spring/initializr/service/extension/SpringSecurityTestRequestPostProcessor.java
new file mode 100644
index 00000000..9451a955
--- /dev/null
+++ b/initializr-service/src/main/java/io/spring/initializr/service/extension/SpringSecurityTestRequestPostProcessor.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.spring.initializr.service.extension;
+
+import io.spring.initializr.generator.ProjectRequest;
+import io.spring.initializr.generator.ProjectRequestPostProcessor;
+import io.spring.initializr.metadata.Dependency;
+import io.spring.initializr.metadata.InitializrMetadata;
+import io.spring.initializr.util.Version;
+
+import org.springframework.stereotype.Component;
+
+/**
+ * A {@link ProjectRequestPostProcessor} that automatically adds
+ * {@code spring-security-test} when Spring Security is selected.
+ *
+ * @author Stephane Nicoll
+ */
+@Component
+class SpringSecurityTestRequestPostProcessor implements ProjectRequestPostProcessor {
+
+	private static final Version VERSION_1_3_0 = Version.parse("1.3.0.RELEASE");
+
+	private final Dependency springSecurityTest;
+
+	public SpringSecurityTestRequestPostProcessor() {
+		this.springSecurityTest = Dependency.withId("spring-security-test",
+				"org.springframework.security", "spring-security-test");
+		this.springSecurityTest.setScope(Dependency.SCOPE_TEST);
+	}
+
+	@Override
+	public void postProcessAfterResolution(ProjectRequest request,
+			InitializrMetadata metadata) {
+		if (hasSpringSecurity(request) && isAtLeastAfter(request, VERSION_1_3_0)) {
+			request.getResolvedDependencies().add(this.springSecurityTest);
+		}
+	}
+
+	private boolean hasSpringSecurity(ProjectRequest request) {
+		return request.getResolvedDependencies().stream()
+				.anyMatch(d -> "security".equals(d.getId()));
+	}
+
+	private boolean isAtLeastAfter(ProjectRequest request, Version version) {
+		Version requestVersion = Version.safeParse(request.getBootVersion());
+		return version.compareTo(requestVersion) <= 0;
+	}
+
+}
diff --git a/initializr-service/src/test/java/io/spring/initializr/service/extension/SpringSecurityTestRequestPostProcessorTests.java b/initializr-service/src/test/java/io/spring/initializr/service/extension/SpringSecurityTestRequestPostProcessorTests.java
new file mode 100644
index 00000000..18c4f421
--- /dev/null
+++ b/initializr-service/src/test/java/io/spring/initializr/service/extension/SpringSecurityTestRequestPostProcessorTests.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.spring.initializr.service.extension;
+
+import io.spring.initializr.generator.ProjectRequest;
+import io.spring.initializr.metadata.Dependency;
+import org.junit.Test;
+
+/**
+ * Tests for {@link SpringSecurityTestRequestPostProcessor}.
+ *
+ * @author Stephane Nicoll
+ */
+public class SpringSecurityTestRequestPostProcessorTests
+		extends AbstractRequestPostProcessorTests {
+
+	@Test
+	public void securityTestIsAdded() {
+		ProjectRequest request = createProjectRequest("security");
+		Dependency springSecurityTest = Dependency.withId(
+				"spring-security-test", "org.springframework.security", "spring-security-test");
+		springSecurityTest.setScope(Dependency.SCOPE_TEST);
+		generateMavenPom(request)
+				.hasSpringBootStarterDependency("security")
+				.hasSpringBootStarterTest()
+				.hasDependency(springSecurityTest)
+				.hasDependenciesCount(3);
+	}
+
+	@Test
+	public void securityTestIsNotAddedBefore13() {
+		ProjectRequest request = createProjectRequest("security");
+		request.setBootVersion("1.2.7.RELEASE");
+		generateMavenPom(request)
+				.hasSpringBootStarterDependency("security")
+				.hasSpringBootStarterTest()
+				.hasDependenciesCount(2);
+	}
+
+	@Test
+	public void securityTestIsNotAddedWithoutSpringSecurity() {
+		ProjectRequest request = createProjectRequest("web");
+		generateMavenPom(request)
+				.hasSpringBootStarterDependency("web")
+				.hasSpringBootStarterTest()
+				.hasDependenciesCount(2);
+	}
+
+}