Floating the goat: How to use DevSecOps to secure OWASP WebGoat

Presented at Diana Initiative 2023, Aug. 7, 2023, 11:30 a.m. (60 minutes)

Knowing what DevSecOps is in the abstract is an entirely different thing from actually incorporating it into a CI/CD pipeline and using it every day, and figuring out where and how to start building that pipeline can be daunting in itself. Using an intentionally vulnerable web application such as OWASP WebGoat as the target for automatically scanning, finding, and resolving vulnerabilities is an excellent way to learn about web application security, AWS and cloud security, open source tools, and DevSecOps. In this talk we plan to define requirements, threat model the architecture, create an AWS account to set up a development environment and try out different tools, build and then test the code, automate and monitor the pipeline, and then continuously improve it.
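One practical wrinkle in the "automate and monitor the pipeline" step is that WebGoat is vulnerable on purpose, so a scanner will always report findings and a naive "fail on any high" gate would never go green. The script below is an added example written for this page, not code from the talk or from the WebGoat project: it reads a SARIF 2.1.0 report (the output format most SAST and dependency scanners can emit), skips findings whose fingerprint is in a reviewed baseline (the intentional lesson vulnerabilities), and fails the build only when a new finding at or above a chosen severity remains. The tool name, file paths, rule ids and the baseline contents are constructed sample data, and the fingerprint scheme (rule id + file + start line) is an assumption, not a SARIF standard.

```python
"""Hypothetical CI quality gate for a DevSecOps pipeline (added example, not
from the talk): read a SARIF 2.1.0 report, ignore findings already accepted in
a baseline, fail when a remaining finding is at or above the threshold level."""
import hashlib
import json
import sys

# SARIF "level" values, ranked so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def fingerprint(result):
    """Stable identifier for one SARIF result: rule id, file URI and start line.
    Assumed scheme used to recognise findings that were already reviewed."""
    locations = result.get("locations") or [{}]
    physical = locations[0].get("physicalLocation", {})
    uri = physical.get("artifactLocation", {}).get("uri", "")
    line = physical.get("region", {}).get("startLine", 0)
    raw = f"{result.get('ruleId', '')}|{uri}|{line}"
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


def evaluate(sarif, baseline, fail_on="error"):
    """Return the gate verdict. Findings whose fingerprint is in `baseline`
    are reported as accepted; any other finding at or above `fail_on` blocks."""
    threshold = LEVEL_RANK[fail_on]
    blocking, accepted = [], []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            fp = fingerprint(result)
            if fp in baseline:
                accepted.append(fp)
                continue
            level = result.get("level", "warning")  # SARIF default level is "warning"
            if LEVEL_RANK.get(level, 2) >= threshold:
                blocking.append((result.get("ruleId"), fp))
    return {"passed": not blocking, "blocking": blocking, "accepted": accepted}


def _result(rule_id, level, uri, line):
    """Build a minimal SARIF result object (constructed sample data)."""
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": f"{rule_id} at {uri}:{line}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }


# Constructed sample report: a scanner called "example-sast" (fictional) found
# two errors and one warning in fictional source files.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            _result("java/sql-injection", "error", "src/main/java/org/example/Search.java", 42),
            _result("java/xss", "error", "src/main/java/org/example/Comment.java", 17),
            _result("java/hardcoded-credential", "warning", "src/main/java/org/example/Config.java", 9),
        ],
    }],
}

# Constructed baseline: the XSS finding is an intentional lesson, accepted in review.
SAMPLE_BASELINE = {fingerprint(SAMPLE_SARIF["runs"][0]["results"][1])}


def demo(fail_on="error"):
    """Run the gate over the constructed sample data."""
    return evaluate(SAMPLE_SARIF, SAMPLE_BASELINE, fail_on)


if __name__ == "__main__":
    # Usage: gate.py [report.sarif] [baseline.txt]  (one fingerprint per line).
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            report = json.load(f)
        baseline = set()
        if len(sys.argv) > 2:
            with open(sys.argv[2], encoding="utf-8") as f:
                baseline = {ln.strip() for ln in f if ln.strip()}
        verdict = evaluate(report, baseline)
    else:
        verdict = demo()
    for rule, fp in verdict["blocking"]:
        print(f"BLOCKING {rule} {fp}")
    print(f"accepted={len(verdict['accepted'])} blocking={len(verdict['blocking'])}")
    sys.exit(0 if verdict["passed"] else 1)
```

The exit status is what the pipeline consumes: a non-zero exit fails the stage, so the script slots in after the scan step with no tool-specific integration. The baseline is the piece that makes this workable against WebGoat: every lesson vulnerability gets reviewed once, its fingerprint committed, and from then on the gate only reacts to findings that were not there before. Fingerprinting on the start line means a reformat that shifts lines will resurface accepted findings; that is a deliberate trade-off here, since a shifted finding is cheap to re-review and a baseline that matches too loosely would silently accept new bugs.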
Presenters:

  • Chloe Potsklan
    Chloe Potsklan is a cyber security engineer working on the endpoint security platforms team in Security Architecture and Engineering. Before joining the endpoint team, she worked on the security architecture team mainly focusing on securing cloud environments. She previously worked at Deloitte as a senior cyber risk consultant working in DevSecOps, application security, penetration testing, and vulnerability management. On the side, Chloe teaches intro to cyber security bootcamps through Savvy Coders, is a member of Cabal, and spends her free time playing water polo and running.
