AppSec Automation: Pipelines, APIs and Getting Things Done Faster

Presented at LocoMocoSec 2018, April 4, 2018, 9 a.m. (480 minutes)

Note: This is a two-day, hands-on course.

You've probably heard many talks about DevSecOps and continuous security testing, but how many provided the tools and training needed to actually start that testing? This training does exactly that. It provides the tools you'll need to take you from testing to reporting to remediation and retesting with the help of automation. Utilizing multiple open source tools, including OWASP's AppSec Pipeline and Defect Dojo, the training will provide an overview of key application security automation principles and hands-on experience with creating an Application Security Pipeline augmented with automation.

Over the course of two days, students will cover the crucial aspects of where and when to add automation to their application security programs and gain experience with integrating APIs, conducting continuous testing, ChatOps integration (Slack), techniques to automate commercial scanners, how to consolidate and de-duplicate security issues, automating submission of issues to defect trackers, and generating reports and metrics. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs using local or cloud infrastructure. The techniques in this training have been used at real-world companies at scale and have shown a 5x increase in AppSec team output year over year, and a 9.4x increase over two years. With an AppSec Pipeline, you don't have to dread hearing about that release that's happening tomorrow.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline specifically geared towards continuous testing. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program, allowing the student to see the concepts in action before returning to work and applying them to their specific situation. New implementations of OWASP's AppSec Pipeline are being released as part of this training, so be the first to use the next generation of testing automation.

Who Should Take This Course?

AppSec professionals who are part of an internal AppSec program, or anyone needing to automate security assessment work. This course is designed to demonstrate the principles, in both theory and practice, behind the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages and OWASP projects will be used to set up an example AppSec Pipeline in a series of hands-on labs. The concepts and techniques of this course can then be applied to students' own AppSec programs to build their own, custom AppSec Pipeline. Additionally, those conducting penetration tests or running a team of testers could also gain valuable insight into how to speed up their work and remove some of the drudgery from pen testing.

What Should Students Bring?

A 64-bit laptop capable of running Docker. Custom Docker images containing all the necessary software for the labs will be provided to the students.
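The course outline above lists "consolidate and de-dup security issues" as one pipeline stage. The following is an added example (not code from the training, from OWASP AppSec Pipeline, or from DefectDojo) of the core of that stage: normalise findings from several scanners into one tool-neutral record, fingerprint them on the fields that identify the same underlying bug, and merge duplicates, keeping the highest severity any tool assigned. The `Finding` record, the choice of fingerprint fields (CWE, location, parameter) and the sample findings are all constructed for this example; the fingerprint fields are an assumption chosen to resemble hash-based dedupe, not copied from any tool.

```python
"""Consolidate and de-duplicate findings from several scanners.

Added example; not code from the LocoMocoSec training, the OWASP AppSec
Pipeline project or DefectDojo. The input record is a constructed,
tool-neutral shape that a per-scanner adapter would produce. The
fingerprint fields (CWE + location + parameter) are an assumption about
what makes two findings "the same" across tools.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Finding:
    tool: str
    title: str
    severity: str
    cwe: int
    location: str        # URL path or source file, normalised by the adapter
    parameter: str = ""  # query/form parameter or line number; "" if none


@dataclass
class Consolidated:
    fingerprint: str
    title: str
    severity: str
    cwe: int
    location: str
    parameter: str
    tools: list[str] = field(default_factory=list)
    occurrences: int = 0


def fingerprint(f: Finding) -> str:
    """Stable key that is identical when two tools report the same issue.

    Title and tool name are deliberately excluded: every scanner words the
    same weakness differently, so hashing them would defeat the dedupe.
    """
    key = f"{f.cwe}|{f.location.strip().lower()}|{f.parameter.strip().lower()}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def consolidate(findings: list[Finding]) -> list[Consolidated]:
    merged: dict[str, Consolidated] = {}
    for f in findings:
        fp = fingerprint(f)
        c = merged.get(fp)
        if c is None:
            merged[fp] = Consolidated(fp, f.title, f.severity, f.cwe,
                                      f.location, f.parameter, [f.tool], 1)
            continue
        c.occurrences += 1
        if f.tool not in c.tools:
            c.tools.append(f.tool)
        # Keep the most severe rating any tool assigned to this issue
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(c.severity, 0):
            c.severity = f.severity
    # Triage order: highest severity first, then issues confirmed by more tools
    return sorted(merged.values(),
                  key=lambda c: (-SEVERITY_RANK.get(c.severity, 0), -len(c.tools)))


# Constructed sample input: two DAST-style tools and one SAST-style tool
# reporting overlapping issues. Not real scanner output.
SAMPLE = [
    Finding("zap", "SQL Injection", "High", 89, "/api/search", "q"),
    Finding("arachni", "SQL injection (blind)", "Critical", 89, "/api/search", "Q"),
    Finding("zap", "X-Frame-Options Header Not Set", "Low", 1021, "/", ""),
    Finding("zap", "X-Frame-Options Header Not Set", "Low", 1021, "/login", ""),
    Finding("bandit", "Use of weak hash", "Medium", 327, "app/auth.py", "42"),
    Finding("bandit", "Use of weak hash", "Medium", 327, "app/auth.py", "42"),
]

if __name__ == "__main__":
    for c in consolidate(SAMPLE):
        print(f"{c.severity:8} CWE-{c.cwe:<4} {c.location:14} {c.parameter:4} "
              f"x{c.occurrences} via {','.join(c.tools)}")
```

Six raw findings collapse to four: the two SQL injection reports merge into one Critical issue seen by both DAST tools, the repeated Bandit hit merges into one, and the two missing-header findings stay separate because they are on different paths. The consolidated list is what a later pipeline stage would push to a defect tracker, one ticket per fingerprint rather than one per scanner line.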

Presenters:

  • Matt Tesauro - Duo Security
    Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior to that, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Matt is a broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided training at various international industry events including the DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, and AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at the University of Texas and Texas A&M University. He is a former board member of the OWASP Foundation and project lead for the OWASP AppSec Pipeline & WTE projects. WTE is a collection of application security testing tools, and the AppSec Pipeline project brings lessons from DevOps and Agile into Application Security. He holds two degrees from Texas A&M University and several security and Linux certifications.
