Hands-on Security in DevOps and Application Security Automation Workshop (1 of 2 days)

Presented at AppSec USA 2017, Sept. 19, 2017, 9 a.m. (480 minutes)

After immensely successful workshops in the Bay Area, Bangalore and at AppSecEU 2017, and a record, sold-out workshop at OWASP AppSecUSA 2016 in Washington D.C., we bring you a new avatar of the Hands-on Security in DevOps workshop, this time with focused content on Application Security Automation.

Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything: rapid code changes, rapid deployments and rapid delivery. In addition, you have embraced Agile development methodologies that stress iterative product development and flexibility in the face of changing requirements. There is one major problem in this entire chain, and that is Application Security.

While your product may be rapidly delivered to customers, Application Security remains a massive bottleneck in your continuous delivery pipeline. Application Security is critical because companies lose billions of dollars to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross-Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

This is why you need SecDevOps: a practical, repeatable and scalable way to deliver Application Security to your product across the Agile and DevOps lifecycle. In this workshop you will receive hands-on training on how to implement scalable and effective security for rapid-release applications.
The workshop will be a hardcore hands-on workshop covering the following, but not limited to:

  • Static Application Security Testing (SAST) integrated with Continuous Integration services
  • Rolling out custom SAST using Abstract Syntax Trees and regular expressions
  • A customized security automation scripting framework with Continuous Integration
  • Creating specialized application security testing scripts to be integrated with existing test suites
  • Performing automated, authenticated and parameterized vulnerability assessments against web apps and web services using tools like OWASP ZAP and w3af
  • Automation scripting for application security vulnerability scanners: OWASP ZAP custom scripts (Active Scan, HTTPSender and Proxy scripts), with an introduction to Zest scripts; mitmproxy inline scripting
  • An introduction to Behavior Driven Security Testing
  • Parameterized security testing for web services using the OpenAPI Specification
  • Security in configuration management and Continuous Deployment
  • Security practices and considerations for Docker deployments
  • Creating security configuration management "Infrastructure as Code" and validation scripts using Ansible
  • Practical threat modeling in an Agile and DevOps world
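To make the "custom SAST using Abstract Syntax Trees and regular expressions" item concrete, here is an added example (written for this page, not workshop material) of the smallest useful check of that kind in Python: an `ast.NodeVisitor` that flags `eval`/`exec` and shell-executing calls whose command argument is not built purely from literals, plus a line-oriented regex for hard-coded credentials. The rule names, the sink list, the secret pattern and the `SAMPLE` source it is run against are all constructed for illustration.

```python
"""Minimal custom SAST check: Python AST visitor for command/code-execution
sinks plus a regex pass for hard-coded secrets. Added example; the sink
list, rule names and SAMPLE program below are constructed, not from any
real scanner."""
import ast
import re
from dataclasses import dataclass

# Constructed pattern: <secret-ish name> = "<6+ chars>" on one line.
SECRET_ASSIGN = re.compile(
    r'(?i)\b(password|passwd|secret|api_key|token)\s*=\s*["\'][^"\']{6,}["\']'
)
# Sinks that hand a string to a shell (os.*) or can when shell=True (subprocess.*).
SHELL_SINKS = {"os.system", "os.popen", "subprocess.call", "subprocess.run",
               "subprocess.Popen", "subprocess.check_output"}
ALWAYS_SHELL = {"os.system", "os.popen"}
CODE_SINKS = {"eval", "exec"}


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def _qualname(node):
    """Dotted name of a call target (Name or Attribute chain), else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_constant(node):
    """True when the expression is built only from literals, so no
    attacker-controlled data can reach the sink through it."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.JoinedStr):  # f-string with no {} placeholders
        return all(isinstance(v, ast.Constant) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_constant(node.left) and _is_constant(node.right)
    return False


class SinkVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _qualname(node.func)
        first = node.args[0] if node.args else None
        if name in CODE_SINKS and first is not None and not _is_constant(first):
            self.findings.append(Finding("dynamic-code-exec", node.lineno,
                                         f"{name}() on non-constant argument"))
        elif name in SHELL_SINKS and first is not None:
            shell_kw = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                           and kw.value.value is True for kw in node.keywords)
            if (name in ALWAYS_SHELL or shell_kw) and not _is_constant(first):
                self.findings.append(Finding("shell-injection", node.lineno,
                                             f"{name}() via shell with non-constant command"))
        self.generic_visit(node)


def scan_source(source):
    """Run the AST rules and the regex rule over one Python file's text."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    findings = list(visitor.findings)
    for lineno, line in enumerate(source.splitlines(), 1):
        if SECRET_ASSIGN.search(line):
            findings.append(Finding("hardcoded-secret", lineno, line.strip()))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample program: lines 2, 4 and 10 should be flagged; 6 and 8 should not.
SAMPLE = '''\
import os, subprocess
API_KEY = "sk-live-0123456789abcdef"
def ping(host):
    os.system("ping -c 1 " + host)
def listing():
    subprocess.run("ls -l /tmp", shell=True)
def safe(host):
    subprocess.run(["ping", "-c", "1", host])
def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.line}: [{f.rule}] {f.detail}")
```

The check is intentionally intra-procedural: it asks only whether the sink's argument is a literal at the call site, so `cmd = "ls"; os.system(cmd)` is reported even though it is safe, and a tainted value that arrives through a variable is caught only because it is non-constant, not because its origin is known. That is the usual trade-off of AST-and-regex rules versus real dataflow analysis, and it is why such rules are best run as fast, noisy CI gates with a triage step rather than as the only SAST layer.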

Presenters:

  • Abhay Bhargav - Chief Technology Officer - we45
    Abhay Bhargav is the founder and CTO of we45, a focused Information Security Solutions company. He has extensive experience in information security and has performed security assessments for enterprises in domains such as banking, software development, retail, telecom and legal. He is the co-author of "Secure Java for Web Application Development" (CRC Press, New York) and the author of "PCI Compliance: A Definitive Guide", also published by CRC Press.
