Practical Dynamic Application Security Testing within an Enterprise

Presented at AppSec USA 2017, Sept. 22, 2017, 3:30 p.m. (45 minutes)

The incorporation of DevOps within a large enterprise is generally accomplished through strategic planning at the organizational level. Having a common pipeline for Continuous Integration (CI) and Continuous Deployment (CD) can enhance the security posture of an application and enable organizations to rapidly release applications into production. However, the insertion of application security into the pipeline is only one step of a multidimensional application security approach.

In this presentation, we will describe our implementation of two complementary methods, which have allowed us to provide the scalability and coverage required to meet the needs of a large enterprise. The first method utilizes a tool written in Java to allow for easy integration with your build. We will demonstrate how to deploy and use a dynamic scanner within a Continuous Integration (CI) and Continuous Deployment (CD) pipeline. The second method leverages the data collected from analytic tools such as Splunk, LogStash, Tealeaf and SiteCatalyst. Through the utilization of containers, we will demonstrate how a RESTful API service can be implemented to perform a quick analysis of applications to ensure basic security requirements are met on a large scale. An example will be presented utilizing a RESTful API service to enhance our continuous scanning platform with multiple scanning technologies.

Implementing these solutions has transformed the way we assess our applications. Using the first method, we were able to provide a dynamic scanning solution to all of our applications that support automated regression testing. Our second method has enabled us to effortlessly scan over 2000 URLs in less than 2 hours to provide a quick look at the security of all of our exposed URLs. It is essential to put security at the forefront of the organizational structure and to ensure that dynamic analysis is part of all build cycles.

Presenters:

  • Nicholas Kenney - Application Security Engineer - Verizon
    Nicholas Kenney is an application security engineer at Verizon. He received his B.Sc. degree in Computer Science from East Stroudsburg University in 2012 and has worked in IT for 7 years. Nick started out working as a freelance web developer while in college, until being hired by Verizon in 2013 as a PHP developer. In 2016, he made the switch over to application security. Currently, he spends his time penetration testing and automating security in a continuous integration environment.
  • Nicholas Doell - Senior Application Security Engineer - Verizon
    Nicholas Doell is a senior application security engineer at Verizon. He received his M.Sc. degree in System Security Engineering from Stevens Institute of Technology in 2012 and has nine years of experience working in multiple security fields. He has a passion for web and mobile security, automation and finding bugs. In his current role, Nicholas's work ranges from executing penetration tests to providing developer training and automating security within a continuous integration and deployment (CI/CD) environment.