Adding SAST to CI/CD, Without Losing Any Friends

Presented at BSidesLV 2023, Aug. 8, 2023, 3 p.m. (Unknown duration)

Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this learning lab we will discuss multiple options for adding static application security testing (SAST) to your CI/CD, in ways that won't compromise speed or results, such as learning which results can be safely ignored, writing your own rules, company-specific checks, scanning PRs instead of commits, splitting blocking scans versus deep audit scans, etc. We will also cover ways to continuously find vulnerabilities.

Presenters:

• Enno Liu
  Enno (they/she) is a security researcher at Semgrep, specializing in static analysis. Driven by a passion for data safety and user privacy, they are interested in tools that prevent insecure code semantics while empowering the user through safer and more productive alternatives. They did research in malware analysis and obfuscation during college, and they currently create educational videos about static analysis. Enno also loves their cat Aria, listening to shoegaze music, going to raves, and cooking Chinese food.
• Colleen Dai
• Tanya Janca
  Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community, podcast, and training company that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-five years, won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things'. She is an award-winning public speaker, active blogger & podcaster and has delivered hundreds of talks on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives. Advisor: Nord VPN, Aiya Corp Faculty: IANs Research Founder: We Hack Purple, OWASP DevSlop, #CyberMentoringMonday, WoSEC

Links:

• https://www.bsideslv.org/talks#HP9G7Y

Similar Presentations:

• Black Hat USA 2022 / RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise
• ShellCon 2019 / Rolling Your Own: How to Write Custom, Lightweight Static Analysis Tools
• DEF CON 30 (2022) / CICD security: A new eldorado Workshop