AppSec Automation: Pipelines, APIs and Getting Things Done Faster
Note: This is a two day, hands-on course
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, using Serverless functions (Lambda), ChatOps integration (Slack), automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs using local and cloud infrastructure. The techniques in this training have been used at real-world companies at scale and shown a 5x increase year over year, and a 9.4x increase over two years, of the throughput of the AppSec teams implementing them.
The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline specifically geared towards Cloud and Serverless automation. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.
Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages and OWASP projects will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline. Additionally, those conducting penetration tests or running a team of testers could also gain valuable insight into how to speed up their work and remove some of the drudgery from pen testing.
What Should Students Bring?
A 64 bit laptop capable of running Docker. Custom Dockers will be provided to the students which contains all the necessary software for the labs.
Broadly experienced information security professional specializing in web application security. I utilize a combination of dynamic, manual and static analysis when testing web applications. Other specializations include penetration testing, vulnerability assessments and wireless security assessments. Heavily involved in Rugged DevOps and security automation.
CISSP (Certificate # 67636)
CEH (Certified Ethical Hacker)
RHCE (Red Hat Linux Certified Engineer # 803005588313799)
Specialties: Application Security,