LASCON 2018 has ended
Tuesday, October 23 • 9:00am - 5:00pm
Two-Day Training: AppSec Automation: DevSecOps, Pipelines, APIs and Getting Things Done Faster w/Matt Tesauro (Day 1) LIMITED

Note: This is a two day, hands-on course

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource, so the best way to optimize the security team is automation. This training provides an overview of key application security automation principles and hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, students will cover the crucial aspects of where and when to add automation to their application security practices, and gain experience with integrating APIs, setting up continuous testing, integrating ChatOps (Slack), automating security scanning with Docker, consolidating and de-duplicating security issues, automating submission of issues to defect trackers, and generating reports and metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs using local and cloud infrastructure.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline specifically geared towards continuous testing. After discussing each fundamental part of the pipeline, the student is given a lab to construct that portion of their own AppSec Pipeline. While these are somewhat scripted labs, they provide working examples of all the key concepts needed to add automation to an AppSec program, so that the student has seen the concepts in action before returning to work and applying them to their particular situation. The class utilizes OWASP’s AppSec Pipeline and Defect Dojo projects, allowing students to take the lessons and tools from this class with them to solve security automation challenges.

Course Outline
Introduction
* Application Security Programs
* AppSec – Current State of Affairs
* AppSec Pipelines – Why?
* Lab #1 – Getting to know the Lab Dockers
Docker Overview
* Docker Fundamentals
* Dockerfiles, volumes, layers and more
* Being productive with Docker
DevOps and AppSec (Quick Overview)
* The Three Ways of DevOps
* The First Way
* The Second Way
* The Third Way
Setting up your AppSec Pipelines
* Intake
* Lab #2 - Defect Dojo’s take on Intake
* Orchestration
* Engagements
* Lab #3 - Defect Dojo’s take on Engagements
* Tools
* Data Management
* Lab #4 - Dojo to Manage Data
* Output of the AppSec Pipelines
* Lab #5 – Getting Results to Dev teams
Continuous Testing with OWASP AppSec Pipeline
* AppSec Pipeline Overview
* Adding Security Tests to the AppSec Pipeline
* Optimizing tool profiles in the AppSec Pipeline
* Adding Infrastructure testing to the AppSec Pipeline
* Taking things full circle: Find, Report, Remediation and Re-Test
* Lab #6 – Demo/Lab of the AppSec Pipeline running security tests
Conclusion

Required Materials
What Should Students Bring? A 64-bit laptop capable of running Docker. Custom Docker images will be provided to the students which contain all the necessary software for the labs.

Speakers
Matt Tesauro

Security Engineer, Citizen of the World
Matt Tesauro is currently rolling out AppSec automation at a major financial institution and is a founder of 10Security. Prior work included the Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer building an AppSec Pipeline and continuous security...

Tuesday October 23, 2018 9:00am - 5:00pm CDT
Magnolia A Room