Adding Security Testing to CI/CD, Without Losing Any Friends
Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. After consulting with hundreds of companies, giving advice on AppSec programs and tooling implementation, there a few “right” ways and several “wrong” ways to use security testing tools, both in a pipeline and out. In this talk we will discuss multiple options for adding dynamic application security testing (DAST) to your CI/CD, in ways that won’t compromise speed or results. Some of the options we will cover include: limiting scope, using HAR files, using technology-based testing subsets, and only testing for certain types of bugs. We will dive deep into what DAST is and exactly how it works, interacting with your applications and APIs in real time, to find real bugs. We will also cover several other options for the automation of finding vulnerabilities in your web apps and APIs, all at the speed of DevOps.
Tanya Janca, also known as SheHacksPurple, is the best-selling author of Alice and Bob Learn Application Security. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.