Adding Security Testing to CI/CD, Without Losing Any Friends
Everyone wants security tests in the release pipeline, but no one wants to wait hours for them to finish. After consulting with hundreds of companies on AppSec programs and tooling implementation, we have seen a few “right” ways and several “wrong” ways to use security testing tools, both inside a pipeline and outside of it. In this talk we will discuss multiple options for adding dynamic application security testing (DAST) to your CI/CD in ways that compromise neither speed nor results. Options we will cover include limiting the scan scope, using HAR files (recorded browser traffic) to drive the scan, running technology-specific subsets of tests, and testing only for certain classes of bugs. We will dive into what DAST is and exactly how it works, interacting with your running applications and APIs in real time to find real bugs. We will also cover several other options for automating vulnerability discovery in your web apps and APIs, all at the speed of DevOps.
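As a concrete illustration of two of those options together, scope limiting and HAR-driven scanning, the script below turns a HAR capture into a de-duplicated target list that a DAST job could consume, keeping only the application's own host, dropping static assets and destructive methods, collapsing per-record URLs into one endpoint template, and attaching only the bug classes that make sense for each endpoint. This is an added example and not code from the talk or from any particular scanner; the HAR content is constructed, and the host names, the output format and the check names (`reflected-xss`, `sqli`, `csrf`, `security-headers`) are assumptions that you would map onto whatever your scanner actually accepts.

```python
"""Turn a HAR capture into an in-scope, de-duplicated target list for a DAST scan.

Added illustration; not from the talk or any specific DAST product. The HAR
below is constructed, and the hosts, output fields and check names are assumed.
"""
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed HAR 1.2 excerpt, trimmed to the fields this script reads.
SAMPLE_HAR = json.loads("""
{"log": {"version": "1.2", "entries": [
  {"request": {"method": "GET",    "url": "https://app.example.test/login", "queryString": []}},
  {"request": {"method": "POST",   "url": "https://app.example.test/login", "queryString": [],
               "postData": {"mimeType": "application/x-www-form-urlencoded", "text": "user=a&pass=b"}}},
  {"request": {"method": "GET",    "url": "https://app.example.test/static/app.js", "queryString": []}},
  {"request": {"method": "GET",    "url": "https://app.example.test/orders/123?sort=date",
               "queryString": [{"name": "sort", "value": "date"}]}},
  {"request": {"method": "GET",    "url": "https://app.example.test/orders/456?sort=total",
               "queryString": [{"name": "sort", "value": "total"}]}},
  {"request": {"method": "GET",    "url": "https://cdn.example.test/fonts/x.woff2", "queryString": []}},
  {"request": {"method": "GET",    "url": "https://analytics.example.test/collect?v=1",
               "queryString": [{"name": "v", "value": "1"}]}},
  {"request": {"method": "DELETE", "url": "https://app.example.test/orders/123", "queryString": []}}
]}}
""")

STATIC_EXT = {"js", "css", "png", "jpg", "gif", "svg", "woff", "woff2", "ico", "map"}
# Numeric and UUID path segments collapse into "{id}" so the scanner hits each
# endpoint once rather than once per record seen in the capture.
_ID_SEG = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.I)


def template_path(path):
    return "/".join("{id}" if _ID_SEG.match(seg) else seg for seg in path.split("/"))


def select_checks(method, query_params, body_params):
    """Pick only the bug classes relevant to this endpoint (assumed check names)."""
    checks = ["security-headers"]
    if query_params or body_params:
        checks += ["reflected-xss", "sqli"]       # injection needs an input to inject into
    if method == "POST" and body_params:
        checks.append("csrf")                       # state-changing form posts
    return checks


def extract_targets(har, allowed_hosts, unsafe_methods=("DELETE", "PUT", "PATCH"), skip_static=True):
    """Return one target per (method, templated path) on the allowed hosts."""
    seen = set()
    targets = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.hostname not in allowed_hosts:
            continue                                # third-party hosts are out of scope
        last = parts.path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
        if skip_static and ext in STATIC_EXT:
            continue                                # static assets: nothing dynamic to test
        method = req["method"].upper()
        if method in unsafe_methods:
            continue                                # destructive calls need explicit opt-in
        path = template_path(parts.path)
        key = (method, path)
        if key in seen:
            continue
        seen.add(key)
        query_params = sorted(q["name"] for q in req.get("queryString", []))
        post = req.get("postData", {})
        body_params = []
        if post.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
            body_params = sorted(parse_qs(post.get("text", "")).keys())
        targets.append({
            "method": method,
            "url": f"{parts.scheme}://{parts.netloc}{path}",
            "query_params": query_params,
            "body_params": body_params,
            "checks": select_checks(method, query_params, body_params),
        })
    return targets


if __name__ == "__main__":
    print(json.dumps(extract_targets(SAMPLE_HAR, {"app.example.test"}), indent=2))
```

Run against the constructed capture, the eight recorded requests reduce to three targets: `GET /login`, `POST /login` and `GET /orders/{id}`, each with only the checks its inputs justify. Feeding a list like this to the scanner, instead of letting it crawl, is what keeps a CI-stage DAST run to minutes; the `unsafe_methods` default is deliberately conservative, because a scanner replaying `DELETE` calls against a shared test environment is how you do lose friends.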