AppSec USA 2016 has ended
Wednesday, October 12 • 9:00am - 5:00pm
Training Session - Creating and Automating your own AppSec Pipeline Day 2 (2 Day)


Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the scarcest resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidating and de-duplicating security issues, automating submission of issues to defect trackers, and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed to add automation to an AppSec program, so that students have seen the concepts in action before returning to work and applying them to their particular situation.

This will be a hands-on class and attendees are expected to have:
  • A laptop capable of running VirtualBox and a VM with at least 2048 MB RAM for the VM - 4096 is even better
  • VMs will be provided on a USB drive formatted as an NTFS volume
  • VMs will be in .ova (Open Virtualization Format) which is generally 'importable' in more than just VirtualBox if you happen to already have virtualization software installed
I'll have printed handouts and digital versions on the USB drive as well.
Note for those bringing a Mac laptop to the training: Macs haven't consistently supported reading from NTFS formatted disks. There's usually one or two students who cannot read the USB drives I hand out to the class with Macs. I usually recommend they use the 15 day trial of Tuxera to get past the problem for the training - http://www.tuxera.com/products/tuxera-ntfs-for-mac/. Other alternatives are outlined in this article: http://www.howtogeek.com/236055/how-to-write-to-ntfs-drives-on-a-mac/

Speakers
Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 15