Practical Dynamic Application Security Testing within an Enterprise - AppSecUSA 2017


[BAD SOUND FOR ONE SPEAKER - SORRY!]

Practical Dynamic Application Security Testing within an Enterprise

Adopting DevOps within a large enterprise is generally accomplished through strategic planning at the organizational level. A common pipeline for Continuous Integration (CI) and Continuous Deployment (CD) can improve the security posture of an application and enable organizations to release applications into production rapidly. However, inserting application security into the pipeline is only one step of a multidimensional application security approach.

In this presentation, we describe our implementation of two complementary methods that have given us the scalability and coverage required to meet the needs of a large enterprise. The first method uses a tool written in Java that integrates easily with an existing build. We demonstrate how to deploy and use a dynamic scanner within a CI/CD pipeline. The second method leverages data already collected by analytic tools such as Splunk, LogStash, Tealeaf and SiteCatalyst. Using containers, we show how a RESTful API service can be implemented to perform a quick analysis of applications and verify that basic security requirements are met at scale. An example is presented in which the RESTful API service extends our continuous scanning platform with multiple scanning technologies.

Implementing these solutions has transformed the way we assess our applications. With the first method we were able to offer a dynamic scanning solution to every application that supports automated regression testing. The second method has enabled us to scan more than 2,000 URLs in under 2 hours, giving a quick look at the security of all of our exposed URLs. It is essential to put security at the forefront of the organizational structure and to ensure that dynamic analysis is part of every build cycle.
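The second method described above, a quick-look scan of a large list of exposed URLs, reduces to three pieces: fetch each URL concurrently, evaluate the response against a small set of baseline requirements, and report per-URL findings so that a REST front end can hand back a verdict. The block below is an added example written for this page; it is not the speakers' tooling and the talk does not list which requirements it checks. The header checks (HSTS, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, server-banner disclosure, plain-HTTP exposure) are assumed as a plausible baseline, the `fetch` function uses only the standard library, and the sample responses are constructed inline so the example runs offline.

```python
"""Quick-look baseline check over a list of URLs (added example, not from the talk).

The baseline below is an assumption for this example; substitute the
requirements your own programme defines.
"""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Tuple
from urllib.request import Request, urlopen

Headers = Dict[str, str]
FetchResult = Tuple[int, Headers]


def hsts_ok(value: str) -> bool:
    """Accept HSTS only when a positive max-age directive is present."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age":
            return num.strip().isdigit() and int(num) > 0
    return False


# Assumed baseline: header name -> predicate on its value.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: bool(v.strip()),
}
# Headers whose presence leaks implementation detail (assumed check).
DISCLOSURE_HEADERS = ("server", "x-powered-by")


def assess(url: str, status: int, headers: Headers) -> dict:
    """Evaluate one response against the baseline; pure, so it is easy to test."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, ok in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing {name}")
        elif not ok(lowered[name]):
            findings.append(f"weak {name}: {lowered[name]}")
    for name in DISCLOSURE_HEADERS:
        if name in lowered:
            findings.append(f"discloses {name}: {lowered[name]}")
    if url.lower().startswith("http://"):
        findings.append("served over plain HTTP")
    return {"url": url, "status": status, "findings": findings, "pass": not findings}


def fetch(url: str, timeout: float = 10.0) -> FetchResult:
    """HEAD request with the standard library; redirects are followed by urlopen."""
    req = Request(url, method="HEAD", headers={"User-Agent": "quicklook-example/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, dict(resp.headers.items())


def scan(urls: List[str], fetcher: Callable[[str], FetchResult] = fetch,
         workers: int = 32) -> List[dict]:
    """Fan out over a thread pool; a fetch failure is reported, not raised."""
    def one(url: str) -> dict:
        try:
            status, headers = fetcher(url)
        except Exception as exc:  # network errors, 4xx/5xx, unknown hosts
            return {"url": url, "status": None,
                    "findings": [f"fetch error: {exc}"], "pass": False}
        return assess(url, status, headers)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(one, urls))  # map preserves input order


# Constructed sample responses so the example runs without network access.
SAMPLE_RESPONSES: Dict[str, FetchResult] = {
    "https://good.example": (200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'",
    }),
    "https://weak.example": (200, {
        "Strict-Transport-Security": "max-age=0",
        "X-Frame-Options": "ALLOWALL",
        "Server": "Apache/2.4.29",
    }),
    "http://plain.example": (301, {}),
}


def sample_fetch(url: str) -> FetchResult:
    """Stand-in for fetch() that serves the constructed responses."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    for result in scan(list(SAMPLE_RESPONSES), fetcher=sample_fetch):
        verdict = "PASS" if result["pass"] else "FAIL"
        print(f"{verdict} {result['url']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

Keeping `assess` pure and injecting the fetcher is what makes this usable behind a REST service: the service only needs to accept a URL list, call `scan`, and serialize the returned dictionaries. At the scale the talk describes (thousands of URLs), a HEAD request and header inspection per target is what keeps the wall-clock time in the range of hours rather than days; a full crawler-driven scanner belongs in the per-application CI method instead.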


Speakers

Nicholas Doell
Senior Application Security Engineer, Verizon
Nicholas Doell is a senior application security engineer at Verizon. He received his M.Sc. degree in System Security Engineering from Stevens Institute of Technology in 2012 and has nine years of experience working in multiple security fields.


Nicholas Kenney
Application Security Engineer, Verizon
Nicholas Kenney is an application security engineer at Verizon. He received his B.Sc. degree in Computer Science from East Stroudsburg University in 2012 and has worked in IT for 7 years.



Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...
