Abuse Case Testing in DevOps - Stephen Deck (Circle City Con 2018 Videos) (Hacking Illustrated Series InfoSec Tutorial Videos)

Abuse Case Testing in DevOps
Stephen Deck

@ranger_cha
Circle City Con 2018

DevOps software development presents a fundamental challenge to traditional software security practices. Multi-day static and dynamic analysis run by a small pool of security experts is not a tenable model when the business demands multiple software releases per day. Modern system administration and quality assurance roles have adapted by using automation to empower developers to elevate code safely and as often as possible. By operating within the DevOps culture and tooling, security experts can educate developers and instrument systems in much the same way as other stakeholders in the development process. Proper abuse case development, metrics, unit, and integration testing can minimize risk while still enabling the rapid software development that businesses demand. This presentation covers the process of creating and testing abuse cases to detect vulnerabilities in the OWASP Juice Shop application. Automated abuse case testing with the Mocha and Chai NodeJS libraries provides fast feedback so developers can fix bugs early in the software development lifecycle instead of waiting on traditional static analysis, dynamic analysis, and penetration testing.

Stephen Deck is an application security consultant with DirectDefense, where he assesses applications for security vulnerabilities and works to improve companies' software development security practices. Stephen has spent the last 8 years in the application security field, but has also worked as an incident responder, security engineer, software developer, and infantry officer. He holds several security certifications, including the GSE, OSCE, and CISSP.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast