A common refrain in the application security profession these days is to meet developers where they work by embedding security tools into the SDLC. But just how much effort does it take to do this? How confident can you be in recommending a course of action you have not tried? This talk details the path the speaker took in implementing and exercising free and open-source security tools, and will include a basic how-to as well as lessons learned so you can do the same (and yes, that means actual documentation). It will include what is sure to be an entertaining live demo.
Nathan Larson has led static analysis teams at two major financial institutions, pen-tested internet-connected industrial devices, performed code review in aerospace, and taught security and programming at the university and grad school levels. He has an MS in software engineering, a BS in computer science, and has held a few security certifications -- all of which show a proficiency in reading textbooks and passing exams. He wrote insecure code in several industries for two decades before catching the AppSec bug, from which he hasn't recovered in 10+ years.
He works as an AppSec architect at a consulting shop called Concord in the Twin Cities (MN, USA), and leads the local OWASP chapter, which you can find by typing "OWASP-MSP" in your favorite search engine (we're always looking for speakers, hint hint). He enjoys astronomy, cribbage, raising chickens, and finding silly mistakes in production code.
Disclaimer: This talk does not necessarily represent the policies or processes of past, present, or future employers. I am not speaking on behalf of any company during this presentation. I use product names as examples, and do not intend them as endorsements -- except those of OWASP projects, which are awesome and should be checked out by everyone in technology.
- System setup
- Jenkins setup & demo
- SCA tool scanning setup & demo
- SAST tool scanning setup & demo
- The CI pipeline as code
- Development teams have many priorities; we don’t want to waste their time
- Meet devs where they work, and shift left in the process
- Add the value of direct experience to your recommendations
- Interrupt with questions!
- There are no silver bullets