Building your first AppSec pipeline with all bells and whistles

Abstract of the workshop:

In this workshop we will learn and get a good understanding how to set up security test automation into your CI/CD pipelines.

Most customers in need for security test automation all utilise different CI tools that fit their needs. Getting your security tools in these CI environments makes you fully dependent on the plugins the CI environment provides. Now, imagine a world where we could configure our security tools once and use this as a blueprint over all the CI tools?

Docker helps security engineers to weaponise the customers CI/CD pipe-lines in a heartbeat with hard to configure security tools. Delivering the entire security test automation and vulnerability management solution a scripted manner that roles out in the blink of an eye!

After we have the basic set-up configured correctly we can start collecting the right tooling to get the job done. There are a lot of things we should take into consideration if we want to cover the entire attack surface. How to secure the application host, containers, manage secrets, and implement static/dynamic analysis tools. Even more importantly, how to ultimately manage all the vulnerabilities in an effective way where we can do delta reporting and false positive suppression to make everything more maintainable?

Trough pain and lessons learned we want to share our experiences in the form of a workshop to give handles and guides to get security automation started in your company!

Why:This workshop aims at helping developers to improve their security skill: when you go devops style, you need to onboard security as well. However, you don’t want to have huge manual quality gates: instead you need to automate! This workshop will help developers understanding the basics and various levels of security checks involved in an AppSec pipeline

About the Trainers

Trainer 1: Glenn ten Cate as a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. One of the founders of defensive development [defdev] a security trainings series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

Trainer 2: Riccardo ten Cate as a penetration tester from the Netherlands Riccardo specialises in application security and has extensive knowledge in securing applications in multiple coding languages. Riccardo has many years of experience in training and guiding development teams becoming more mature and making their applications secure by design. Not only does Riccardo train developers, he and his brother Glenn also donated an entire knowledge framework solely dedicated to help developers make their code secure by design to OWASP. See: SKF (Security knowledge framework) .

Riccardo also has expertise on implementing security test automation in CI/CD pipelines. This helps create short feedback loops back to the developer and prevents bugs from getting into production into an early phase of the development lifecycle.

*Note: Registration details will be shared with Trainers and Sponsors

The registration is closed. However, all the events and workshops are on first come first serve basis. Please reach the venue early to grab your spot.