Automating & Making Security Testing ... SECsy !!!
When was the last time you, as a developer, wanted to open a port on a server and stopped to think about the ramifications?
When was the last time you set up a new file transfer and said, "Hmm, I had better write security-test acceptance criteria for my stories/tasks first"?
We as developers have inherited a huge responsibility, and it cannot be summarised better than by the Rugged Manifesto at https://ruggedsoftware.org
It says: "I am rugged because I refuse to be a source of vulnerability or weakness." As developers we not only need to follow clean code and emergent design, we also need to ensure that our code serves the most latent needs: being rugged against attacks and unintended use, and staying robust as times change.
For many of us the Security Tester is a mythical creature who might turn up at dusk and at dawn send us a PDF report. For some of us who work in Scaled Agile Framework (SAFe) she/he might be loaned to us from the Shared Services.
Let's face it, there aren't enough Security Analysts out there for every Agile team on the face of the earth.
Udacity estimates that we will need 1.8 million cyber-security experts by 2022! https://in.udacity.com/course/cybersecurity-nanodegree--nd1337
There is an urgent need to free up our security experts and to shift basic security tests left through automation. We also need to integrate security testing into our CI/CD pipeline so that problems are detected and fixed early.
Ultimately, for our users, business sponsors, shareholders and, last but not least, for the pride we take in our work, it doesn't matter where the weak link is: it hurts us all.
"I am rugged, not because it is easy, but because it is necessary and I am up for the challenge."
Outline/Structure of the Demonstration
- Why Automate Security Tests
- The Rugged Manifesto
- The Cultural Shift for Shift Left Security
- Demo of a few tools (like Arachni, Gauntlt etc.)
- First Steps towards Automating Security tests
Learning Outcomes
- Learn what cultural changes you need to Shift Left Security
- Focus on security right from the onset
- Automate your security tests
- Learn which tools will suit your needs
Target Audience
Developers, Security Testers/Analysts
Prerequisites for Attendees
- Some familiarity with Docker, Git & command line
- Continuous Integration & Continuous Delivery
- OWASP Top 10