Testing for Security: The oft-forgotten aspect of DevOps

Agile development and DevOps churn through testing at a rate that is impossible for a human to keep up with. Security tools are often designed to have someone at the helm, targeting the systems and applications by hand or performing time-intensive penetration tests.

What if there were a way to layer in security as applications are being developed? It is unreasonable to believe that automation can completely replace a knowledgeable security tester, but much of the groundwork and preliminary analysis can be incorporated into the software lifecycle.

If nothing else, these tools and methods will help teams avoid completing an application only to discover security findings that cannot be resolved before release.


Outline/Structure of the Talk

  1. Introduction
  2. Outline of SDLC Phases
    1. Requirements Analysis
    2. Design
    3. Implementation
    4. Testing
    5. Evaluation
  3. Injecting Security into the Phases
    1. Design
      1. Source Code Analysis – Yasca/Fortify
    2. Implementation/Testing
      1. Vulnerability Web App Testing – OWASP ZAP
      2. Vulnerability Environment Testing – OpenVAS
  4. Combining Security together with Jenkins
  5. Demo of the DevOps Process
    1. Code change kicks off subsequent Security Analysis
    2. Overview and how to interpret results
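One concrete form of the pipeline gate the outline describes (Jenkins runs a scan after each code change, then the results are interpreted to pass or fail the build), as an added example and not the talk's own code: a script a Jenkins build step can call on an OWASP ZAP JSON report. The report shape and riskcode meanings are an assumption about ZAP's format, the application URL is a placeholder, and the script name `zap_gate.py` is hypothetical.

```python
"""CI security gate: read an OWASP ZAP JSON report and fail the build when any
finding is rated above the risk level the team agreed to tolerate. Added example,
not the talk's code; the sample report is constructed in the shape of ZAP's JSON
report (an assumption about the format; riskcode 0=Info, 1=Low, 2=Medium, 3=High)."""
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report for a hypothetical app; URLs are placeholders.
SAMPLE_ZAP_REPORT = json.dumps({"site": [{
    "@name": "http://app.example.test",
    "alerts": [
        {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
         "confidence": "2", "instances": [{"uri": "http://app.example.test/search"}]},
        {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "confidence": "2", "instances": [{"uri": "http://app.example.test/"}]},
        {"alert": "Cookie Without Secure Flag", "riskcode": "1",
         "confidence": "2", "instances": [{"uri": "http://app.example.test/login"}]},
    ]}]})

def iter_alerts(report_json):
    """Yield every alert from every scanned site with an integer risk attached."""
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            yield {**alert, "risk": int(alert.get("riskcode", 0)), "site": site.get("@name")}

def summarize(report_json):
    """Count alerts per risk name, e.g. {'High': 1, 'Low': 2}, for the build summary."""
    counts = {}
    for alert in iter_alerts(report_json):
        name = RISK_NAMES.get(alert["risk"], "Unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts

def gate(report_json, max_allowed_risk=1):
    """Return (passed, failing_alerts). The build passes only when no alert is rated
    above max_allowed_risk; failures are sorted highest risk first for the console log."""
    failing = [a for a in iter_alerts(report_json) if a["risk"] > max_allowed_risk]
    failing.sort(key=lambda a: a["risk"], reverse=True)
    return (not failing), failing

if __name__ == "__main__":
    # A Jenkins build step would run: python zap_gate.py zap-report.json
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZAP_REPORT
    passed, failing = gate(report)
    print("ZAP findings by risk:", summarize(report))
    for a in failing:
        print(f"FAIL {RISK_NAMES[a['risk']]}: {a['alert']} ({len(a['instances'])} instance(s))")
    sys.exit(0 if passed else 1)  # non-zero exit marks the Jenkins build as failed
```

Because the gate runs on every code change, a High finding surfaces in the same sprint that introduced it rather than in a pre-release penetration test.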

Learning Outcome

Participants will learn how to design maintainable security efforts through the use of automated security tools.

These methods will not solve or complete all of the security testing that is required, but they will significantly reduce the time needed by security analysts and identify problems earlier in the development process.

Target Audience

DevOps and Security

Submitted 5 years ago

  • Tommie Adams - The Zombie Retrospective

    45 Mins

    So they say the retrospective is one of the strongest and most powerful tools in the agile scrum methodology tool kit, and is often overlooked or skipped. So how does a scrum master find ways to creatively explain and express the importance of this agile scrum ceremony, or even the basics of agile scrum in general? How does the scrum master explain the importance of banding together as a team in this brave new agile scrum world? In many organizations, nowadays, the teams are even made up of outside vendors as well as in-house associates. So how do you even start to pique the interest and the importance of team collaboration to a bunch of folks who are strangers to one another on an agile scrum team? Even more specifically, how do you explain how the retrospective ceremony will help improve the way they work with one another over time?

    My answer: ZOMBIES!!!  Everyone loves zombies, right?  So come, take a bite!

    Tommie works for Marriott International in Bethesda, MD. His background is in theater and communication, which he studied at Grinnell College in Iowa. He has worked for Marriott International for 26 years, with jobs ranging from reservation sales associate, to group sales manager, to functional IT tester, to his current position as scrum master for the Marriott Rewards Agile Scrum Team. A native of Omaha, Nebraska, his hobbies include photography, cello and learning the ukulele (you know, in case you were curious).

  • Thomas Stiehm (Coveros, Inc.) - How to add Application Security to your Agile Practices

    45 Mins

    The Internet is full of insecure applications that cost organizations time and money, while damaging their reputations when their systems are compromised. We need to build secure applications as never before. At the same time, Agile Software Development practices are moving into the mainstream because they offer companies a faster path to getting their software into the hands of their customers. While security and agility may appear to be natural opposites that don't mix well, they don't need to be. Learn how to integrate application security practices into your Agile practices in a way that doesn't compromise either. Join Tom to explore real-world examples of secure application development practices integrated into the regular cycle of iterative development used in Agile projects. Learn to marry Agile development with application security practices in a way that best leverages the strengths of both.

  • Max Saperstone - Test Automation Strategies and Frameworks: What Should Your Team Do?

    45 Mins

    Agile practices have done a magnificent job of speeding up the software development process. Unfortunately, simply applying agile practices to testing isn't enough to keep testers at the same pace. Test automation is necessary to support agile delivery. Max Saperstone explores popular test automation frameworks and shares the benefits of applying these frameworks, their implementation strategies, and best usage practices. Focusing on the pros and cons of each framework, Max discusses data-driven, keyword-driven, and action-driven approaches. Find out which framework and automation strategy are most beneficial for specific situations. Although this presentation is tool agnostic, Max demonstrates automation with examples from current tooling options. If you are new to test automation or trying to optimize your current automation strategy, this session is for you.


  • Max Saperstone - Testing with a Rooted Mobile Device

    45 Mins

    Traditional applications are tested through the GUI and through all exposed APIs. However, typical mobile app testing is only done through the front-end GUI. In addition, performance and security details are not readily available from the mobile device. Max Saperstone demonstrates some benefits of testing a native mobile application on a rooted device—one with privileged access control. Although Max does not describe how to root a device, he shares how to access back-end processes and test at this detailed level. He discusses the technical controls made available through a rooted device—together with its auditing, logging, and monitoring—and describes the gathering of additional metrics. Max demonstrates tools for penetration testing, sniffing, and network hacking; shares how to access application data directly; and shows how data security is implemented for the application. Learn how to use the admin rights associated with a rooted device to examine device performance and to simulate interrupts and system faults.