Overview
Explore a 40-minute conference talk from LASCON 2015 on integrating security practices with Continuous Integration and Continuous Deployment (CI/CD) processes. Learn how Samsung's OpenCloud team developed a ThreadFix-centric application security architecture to automate security testing. Discover why traditional AppSec approaches need updating, how security testing differs from QA testing, and the considerations that go into building a security automation framework. Gain insight into ThreadFix's role beyond that of a security dashboard, and understand the core components of an effective security implementation. Additionally, find out how to reuse QA regression tests to extend AppSec testing coverage. The talk covers threat modeling, implementation challenges, creating accounts and applications, configuring scans, using tools such as the OWASP ZAP proxy, and managing defects and issues in the CI/CD pipeline.
Syllabus
Intro
Threat Modeling
Big Bang
Challenges
Solution
Introduction
Create Account
Create Payment Application
Visit Application
Set Defect Tracker
Install ZAP
Configure scans for web applications
Scan jobs
Bscan
QA regression
Payment regression
ZAP proxy
Configure QA regression
Create XML file
Tools
Create a Defect
File Issues
Ticket Updates
Scanners
Security Transformation
Taught by
LASCON