Overview
Explore methods for calculating and tracking web application attack surface evolution in this 27-minute conference talk from AppSec EU 2017. Dive into techniques for integrating security testing into CI/CD pipelines, focusing on metrics and thresholds for DevOps practices. Learn about manual testing, hybrid analysis mapping, and dynamic application security testing. Discover how to use command-line client scans, analyze changes over time and between commits, detect new attack surface, and identify potential vulnerabilities in GitHub repositories. Gain valuable insights on optimizing security testing activities and effectively monitoring your application's attack surface to enhance overall security posture.
Syllabus
Intro
Agenda
Background
OAuth Zap
Example Code Base
Attack Surface and DevOps
Manual Testing
Hybrid Analysis Mapping
Dynamic Application Security Testing
Commandline Client
Scans
Looking over time
Looking between commits
Viewing files impacted by commits
Detecting new attack surface
GitHub repository
Identifying the attack surface
Taught by
OWASP Foundation