Building a Security Test Automation Framework

OWASP Foundation via YouTube

Overview

Discover best practices for building a robust security test automation framework in this 53-minute OWASP Foundation talk by Riccardo Ten Cate. Learn how to implement an agnostic and scalable solution using Docker and Kubernetes, effectively manage findings with Defect Dojo for vulnerability management, and prevent key sprawl using a Keyvault for secure secret management. Explore techniques for integrating security tooling into various CI/CD platforms and pipelines, including Jenkins, VSTS, and Travis. Gain insights into overcoming common pitfalls in implementing security automation, containerizing security tools, and leveraging Kubernetes for deployment. Address challenges such as managing false positives, implementing delta reporting, and securing API keys and application secrets. Benefit from Ten Cate's expertise as a penetration tester specializing in web application security and his experience as a project leader of the OWASP Security Knowledge Framework.

Syllabus

Intro
Issues with security automation
Benefits of security automation
Task Scheduler
Security Tools
OS Benchmark
Flaws
Logic Flaws
Defect Dojo
Vulnerability Management Tool
Gift
Containerization
Passwords
API Keys
Application Secrets
Fault
Fun Fact
Fuck It
Fear Is Lost
Call Your Questions
Zoom In
What I did here
Deployment
API
Demo
Pipeline
Defect
Scanning
Dependency Check
Security Cherry
Security Application

Taught by

OWASP Foundation
