Writing good code is a challenge. Writing code that works, is maintainable and is secure is very hard to achieve. This is why we need automation: to spot the issues we missed. Tools like unit tests, code coverage or security tests can help detect various issues and help us write better code. This talk will focus on security tests: what kinds of tests exist? What value do they have? And most important, what tools can we use to start running these tests today?
> The talk will contain a live (and hopefully interactive) demo of the tools, to show what issues they can detect. All the tools that I'll discuss are free OSS software that you can start using today.
10. Wrapping Up
@omerlh (slide image: http://www.viralgoal.com/wrap-adorable-cat-blanket-named-purritos/)
Test Type          Tool Name
Static Analysis    NodeJSScan
Dynamic Analysis   OWASP ZAP
Packages           npm audit / Snyk
https://wp.me/pakmvi-3g
11. Questions?
Especially when starting to work on a new platform, we don't always have time for security.
Security tools can help us with that.
Embedding security into the pipeline helps here: by running security tests, the pipeline can tell us when a known class of issue has shown up in our code.
This is why we need security in the pipeline.
I'm a builder; this is what I love doing, and I have been doing it from a really early age.
I've been doing it professionally for the last 8 years.
I'm from Israel, married, etc.
Who else is a builder? This talk is for you!
Today I'm working at Soluto; our mission is to help people with their technology.
My job is DevSecOps, or as I see it, helping the entire team build more secure software.
I achieve this via many approaches, including education, code review and threat modeling, but what I love the most is threat modeling.
A big part of my work is OWASP; I'm an enthusiast and familiar with many projects. I've contributed code to projects, mainly ZAP and Glue, and I'm a paid member and the project leader of Glue.
Glue is a tool that helps integrate security tools into the CI/CD pipeline. I won't have time to dive into the tool, but come talk with me later about it; I have stickers.
This is the question we started with.
It's a really wide question, and it's really hard to answer.
Let's use induction: take one specific use case, find the answer and try to generalize it.
I talked a lot about tools, but where is the pipeline part?
Due to the time limit, I focused more on which tests and tools you should be using.
The next step is pipeline integration, and all of these tools can be integrated into the pipeline.
These are the tools I showed during this talk; you can find all the information I discussed, and more, in this blog post. You can also play with the readme. All of these are generic and can be used with multiple languages and frameworks.
If you got value from this session, I'd highly appreciate your feedback, in person or via Twitter.
I talked a lot in this talk, and I showed you 5 different types of tests, and tools you can start using today. My part is over now, and now it's your turn. Think about one tool, just one, from all the tools I've discussed, and give it a try, using the repo or the blog post.