
Jumpstarting Your DevSecOps Pipeline with IAST and RASP

Jeff Williams at AppSec EU 2018

DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools. We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning. Then we'll set up RASP (Runtime Application Self-Protection) to gain comprehensive visibility of attacks in operations and prevent exploits. And we'll integrate all of this security vulnerability and attack telemetry into the tools your teams are already using.

* We will enable developers with real-time security feedback right in their IDE
* We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities
* We'll integrate security into the CI/CD process so that we can easily fail a build
* We'll identify application layer attacks and create a whole new level of visibility for your SOC
* We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference architecture can be adapted easily to almost any tools and processes -- even legacy applications and waterfall-style projects.