
Building your own large scale web security scanning infrastructure in 40 minutes

Albert Yu, Bishan Kochar at AppSec USA 2015

There are a lot of web security scanners, and many of them do a decent job. Yet there are times and genuine reasons when you wish you had your own scanning infrastructure. You perhaps wished how great it would be if you could build your own in 40 minutes. That you had more control. That you could add your custom requirements. Or maybe using an existing one was not an option, from a cost, scale, speed or code reuse perspective.

In this talk we will demonstrate:
1. how to build a robust web security scanner that answers many questions you might have,
2. how to scale it up as an infrastructure,
3. how to integrate it into your own continuous delivery pipeline.

We will also discuss the difference in the nature of this project as compared to related works such as Mozilla Minion and Netflix Monterey.



Bishan Kochar
I am a security engineer at Yahoo, building automation wherever I can to make security transparent, proactive, effective and/or enabling. In the past I did pen testing, mostly web. I grew to actually trying to solve the problems. And that's what I keep doing today.

Albert Yu
Security Engineer, Sr Principal, Yahoo
I work in the Yahoo Paranoid team, spending most of my time exploring how engineers build things and when stuff breaks. My current focus is to develop solutions that assure application security is kept intact regardless of how fast we build and deliver.