Automating Security

● I am a really bad presenter for this topic
  ○ I suggested it because I wanted to learn from other people's experiences.
● I care about security, and know basic security concepts
  ○ ...but I have not had the opportunity to implement it other than opening a couple of bugs on it
  ○ I listen to security podcasts
● I know of some security related software
  ○ ...but I have not had the opportunity to play with any and cannot speak coherently on the topics in this slide deck

Who has automated security tests?

Consider

● Prioritization
● Ownership
  ○ Separate security team?

OWASP Top 10

Know your dependencies

● OWASP Dependency Analyzer
  ○ A9 - Using components with known vulnerabilities
  ○ Fail your build on matching vulnerabilities
  ○ Nice HTML report
  ○ Configure false positives
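The "fail your build" and "configure false positives" points above, as an added example that is not part of the slide deck or of any OWASP tool: a small CI gate that reads a dependency-vulnerability report, suppresses reviewed false positives per component, and returns a non-zero exit code when a finding at or above a CVSS threshold remains. The report shape, file names and CVE ids are constructed placeholders, loosely modelled on the JSON reports such tools emit, not the real schema.

```python
"""CI build gate over a dependency-vulnerability report (added example).

The report layout below is a constructed, simplified stand-in; real tools use
their own field names, so adapt the two get() calls to the report you consume.
"""
import json
import sys

# Constructed sample report: two dependencies, three findings, placeholder ids.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "libfoo-1.2.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "score": 9.8},
             {"name": "CVE-0000-0002", "score": 4.3}]},
        {"fileName": "libbar-3.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0003", "score": 7.5}]},
    ]
})

# False positives are suppressed per (component, finding) pair rather than by
# CVE id alone, so the same CVE in a different component still fails the build.
SUPPRESSIONS = {("libbar-3.0.jar", "CVE-0000-0003")}


def failing_findings(report_json, threshold=7.0, suppressions=frozenset()):
    """Return [(file, cve, score)] for unsuppressed findings at/above threshold."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        name = dep.get("fileName", "<unknown>")
        for vuln in dep.get("vulnerabilities", []):
            cve = vuln.get("name", "<unnamed>")
            score = float(vuln.get("score") or 0.0)  # missing score counts as 0
            if score >= threshold and (name, cve) not in suppressions:
                hits.append((name, cve, score))
    return sorted(hits, key=lambda h: -h[2])  # worst first


def gate(report_json, threshold=7.0, suppressions=frozenset()):
    """Exit status for CI: 0 when clean, 1 when a finding must be fixed."""
    hits = failing_findings(report_json, threshold, suppressions)
    for name, cve, score in hits:
        print(f"FAIL {name}: {cve} (CVSS {score})")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_REPORT, suppressions=SUPPRESSIONS))
```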

Know your product

● Access points
  ○ APIs
● Users and roles
  ○ Only give the access you need (database, system)
● Data and information protected
  ○ Encrypting traffic
  ○ Secured database

Security testing products

● OWASP ZAP (Zed Attack Proxy)
  ○ Proxy lets you inspect and modify traffic between the browser and web application
● Threadfix
  ○ Static and dynamic application security scanning tools
  ○ Results reporting
● Syntribos
  ○ Automated API security testing tool
● Burp Suite
  ○ Has automated scanners
  ○ bscan - headless mode
● GauntLt
● Fortify

Experiences in Security testing? Tools? Pros/Cons?

Resources

● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
● https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
● http://www.threadfix.org/
● https://github.com/rackerlabs/syntribos
● https://portswigger.net/burp/
● http://gauntlt.org/
● http://www8.hp.com/us/en/software-solutions/static-code-analysis-sast/

Podcasts

● https://isc.sans.edu/podcast.html - Daily, 5 minutes
● https://www.sophos.com/en-us/company/podcasts.aspx - Weekly, 15 minutes
● http://podcast.wh1t3rabbit.net/ - Weekly, 1 hour+
● https://twit.tv/shows/security-now - Weekly, 1 hour+

Recently recommended to me

● http://securityweekly.com/
