OWASP Quebec City




2020/10/10 : DevSecOps Workshop - DAST Automation Edition (by we45)

Nithin Jois
Senior Solutions Engineer
we45

Description

Wouldn’t it be great to automate your favorite Dynamic Tools like OWASP ZAP or BurpSuite as part of your pentesting or DevSecOps pipeline? While this sounds great, there are several challenges that you will face in automating these tools. In addition, automating security testing for Single Page Applications (SPAs) and REST APIs is even more difficult because of authentication and access control requirements. This is a hands-on in-depth course that explores the security automation possibilities of OWASP ZAP. As part of our cyber-ranges you will get to explore the various automation possibilities and “recipes” with Dynamic Scanning tools, with a special focus on OWASP ZAP. You will learn to leverage Test Automation Frameworks like Selenium and Robot framework to perform fully authenticated and contextually aware scanning of your web applications and web services. In addition, you’ll be building custom scripts for OWASP ZAP and BurpSuite to expand your scanning workflows to aid in pentesting as well as automation. Finally, we’ll be looking at how you can integrate these tools into a DevSecOps or CI pipeline and leverage continuous scanning efforts for your applications.

Summary

  • Deep-dive into OWASP ZAP and BurpSuite API and learn how to leverage these APIs for Security Automation
  • Skip the inefficient spider. Leverage Test Automation with Selenium and other test automation frameworks to perform deeper and more powerful security testing against your Web Application or REST API.
  • Learn advanced automation techniques by leveraging OWASP ZAP and BurpSuite in DevSecOps Pipelines
  • Learn how you can leverage custom scripting frameworks in OWASP ZAP and BurpSuite to deliver more powerful security automation and pentesting workflows

Prerequisites

Requirements

  • Knowledge of OWASP Top 10 Vulnerabilities and some exposure to Application Security Testing
  • Basic knowledge of Web Vulnerability Scanning tools like OWASP ZAP will help

System Requirements

  • You will work on the labs from our cloud lab environment. We will share links to sign up before the workshop. Owing to this, you’ll not need to install additional software of any kind
  • You will need: a reasonably powerful laptop or tablet computing device, and an updated browser (preferably Chrome)

Bio

Nithin Jois is a Senior Solutions Engineer at we45 - a focused Application Security company. He has helped build ‘Orchestron’ - a leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in orchestrating containerized deployments securely to production. Nithin and his team have extensively used Docker APIs as a cornerstone of most of the security platforms developed by we45, and he has also helped clients of we45 deploy their applications securely. Nithin is a passionate Open Source enthusiast and is the co-lead developer of ThreatPlaybook - an Open Source framework that facilitates Threat Modeling as Code married with Application Security Automation on a single fabric. He has also written multiple libraries that complement ThreatPlaybook. Nithin is an automation junkie who has built scalable scanner integrations that leverage containers to the hilt and is passionate about Security, Containers and Serverless technology. He speaks at meetup groups, webinars and training sessions. He participates in multiple CTF events and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training. Nithin was a trainer and speaker at events like AppSecDC-2019, AppSecUS-2018, SHACK-2019, AppSecCali-2019, DefCon-2019, BlackHat USA 2019, AppSecCali-2020 and many more! In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency, and other such topics. Nithin is an avid traveler and loves sharing stories over a cup of hot coffee.


This event is a courtesy of we45


Please note this event will be in English only

Date and Hour:
   Saturday, October 10, 2020
   9:00 AM – 11:00 AM EST (duration 2 hours)

RSVP! Free registration

Chapter Supporters / Commanditaires du chapitre


Gold / Or

BENTLEY iA



OWASP Quebec City is looking for speakers!


If you would like to present a topic at an upcoming OWASP meeting, for the advancement of science and knowledge in application security, please contact us!

Any oral contribution (presentation, training) at an OWASP meeting is subject to prior acceptance of the speaker rules.

Here, for guidance, are a few presentation ideas related to application security; your own topics interest us as well, so let us know!

  • Demonstration of freely available or open source security tools (e.g. ZAP, AppSensor, FindSecBugs, Burp, BeEF, ModSecurity, etc.).
  • Demonstrations and/or experience reports of commercial application security tools are allowed; however, in the interest of neutrality and independence, we ask that these presentations remain impartial
  • Coverage of an item from the OWASP Top 10 2017 (e.g. XXE, Insecure deserialization, Insufficient logging and monitoring)
  • Code review methods and tools
  • Exploitation of vulnerabilities, bypasses of security mechanisms, and how to prevent them
  • Application security in n-tier web and microservice architectures
  • Lessons learned from resolving issues and/or implementing security features
  • Pitfalls to avoid in CORS configurations
  • Secure use of JWTs
  • Research projects, open discussions, workshops, brainstorming

Logistics:

  • Presentations should be 45 to 75 minutes maximum
  • They usually start after 6 PM, depending on the institutions that provide us with the rooms
  • Beverages and snacks will be provided

Notes:

  • Neutrality and impartiality are expected; your opinions are welcome as long as they are expressed respectfully
  • Any oral contribution (presentation, training) at an OWASP meeting is subject to prior acceptance of the speaker rules
  • The sale of products is strictly prohibited.

