DevOps software development presents a fundamental challenge to traditional software security practices. Multi-day static and dynamic analysis run by a small pool of security experts is not a tenable model when the business demands multiple software releases per day. Modern system administration and quality assurance roles have adapted by using automation to empower developers to promote code as safely and as frequently as possible. By operating within the DevOps culture and tooling, security experts can educate developers and instrument systems in much the same way as other stakeholders in the development process. Proper abuse case development, metrics, and unit and integration testing can minimize risk while still enabling the rapid software development that businesses demand.
This presentation covers the process of creating and testing abuse cases to detect vulnerabilities in the OWASP Juice Shop application. Automated abuse case testing with the Mocha and Chai NodeJS libraries provides fast feedback so developers can fix bugs early in the SDLC instead of waiting on traditional SAST, DAST, and penetration testing.
After the initial presentation, Stephen will run through some specific abuse cases and lead us in the writing of automated test cases in small groups.
Stephen Deck is a Senior Security Consultant with DirectDefense where he focuses on application security testing and code security reviews. Stephen worked as an Army infantry officer for four years and spent 15 years in the Information Technology field. During his time in IT, he worked in the penetration testing, security engineering, incident response, and software development fields. Stephen holds 13 information security certifications including the GSE, OSCE, and CISSP.