DevOps software development presents a fundamental challenge to traditional software security practices. Multi-day static and dynamic analysis run by a small pool of security experts is not a tenable model when the business demands multiple software releases per day. Modern system administration and quality assurance roles have adapted by using automation to empower developers to elevate code safely and as often as possible. By operating within the DevOps culture and tooling, security experts can educate developers and instrument systems in much the same way as other stakeholders in the development process. Proper abuse case development, metrics, unit, and integration testing can minimize risk while still enabling the rapid software development that businesses demand.
This presentation covers the process of creating and testing abuse cases to detect vulnerabilities in the OWASP Juice Shop application. Automated abuse case testing with the Mocha and Chai NodeJS libraries provides fast feedback so developers can fix bugs early in the software development lifecycle instead of waiting on traditional static analysis, dynamic analysis, and penetration testing.

Stephen Deck is an application security consultant with DirectDefense, where he assesses applications for security vulnerabilities and works to enhance companies' software development security practices. Stephen has spent the last 8 years in the application security field, but has also worked as an incident responder, security engineer, software developer, and infantry officer. He also holds several security certifications, including the GSE, OSCE, and CISSP.
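The following is an added example of the abuse-case testing approach the abstract describes; it is not code from the talk, from DirectDefense, or from OWASP Juice Shop. The product-search handler, the weak comparison handler, the case tables and the report format are all assumptions constructed for illustration. It uses plain functions that return a pass/fail report instead of Mocha's describe/it and Chai's expect so that it runs with no dependencies; in a Mocha/Chai project each entry in ABUSE_CASES would become one it() block.

```javascript
// Added example, not part of the original page: abuse cases expressed as
// automated tests. Each case states what a misuser sends and the status the
// application must answer with, so the suite fails as soon as validation regresses.

const MAX_QUERY_LENGTH = 100;

// Hypothetical request handler standing in for a product-search endpoint.
// Input is checked against an allow-list and rejected outright (HTTP 400)
// rather than silently "cleaned", so misuse stays visible in tests and logs.
function searchHandler(req) {
  const q = req.query ? req.query.q : undefined;
  if (typeof q !== 'string') {
    return { status: 400, body: 'q must be a single string' };
  }
  if (q.length > MAX_QUERY_LENGTH) {
    return { status: 400, body: 'q exceeds maximum length' };
  }
  // Letters, digits, underscore, whitespace and hyphen are all a search needs.
  if (!/^[\w\s-]*$/.test(q)) {
    return { status: 400, body: 'q contains disallowed characters' };
  }
  return { status: 200, body: { query: q, results: [] } };
}

// A deliberately weak handler that accepts anything. It exists only to show
// that the suite catches a validation regression.
function unvalidatedSearchHandler(req) {
  const q = req.query ? req.query.q : undefined;
  return { status: 200, body: { query: q, results: [] } };
}

// Abuse cases (inputs constructed for this example).
const ABUSE_CASES = [
  { name: 'quote-breaking string aimed at the query layer', request: { query: { q: "' OR 1=1--" } }, expectStatus: 400 },
  { name: 'markup aimed at reflection in the results page', request: { query: { q: '<script>alert(1)</script>' } }, expectStatus: 400 },
  { name: 'oversized input', request: { query: { q: 'a'.repeat(MAX_QUERY_LENGTH + 1) } }, expectStatus: 400 },
  { name: 'array instead of string (?q[]=x&q[]=y)', request: { query: { q: ['x', 'y'] } }, expectStatus: 400 },
  { name: 'missing parameter', request: { query: {} }, expectStatus: 400 },
];

// Legitimate use must keep working; otherwise the suite only proves the
// endpoint is unusable.
const VALID_CASES = [
  { name: 'plain product name', request: { query: { q: 'apple juice' } }, expectStatus: 200 },
  { name: 'hyphenated term', request: { query: { q: 'o-saft' } }, expectStatus: 200 },
];

// Runs every case against a handler and returns a report a CI job can act on.
// A handler that throws counts as a failure rather than aborting the run.
function runCases(handler, cases) {
  const failed = [];
  for (const c of cases) {
    let actual;
    try {
      actual = handler(c.request).status;
    } catch (err) {
      actual = `threw ${err.name}`;
    }
    if (actual !== c.expectStatus) {
      failed.push({ name: c.name, expected: c.expectStatus, actual });
    }
  }
  return { total: cases.length, passed: cases.length - failed.length, failed };
}

// The whole suite (abuse cases plus legitimate cases) for one handler.
function runAbuseSuite(handler) {
  return runCases(handler, ABUSE_CASES.concat(VALID_CASES));
}

// Prints one line per handler plus one line per failing case.
function printReports() {
  const handlers = [['validated', searchHandler], ['unvalidated', unvalidatedSearchHandler]];
  for (const [label, handler] of handlers) {
    const report = runAbuseSuite(handler);
    console.log(`${label}: ${report.passed}/${report.total} passed`);
    for (const f of report.failed) {
      console.log(`  FAIL ${f.name}: expected ${f.expected}, got ${f.actual}`);
    }
  }
}

printReports();
```

Run with `node abuse-cases.js`. The validated handler passes all seven cases, while the unvalidated one fails exactly the five abuse cases and still passes the two legitimate ones, which is the signal a developer needs to see in the build before the change reaches a penetration tester.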
Copyright 2020, IronGeek