In-person

Hands-on Workshop: Integrating Automated Security Checks in CI/CD with OWASP Bay Area

Oct 24, 2023 at 5:30 PM

DevSecOps workshop with OWASP Bay Area

We are excited to host a DevSecOps workshop in collaboration with OWASP Bay Area and co-host Prashant KV. This workshop will equip participants with the knowledge and hands-on skills to integrate security testing into their DevSecOps pipelines.

The OWASP Bay Area chapter meets in person every month, featuring dinner, a great speaker and an opportunity for networking.

Integrating Automated Security Checks into the CI/CD Pipeline for DevSecOps

Hello AppSec teams and tech enthusiasts! We're thrilled to roll out an exceptional DevSecOps workshop. This workshop will equip participants with the knowledge and hands-on skills to integrate Static (SAST), Dynamic (DAST) and Interactive (IAST) Application Security Testing into their GitHub DevSecOps pipelines.

Event Details:

  • Date: Oct 24, 2023

  • Time: Tuesday, Oct 24, 5:30pm PDT to 8:30pm PDT

  • Duration: 2.5 hours

  • Location: Spaces Mission and 3rd, 95 3rd Street · San Francisco, CA

  • Format: Hands-On Training Workshop

  • Drinks and Food provided at the venue: Yes

Pre-requisites:

  • A GitHub account.

  • Basic understanding of application security.

  • Attendees are required to bring their laptops with internet connectivity.

Agenda:

Introduction (15 minutes)

  1. The DevSecOps paradigm and its importance.

  2. Understanding GitHub Actions.

  3. The relevance of SAST and DAST in the CI/CD pipeline.

Overview of GitHub Actions for CI/CD (10 minutes)

  1. Basic components: workflows, runners, actions.

  2. Demonstration: A simple CI pipeline with GitHub Actions.

Hands-on: Integrating SAST with GitHub Actions (20 minutes)

  1. Introduction to Static Application Security Testing.

  2. Popular SAST tools and choosing one for demonstration.

  3. Hands-on activity:

     a. Setting up the SAST tool on a sample GitHub repository.

     b. Writing a GitHub Actions workflow to automate SAST scans on every pull request or push.

     c. Analyzing and understanding the SAST report in the GitHub interface.

Hands-on: Integrating DAST and IAST with GitHub Actions (60 minutes)

  1. Introduction to Dynamic Application Security Testing and Interactive Application Security Testing.

  2. Common DAST and IAST tools suitable for CI/CD integration.

  3. Hands-on activity:

     a. Setting up a test environment (ideally a deployed version of the app).

     b. Configuring the DAST tool to scan the deployed application.

     c. Writing a GitHub Actions workflow to trigger DAST scans post-deployment.

     d. Analyzing and responding to DAST findings within GitHub.

What's in it for Participants?

  1. Skill Enhancement: Mastery of integrating security checks within the popular GitHub Actions CI/CD framework.

  2. Hands-on Experience: Directly apply workshop teachings in your organization.

  3. Collaboration: Network and collaborate with peers facing similar challenges.

Speaker Bios:

Ankush Jain: Ankush is the co-founder & CTO at Akto (https://www.akto.io), the open source API security product. Prior to starting Akto, he worked at CleverTap as VP of Engineering. He has also worked for 5 years as a Quant at Morgan Stanley. He holds a Bachelor's in Technology from IIT Bombay. He is also a speaker at Black Hat and Defcon.

Ankita Gupta: She is the co-founder and CEO of Akto.io, the open source API security product. Prior to Akto, she gained experience working at VMware, LinkedIn and JP Morgan. She holds an MBA from Dartmouth College and a Bachelor's in Technology from IIT Roorkee. She is also a speaker at Black Hat and Defcon.

Speakers

Ankita Gupta

CEO & Co-Founder at Akto

Ankush Jain

CTO & Co-Founder at Akto