Domo Arigato, Mr. Roboto: Security-Testing in a DevOps World
Security testing is difficult, no matter who is doing it or how it is performed. Both the security and development industries still struggle to find reliable solutions to identify vulnerabilities in custom code, but sometimes make things harder than they should be.
This talk will address the current limitations of security unit-testing applications with existing tools and various frameworks. It will introduce a generic framework for creating simple security unit-tests for any application. We will also cover review common strategies for building application security-specific unit-tests, including function identification, testing approaches, edge cases, regression testing, and payload generation. These techniques will be demonstrated in Java Spring and .Net MVC frameworks using intentionally-vulnerable applications and cover unit-testing, Test Driven Development (TDD) and Continuous Integration (CI) in security framework.
Seth Law is an experienced Application Security Professional with over 15 years of experience in the security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. His understanding of the software development lifecycle allows him to speak as a developer and to equate security issues to development tasks. In his spare time, Seth revels in deep-level analysis of programming languages and inherent flaws.