Wednesday, November 1 • 9:00am - 5:00pm
2 Day Training: AppSec Automation Masterclass


This training takes a comprehensive, focused and practical approach to implementing DevSecOps Practices with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs that are backed by practical examples of DevSecOps and AppSec Automation.




The Training starts with a view of DevSecOps and AppSec Automation, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines. 




In this edition, we’re completely rebuilding our existing DevSecOps content to reflect the very bleeding edge of Application Security Automation and DevSecOps Approaches. These include, but are not limited to:

  • Hands-on SAST for Apps and Infrastructure-as-Code, with a focus on Semgrep and CodeQL. Develop Custom SAST rules like a bawse!
  • Supply-Chain Security Automation: SBOMs, Source Composition Analysis and Security Engineering techniques. This segment will additionally have several approaches to building secure base images for containers.
  • Supply-Chain Assurance and Provenance for artifacts. Supply-Chain Security attacks are largely caused by lack of assurance and poor provenance of software supply-chain artifacts. We’ll be diving into the SLSA (Supply-Chain Levels for Software Artifacts) Standard and how automation can help achieve levels of compliance. In addition, we’ll be diving into Cosign from Project sigstore. This can be used to generate keyed/keyless signatures for container images and other build artifacts including packages and SBOMs.
  • Secret Management - This segment of the class will dive into Secrets Management and Encryption tools like HashiCorp Vault. This will have examples of advanced implementations for Encryption, Key Management and Dynamic Secrets.
  • DAST Automation with OWASP ZAP and Nuclei. We’ll be exploring API based scanning with OWASP ZAP and Test Automation Frameworks. In addition, we’ll explore using and building custom DAST automation with Nuclei. This will not only aid in integrating DAST into Automation Pipelines, but can also be used for Security Regressions for more complex vulnerabilities.
  • Policy-As-Code with Open Policy Agent (OPA). OPA is a powerful framework that can be used to create and enforce policies across a variety of deployment environments. Its uses range from performing Access Control and Input Validation in API Gateways to deploying and enforcing security policies in Container Registries and Operating Systems. You’ll learn OPA’s Domain Specific Language, Rego, in order to understand policy-as-code frameworks.
  • Integrating Security Automation with CI/CD tooling. Here we’ll be exploring integrating Security Automation with CI/CD tools including GitHub Actions, GitLab and Jenkins. In addition, we’ll be leveraging Data Flow Automation tools like Robot Framework, Gaia and Prefect to provide alternatives to typical CI/CD tools for AppSec Automation.



Each section of the training will contain a challenge section that will enable the trainees and the trainers to identify levels of student learning.

Participants get 2-month access to our online lab environment for DevSecOps training.


Speakers

Abhay Bhargav

Founder, AppSecEngineer
Abhay Bhargav is the founder at AppSecEngineer, a revolutionary training platform committed to solving the Security Skills Shortage. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps...


Wednesday November 1, 2023 9:00am - 5:00pm EDT
TBA