Building an application vulnerability toolchain for DevSecOps
One of the key challenges for application security in DevOps is that scaling vulnerability assessment effectively is very hard. Sure, some scanners come with plugins and integrations for CI tools, but with complex applications, API/web services and complex business logic, vulnerability assessment without context, instrumentation and parameterisation leads to a large number of false negatives, which is the worst kind of outcome. My talk draws from multiple implementations of application security in DevOps, where one can create powerful, automated vulnerability toolchains that are automatically triggered and managed, auto-scaled (with containers) and provide a much higher quality of results through effective instrumentation, parameterisation and context, oh and did I mention, completely automated. The talk also delves into some key success factors for automated, instrumented vulnerability scanning of applications at scale. I will showcase an internally developed tool (to be released as open source) for instrumented scanning of APIs using popular scanners like OWASP ZAP, w3af and Burp Suite. The objective of this talk is to give the audience a perspective on how they can unlock a higher quality of application vulnerability scanning at scale in their DevOps implementation.