Proactive Security Testing in Agile Projects

Speaker: Bhushan Gupta

Web application security (AppSec) has become business critical because the number of breaches keeps rising significantly year over year. In 2019 the total number of breaches in the US increased by 20% (from 1257 to 1506) compared to 2018. We are at a junction where we need to focus on building secure applications and testing them diligently to minimize the risk of a breach.

Despite the critical need for a coordinated approach to security testing, most organizations approach the problem in a fractured manner, using Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) without a coordinated or planned approach that synchronizes with the context of their development cycle. As a consequence, disjointed security test approaches, whether used independently or in some combination, are highly unlikely to build a high level of confidence in the application's security or to produce dependable and repeatable results. What is needed is a methodology and strategy to integrate these testing approaches into the SDLC, and Agile development facilitates this integration rather well.

This webinar discusses what type of security testing to apply, and when, to get the best results in Agile development. It explains how to integrate security elements into the story backlog and how to analyze threats by examining the stories under development in an iteration. Both SAST and DAST are applied in each iteration to the stories that the threat analysis shows to have potential for a security breach. Then, prior to the release, robust penetration testing provides a sort of final check, similar to a regression test for security.

Adopting these methods sequentially at different stages of the SDLC provides opportunities to find vulnerabilities early, thereby reducing the compounding of vulnerabilities as development proceeds. It also allows the proper methodology to be used at the right time, reducing the overall testing effort. For example, testing for buffer overflows can be quite cumbersome with penetration testing compared to testing with SAST. The approach results in testing that is both effective and efficient overall.

Additionally, the presentation will provide an analysis of the strengths and weaknesses of each testing methodology and show when and why one should be preferred over the other. It will also discuss how to strengthen the test approach using these methods as you move through the software development life cycle. The audience will gain a clear understanding of each methodology and how to use it effectively, illustrated by case studies and examples garnered over the last few years.


Speaker Biography:

A proven champion for quality, well-versed in software quality engineering, and a web application security researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. In application security (AppSec) his research areas are: infusing security into the SDLC, the OWASP Top 10, risk analysis and mitigation, attack surface measurement, and static and dynamic application security analysis. As a leader of the Open Web Application Security Project (OWASP) Portland Chapter, he is dedicated to driving web application security to higher levels through technical education and training. Bhushan often provides training workshops and presentations to corporations and non-profit organizations. He is also an invited speaker and panelist in discussions on both application security and agile software development. Bhushan serves as a Program Team member for the Pacific Northwest Software Quality Conference (PNSQC) and has been a member of the Program Team for the Global AppSec Conference 2020 organized by OWASP.

Bhushan has been a Certified Six Sigma Black Belt (American Society for Quality and Hewlett Packard), and possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. Bhushan has an MS in Computer Science (1985) from New Mexico Tech and has worked at Hewlett-Packard and Nike in various roles. He was also a faculty member of the Software Engineering department at the Oregon Institute of Technology from 1985 to 1995 and is currently an Adjunct Faculty member.