OWASP Helsinki chapter meeting #24
Tuesday, March 25, 2014 from 5:00 PM to 7:30 PM (EET)
The next OWASP Helsinki chapter meeting will be held on March 25th. The theme of this event is security testing in DevOps.
Location: F-Secure, Tammasaarenkatu 7, Ruoholahti, Helsinki. Parking is limited, so public transport is strongly recommended: Ruoholahti station for the metro, the Länsisatamankatu stop for tram 8, and the Länsiväylä stop for buses from Espoo.
17:00 Coffee and registration
17:20 Welcome /Petteri Arola, OWASP
17:30 Enhancing security through tight collaboration and automation /Kalle Hallivuori
18:00 Continuous Security Testing in a Devops World /Stephen de Vries
19:00 Demo of Burp Suite & HTTP API fuzzing automation with Python & Behave /Antti Vähä-Sipilä
19:30 Time to move to the pub (Amsterdam) and continue the discussion there
This event is open and free for all.
Please register by Friday March 21st.
Abstract: Continuous Security Testing in a Devops World
Devops and Continuous Integration practices present unique challenges to security testing. While functional testing is now largely automated, in-depth application security testing is still mostly a manual affair. Application security scanning can readily be automated, but relying on scanning alone gives a skewed and superficial view of the application's security.
This talk will present the BDD-Security framework which is designed to address the challenge of scriptable and repeatable application security testing. The framework allows developers and security teams to:
a) Specify the security requirements in a human-readable form up front
b) Make those same requirements executable tests that can be run against a target application
c) Record and test business logic vulnerabilities
d) Integrate these tests into continuous integration and continuous deployment environments so that security testing can be performed continuously and on demand
e) Get started with a pre-written baseline of security tests that can mostly run unedited on the majority of web applications
The BDD-Security framework is a testing framework built on JBehave, Selenium and OWASP ZAP that translates the world of security requirements into something that developers understand: executable tests, written in a natural language.
The talk will include a live demonstration of configuring and running the BDD-Security framework to test a web application and will also show how to integrate it with the Jenkins CI server so that security tests are run after every new code commit.
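The following is an added example, not code from this page or from the BDD-Security project (which is written in Java on JBehave, Selenium and OWASP ZAP). It sketches in plain Python, in the Behave flavour of the later demo slot, the mechanism the abstract describes: requirements written as Gherkin scenarios, a step registry that gives each sentence an executable meaning, a runner that executes the scenarios, and an exit code a CI server such as Jenkins can act on. Everything it runs against is constructed: `DemoApp` is an in-process stand-in for a web application with a `/login` endpoint and per-user `/account/<name>` pages, its `secure_cookies` switch simulates a regression, and the step phrasings, the `JSESSIONID` cookie and the `tok-*` session tokens are made up for the example.

```python
import re

# Constructed stand-in for the application under test (no network): a login endpoint
# issuing a session cookie, per-user account pages, and a cookie-flag regression switch.
class DemoApp:
    def __init__(self, secure_cookies=True):
        self.secure_cookies = secure_cookies
        self.sessions = {"tok-alice": "alice", "tok-bob": "bob"}  # made-up tokens

    def request(self, method, path, session=None):
        headers = {"X-Frame-Options": "DENY"}
        if method == "POST" and path == "/login":
            flags = "; Secure; HttpOnly" if self.secure_cookies else ""
            headers["Set-Cookie"] = "JSESSIONID=tok-alice" + flags
            return 200, headers
        m = re.fullmatch(r"/account/(\w+)", path)
        if m:
            if self.sessions.get(session) != m.group(1):  # own account only
                return 403, headers
            return 200, headers
        return 404, headers

# Step registry: each decorated function is the executable meaning of one Gherkin
# sentence, matched by regular expression (the Behave/JBehave pattern).
STEPS = []
def step(pattern):
    def register(fn):
        STEPS.append((re.compile(pattern), fn))
        return fn
    return register

@step(r"Given the user is logged in as (\w+)")
def logged_in(ctx, user):
    ctx["session"] = "tok-" + user

@step(r"When the user sends (GET|POST) (\S+)")
def send(ctx, method, path):
    ctx["status"], ctx["headers"] = ctx["app"].request(method, path, ctx.get("session"))

@step(r"Then the response status is (\d+)")
def check_status(ctx, code):
    assert ctx["status"] == int(code), f"status {ctx['status']} != {code}"

@step(r"Then the session cookie has the (\w+) flag")
def check_cookie_flag(ctx, flag):
    cookie = ctx["headers"].get("Set-Cookie", "")
    flags = [p.strip().lower() for p in cookie.split(";")[1:]]
    assert flag.lower() in flags, f"cookie lacks {flag}: {cookie!r}"

@step(r"Then the response header (\S+) is (\S+)")
def check_header(ctx, name, value):
    assert ctx["headers"].get(name) == value, f"{name} is {ctx['headers'].get(name)!r}"

# The requirements in human-readable form; a real project keeps these in .feature files.
BASELINE_FEATURE = """
Feature: Baseline security requirements for the demo application
  Scenario: Session cookie is protected in transit and from scripts
    When the user sends POST /login
    Then the session cookie has the Secure flag
    And the session cookie has the HttpOnly flag
  Scenario: Pages cannot be framed (clickjacking)
    Given the user is logged in as alice
    When the user sends GET /account/alice
    Then the response status is 200
    And the response header X-Frame-Options is DENY
  Scenario: A user cannot read another user's account (business logic)
    Given the user is logged in as alice
    When the user sends GET /account/bob
    Then the response status is 403
"""

def run_feature(feature_text, app):
    """Run every scenario against app; returns {name: "passed" | "failed: reason"}."""
    results, name, ctx, keyword = {}, None, None, None
    for line in (raw.strip() for raw in feature_text.splitlines()):
        if not line or line.startswith(("Feature:", "#")):
            continue
        if line.startswith("Scenario:"):
            name = line[len("Scenario:"):].strip()
            ctx, keyword, results[name] = {"app": app}, None, "passed"
            continue
        head, _, rest = line.partition(" ")
        keyword = keyword if head in ("And", "But") else head  # And/But inherit
        if results[name] != "passed":
            continue  # first failing step fails the scenario; later steps are skipped
        for pattern, fn in STEPS:
            match = pattern.fullmatch(f"{keyword} {rest}")
            if match:
                try:
                    fn(ctx, *match.groups())
                except AssertionError as exc:
                    results[name] = f"failed: {exc}"
                break
        else:
            results[name] = f"failed: no step definition for {line!r}"
    return results

def ci_exit_code(results):
    return 0 if all(r == "passed" for r in results.values()) else 1  # non-zero fails the build
```

Calling `run_feature(BASELINE_FEATURE, DemoApp())` passes all three scenarios, while `DemoApp(secure_cookies=False)` fails the cookie scenario at the Secure step and `ci_exit_code` returns 1, which is what a Jenkins build step needs to mark the build failed after a commit. Against a real application only `DemoApp.request` changes (HTTP calls, or, as BDD-Security does, a Selenium-driven browser proxied through ZAP); the feature text, which is what developers and the security team agree on, stays the same.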
- OWASP: https://www.owasp.org
- OWASP Helsinki: https://www.owasp.org/index.php/Helsinki