This presentation was recorded at YOW! 2022. https://yowcon.com

Jeff Williams - CTO & Co-founder at Contrast Security (@ContrastSecurity)

RESOURCES
https://twitter.com/planetlevel
https://linkedin.com/in/planetlevel

ABSTRACT
The complexity of modern applications and APIs makes them extremely difficult to test for security vulnerabilities. Traditional tools like static (SAST) and dynamic (DAST) scanners are complex to run and produce far too many false positive and false negative results. This inevitably leads to siloed appsec testing teams, bottlenecks, long feedback loops, and large security backlogs.

Fortunately, there's a way out of this trap. Using interactive application security testing (IAST), we can get inside the running application and directly measure security. Anyone who can use a browser can find complex, critical vulnerabilities without scanning, without security expertise, and without changing anything about their development process. IAST runs in real time and merges highly accurate security testing into all your normal QA activity.

In this talk, you'll learn how IAST works and how it can unlock the benefits of DevSecOps. Jeff will share data showing how large real-world companies have transformed their application security programs, eliminated their security backlog, slashed their mean time to remediate vulnerabilities, and cut their new vulnerability rate. More importantly, they've merged their quality and security testing infrastructures and aligned the interests of the development and security teams. These organizations are getting secure code moving and delivering value to customers at high velocity. [...]
TIMECODES
00:00 Intro
02:04 Public expectations don't match reality
05:04 DevSecOps will fix everything
08:37 Instrumentation changes everything
12:10 Example: Detecting SQL injection
13:45 IAST
17:42 Runtime vulnerability snapshots
19:09 Runtime library analysis
21:07 Runtime route coverage
23:13 Runtime architecture diagrams
24:50 Deploying IAST at scale
25:55 DevSecOps - Getting secure code moving
29:33 Metrics that matter
32:53 Outro

Download slides and read the full abstract here: https://yowlondon.com/2022/sessions/2430