SlideShare a Scribd company logo

Interact Differently: Get More From Your Tools Through Exposed APIs

Download as PPTX, PDF
Kevin Fealey, profile picture
Kevin Fealey

This document summarizes a presentation about automating application security tools and customizing their outputs. It discusses automating simple tests that tools can detect quickly and accurately. It also discusses customizing dashboards and reports to track desired metrics and see results from different tools in one place. The presentation encourages attendees to integrate tools through their APIs and code their own plugins and parsers to solve problems with their workflows.

Technology
Related topics:
Application Security
1 of 29
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com Interact Differently: Get More from your Tools through Exposed APIs OWASP LASCON Austin, TX Nov. 4, 2016
Application security that just works ABOUT ME Kevin Fealey Principal Consultant & Practice Lead, Automation & Integration Services Never a “developer” Key Interests: • Process efficiency/effectiveness (Sec + Dev + Ops) • Learning about cool tools ©2015 Aspect Security. All Rights Reserved 2
Application security that just works SLIDES WILL BE AVAILABLE… ©2015 Aspect Security. All Rights Reserved 3 We may never finish… https://www.linkedin.com/in/kfealey http://www.slideshare.net/kfealey
Application security that just works APPLICATION SECURITY LANDSCAPE ©2015 Aspect Security. All Rights Reserved 4
Application security that just works APPLICATION SECURITY LANDSCAPE ©2015 Aspect Security. All Rights Reserved 5
COMMON PROBLEMS INVOLVING APPSEC TOOLS ©2015 Aspect Security. All Rights Reserved 6
Application security that just works FIRST WORLD PROBLEMS ©2015 Aspect Security. All Rights Reserved 7
Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 8 Cross-domain configurations vs policy: CSP, Framing, etc. HTTPS page accessible via HTTP File metadata (ex. Exif data) scanner Obviously verbose error messages (ex. ORA-#####) PII Displayed on Screen (ex. SSN, CCs) Cookie security flags, cache controls, autocomplete enabled Outdated [JavaScript] libraries Insecure encryption algorithm/mode detected Hard-Coded encryption key POST=GET
Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 9
Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 10 If a tool can find it quickly and with high accuracy, detection should be automated.
Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 11 Allows login.jsp?username=hacked&password=whocares
Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 12
Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 13
Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 14
Application security that just works AUTOMATE TOOL EXECUTION ©2015 Aspect Security. All Rights Reserved 15 • When evaluating tools, consider if there is a CLI/SDK – even if you don’t plan to automate today • Make integration as fool-proof as possible or
Application security that just works CUSTOM DASHBOARDS ©2015 Aspect Security. All Rights Reserved 16 Bulky installations Non-intuitive UIs Lack of flexibility for tracking metrics that matter to you Limited support for 3rd party tools Results from pen test and SAST don’t go in the same place •Unless it’s a huge, ugly, spreadsheet Most dashboards have:
Application security that just works CUSTOM DASHBOARDS ©2015 Aspect Security. All Rights Reserved 17
Application security that just works CUSTOM DASHBOARDS ©2015 Aspect Security. All Rights Reserved 18
Application security that just works CUSTOM DASHBOARDS ©2015 Aspect Security. All Rights Reserved 19
Application security that just works CUSTOM REPORTS/VIEWS ©2015 Aspect Security. All Rights Reserved 20 • If the dashboard/view you want does not exist, have you tried to create it?
GOTO: <CODE> ©2015 Aspect Security. All Rights Reserved 21
Application security that just works CUSTOM REPORTS/VIEWS ©2015 Aspect Security. All Rights Reserved 22 • If the dashboard/view you want does not exist, have you tried to create it?
Application security that just works CUSTOM TOOL INTEGRATIONS ©2015 Aspect Security. All Rights Reserved 23
GOTO: <CODE> ©2015 Aspect Security. All Rights Reserved 24
I’M ON BOARD.. HOW DO I BEGIN? ©2015 Aspect Security. All Rights Reserved 25
Application security that just works GETTING STARTED • Doesn’t have to be a good idea Have an idea • Use existing Parsers Clone an existing plugin/configuration • Vendor documentation • Mailing lists • Dev forums • Blog posts Use ©2015 Aspect Security. All Rights Reserved 26
Application security that just works KEY TAKEAWAYS You have the power to solve your own problems • It’s probably easier than you think Don’t start from scratch XPath is beastmode Contribute your stuff to GitHub so I can use it ©2015 Aspect Security. All Rights Reserved 27
Application security that just works CODE FROM TODAY https://github.com/aspectsecurity/ImageLocationScanner https://github.com/kevinfealey/PMDRuleForLASCON2016 https://github.com/kevinfealey/PMDCodeExampleForLASCON2016 https://github.com/jenkinsci/ibm-security-appscansource-scanner-plugin https://github.com/kevinfealey/ELK-for-AppSec https://github.com/kevinfealey/vagrant-ELK-stack https://github.com/kevinfealey/XSLT_AppScan_Standard_Report https://github.com/kevinfealey/Burp_Custom_Site_Exporter ©2015 Aspect Security. All Rights Reserved 28
Thank you! ©2015 Aspect Security. All Rights Reserved Kevin Fealey Kevin.Fealey@aspectsecurity.com @secfealz

More Related Content

PDF
Security as Code
Deborah Schalm
 
PPTX
Secrets to Realistic Load Testing
SOASTA
 
PPTX
Webinar - Success Factors Behind Successful Flash Sales
SOASTA
 
PPTX
Get Ready for Changes To Load Testing
SOASTA
 
PDF
SOASTA mPulse update webinar
CloudBees
 
PDF
7 steps to pragmatic mobile testing
SOASTA
 
PPTX
Real User Measurement: The Secret Weapon for Quality
SOASTA
 
PDF
Application Security Testing for a DevOps Mindset
Denim Group
 
Security as Code
Deborah Schalm
 
Secrets to Realistic Load Testing
SOASTA
 
Webinar - Success Factors Behind Successful Flash Sales
SOASTA
 
Get Ready for Changes To Load Testing
SOASTA
 
SOASTA mPulse update webinar
CloudBees
 
7 steps to pragmatic mobile testing
SOASTA
 
Real User Measurement: The Secret Weapon for Quality
SOASTA
 
Application Security Testing for a DevOps Mindset
Denim Group
 

What's hot (20)

PDF
AppSec is Eating Security
Alex Stamos
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
PPTX
Webinar: Are you ready for your peak season?
Jennifer Finney
 
PDF
Long-term Impact of Log4J
Denim Group
 
PPTX
Modern Load Testing: Move Your Load Testing from the Past to the Present
SOASTA
 
PPTX
The End of Security as We Know It - Shannon Lietz
SeniorStoryteller
 
PPT
Thriving in the Shark Tank: How Vebalizeit Load Tested with SOASTA
SOASTA
 
PPTX
Performance Warrior Tales: Cloud Load Testing the Retail Giants
SOASTA
 
PDF
I Love APIs 2015: The "State" of your API: Common Use Cases for Storing Data
Apigee | Google Cloud
 
PPTX
APIs: The New Security Layer
Apigee | Google Cloud
 
PPTX
The Four Hats of Load and Performance Testing with special guest Mentora
SOASTA
 
PPT
New Features in CloudTest & TouchTest
Jennifer Finney
 
ODP
Lyndsay Prewer - Smoothing the continuous delivery path - a tale of two teams
Agile Lietuva
 
PDF
Synthetic and rum webinar
SOASTA
 
PPTX
Smoothing the continuous delivery path – a tale of two teams - Lyndsay Prewer
JAXLondon_Conference
 
PDF
SC conference - Building AppSec Teams
Dinis Cruz
 
PDF
Data Driven Security
Apigee | Google Cloud
 
PPTX
Building a Performance A-Team
SOASTA
 
PDF
DPM Overview Soasta Partners.pptx
Jennifer Finney
 
PPTX
Security as Code
Ed Bellis
 
AppSec is Eating Security
Alex Stamos
 
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
Webinar: Are you ready for your peak season?
Jennifer Finney
 
Long-term Impact of Log4J
Denim Group
 
Modern Load Testing: Move Your Load Testing from the Past to the Present
SOASTA
 
The End of Security as We Know It - Shannon Lietz
SeniorStoryteller
 
Thriving in the Shark Tank: How Vebalizeit Load Tested with SOASTA
SOASTA
 
Performance Warrior Tales: Cloud Load Testing the Retail Giants
SOASTA
 
I Love APIs 2015: The "State" of your API: Common Use Cases for Storing Data
Apigee | Google Cloud
 
APIs: The New Security Layer
Apigee | Google Cloud
 
The Four Hats of Load and Performance Testing with special guest Mentora
SOASTA
 
New Features in CloudTest & TouchTest
Jennifer Finney
 
Lyndsay Prewer - Smoothing the continuous delivery path - a tale of two teams
Agile Lietuva
 
Synthetic and rum webinar
SOASTA
 
Smoothing the continuous delivery path – a tale of two teams - Lyndsay Prewer
JAXLondon_Conference
 
SC conference - Building AppSec Teams
Dinis Cruz
 
Data Driven Security
Apigee | Google Cloud
 
Building a Performance A-Team
SOASTA
 
DPM Overview Soasta Partners.pptx
Jennifer Finney
 
Security as Code
Ed Bellis
 
Ad

Viewers also liked (20)

PPTX
Hunting powerpoint
KJRoss9
 
PDF
Mobile and Serverless : an Untold Story
Vidyasagar Machupalli
 
PDF
Orchestrating Docker in production - TIAD Camp Docker
The Incredible Automation Day
 
PDF
IM World presentation from Chris Swan: Application centric – how the cloud ha...
Cohesive Networks
 
PPTX
Writing New Relic Plugins: NSQ
lxfontes
 
DOCX
Kelompok 2
University of Andalas
 
PDF
Sunbrella Ottomans by Outdoor Elegance
OutdoorEleganceAus
 
PDF
Java standards in WCM
Paolo Mottadelli
 
PDF
Application Deployment at UC Riverside
Michael Kennedy
 
PPTX
MyHeritage backend group - build to scale
Ran Levy
 
PDF
Aws + Puppet = Dynamic Scale
Puppet
 
PPTX
CloudStack EU user group - Trillian
ShapeBlue
 
PDF
Human Capital in de 21e eeuw
han mesters
 
PDF
Advanced Microservices - Greach 2015
Steve Pember
 
PPTX
What does "monitoring" mean? (FOSDEM 2017)
Brian Brazil
 
PDF
Catálogo 15 16 elksport
Elk Sport
 
PPTX
Reversing malware analysis training part3 windows pefile formatbasics
Cysinfo Cyber Security Community
 
PPTX
Item analysis
Bimel Kottarathil
 
PPTX
Nagios Conference 2014 - Fernando Covatti - Nagios in Power Transmission Util...
Nagios
 
PDF
Evolution of OPNFV CI System: What already exists and what can be introduced
OPNFV
 
Hunting powerpoint
KJRoss9
 
Mobile and Serverless : an Untold Story
Vidyasagar Machupalli
 
Orchestrating Docker in production - TIAD Camp Docker
The Incredible Automation Day
 
IM World presentation from Chris Swan: Application centric – how the cloud ha...
Cohesive Networks
 
Writing New Relic Plugins: NSQ
lxfontes
 
Kelompok 2
University of Andalas
 
Sunbrella Ottomans by Outdoor Elegance
OutdoorEleganceAus
 
Java standards in WCM
Paolo Mottadelli
 
Application Deployment at UC Riverside
Michael Kennedy
 
MyHeritage backend group - build to scale
Ran Levy
 
Aws + Puppet = Dynamic Scale
Puppet
 
CloudStack EU user group - Trillian
ShapeBlue
 
Human Capital in de 21e eeuw
han mesters
 
Advanced Microservices - Greach 2015
Steve Pember
 
What does "monitoring" mean? (FOSDEM 2017)
Brian Brazil
 
Catálogo 15 16 elksport
Elk Sport
 
Reversing malware analysis training part3 windows pefile formatbasics
Cysinfo Cyber Security Community
 
Item analysis
Bimel Kottarathil
 
Nagios Conference 2014 - Fernando Covatti - Nagios in Power Transmission Util...
Nagios
 
Evolution of OPNFV CI System: What already exists and what can be introduced
OPNFV
 
Ad

Similar to Interact Differently: Get More From Your Tools Through Exposed APIs (20)

PPTX
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
PPTX
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
PDF
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Kevin Fealey
 
PPTX
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
PDF
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
PDF
Application security testing an integrated approach
Idexcel Technologies
 
PPT
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PDF
All You Need to Know About Application Security Testing.pdf
kalichargn70th171
 
PDF
Application Security - Making It Work
IANS
 
PPTX
Building an application security program
Outpost24
 
PPTX
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
PPTX
Rational application-security-071411
Scott Althouse
 
PDF
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays
 
PPTX
Forget cyber, it's all about AppSec
Adrien de Beaupre
 
PDF
Unified application security analyser
Tim Youm
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PPTX
Application security
Hagar Alaa el-din
 
PDF
Cyber security series Application Security
Jim Kaplan CIA CFE
 
PPTX
Web security – everything we know is wrong cloud version
Eoin Keary
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
Achieving Visible Security at Scale with the NIST Cybersecurity Framework
Kevin Fealey
 
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
Application security testing an integrated approach
Idexcel Technologies
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
00. introduction to app sec v3
Eoin Keary
 
All You Need to Know About Application Security Testing.pdf
kalichargn70th171
 
Application Security - Making It Work
IANS
 
Building an application security program
Outpost24
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
Rational application-security-071411
Scott Althouse
 
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays
 
Forget cyber, it's all about AppSec
Adrien de Beaupre
 
Unified application security analyser
Tim Youm
 
Application Security - Your Success Depends on it
WSO2
 
Application security
Hagar Alaa el-din
 
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Web security – everything we know is wrong cloud version
Eoin Keary
 

Recently uploaded (20)

PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Cloud computing and distributed systems.
kkkkkhan
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 

Interact Differently: Get More From Your Tools Through Exposed APIs

  • 1. Aspect Security | 9175 Guilford Road, Suite 300 | Columbia, MD 21046 | www.aspectsecurity.com Interact Differently: Get More from your Tools through Exposed APIs OWASP LASCON Austin, TX Nov. 4, 2016
  • 2. Application security that just works ABOUT ME Kevin Fealey Principal Consultant & Practice Lead, Automation & Integration Services Never a “developer” Key Interests: • Process efficiency/effectiveness (Sec + Dev + Ops) • Learning about cool tools ©2015 Aspect Security. All Rights Reserved 2
  • 3. Application security that just works SLIDES WILL BE AVAILABLE… ©2015 Aspect Security. All Rights Reserved 3 We may never finish… https://www.linkedin.com/in/kfealey http://www.slideshare.net/kfealey
  • 4. Application security that just works APPLICATION SECURITY LANDSCAPE ©2015 Aspect Security. All Rights Reserved 4
  • 5. Application security that just works APPLICATION SECURITY LANDSCAPE ©2015 Aspect Security. All Rights Reserved 5
  • 6. COMMON PROBLEMS INVOLVING APPSEC TOOLS ©2015 Aspect Security. All Rights Reserved 6
  • 7. Application security that just works FIRST WORLD PROBLEMS ©2015 Aspect Security. All Rights Reserved 7
  • 8. Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 8 Cross-domain configurations vs policy: CSP, Framing, etc. HTTPS page accessible via HTTP File metadata (ex. Exif data) scanner Obviously verbose error messages (ex. ORA-#####) PII Displayed on Screen (ex. SSN, CCs) Cookie security flags, cache controls, autocomplete enabled Outdated [JavaScript] libraries Insecure encryption algorithm/mode detected Hard-Coded encryption key POST=GET
  • 9. Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 9
  • 10. Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 10 If a tool can find it quickly and with high accuracy, detection should be automated.
  • 11. Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 11 Allows login.jsp?username=hacked&password=whocares
  • 12. Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 12
  • 13. Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 13
  • 14. Application security that just works AUTOMATE SIMPLE TESTING ©2015 Aspect Security. All Rights Reserved 14
  • 15. Application security that just works AUTOMATE TOOL EXECUTION ©2015 Aspect Security. All Rights Reserved 15 • When evaluating tools, consider if there is a CLI/SDK – even if you don’t plan to automate today • Make integration as fool-proof as possible or
  • 16. Application security that just works CUSTOM DASHBOARDS ©2015 Aspect Security. All Rights Reserved 16 Bulky installations Non-intuitive UIs Lack of flexibility for tracking metrics that matter to you Limited support for 3rd party tools Results from pen test and SAST don’t go in the same place •Unless it’s a huge, ugly, spreadsheet Most dashboards have:
  • 17. Application security that just works CUSTOM DASHBOARDS ©2015 Aspect Security. All Rights Reserved 17
  • 18. Application security that just works CUSTOM DASHBOARDS ©2015 Aspect Security. All Rights Reserved 18
  • 19. Application security that just works CUSTOM DASHBOARDS ©2015 Aspect Security. All Rights Reserved 19
  • 20. Application security that just works CUSTOM REPORTS/VIEWS ©2015 Aspect Security. All Rights Reserved 20 • If the dashboard/view you want does not exist, have you tried to create it?
  • 21. GOTO: <CODE> ©2015 Aspect Security. All Rights Reserved 21
  • 22. Application security that just works CUSTOM REPORTS/VIEWS ©2015 Aspect Security. All Rights Reserved 22 • If the dashboard/view you want does not exist, have you tried to create it?
  • 23. Application security that just works CUSTOM TOOL INTEGRATIONS ©2015 Aspect Security. All Rights Reserved 23
  • 24. GOTO: <CODE> ©2015 Aspect Security. All Rights Reserved 24
  • 25. I’M ON BOARD.. HOW DO I BEGIN? ©2015 Aspect Security. All Rights Reserved 25
  • 26. Application security that just works GETTING STARTED • Doesn’t have to be a good idea Have an idea • Use existing Parsers Clone an existing plugin/configuration • Vendor documentation • Mailing lists • Dev forums • Blog posts Use ©2015 Aspect Security. All Rights Reserved 26
  • 27. Application security that just works KEY TAKEAWAYS You have the power to solve your own problems • It’s probably easier than you think Don’t start from scratch XPath is beastmode Contribute your stuff to GitHub so I can use it ©2015 Aspect Security. All Rights Reserved 27
  • 28. Application security that just works CODE FROM TODAY https://github.com/aspectsecurity/ImageLocationScanner https://github.com/kevinfealey/PMDRuleForLASCON2016 https://github.com/kevinfealey/PMDCodeExampleForLASCON2016 https://github.com/jenkinsci/ibm-security-appscansource-scanner-plugin https://github.com/kevinfealey/ELK-for-AppSec https://github.com/kevinfealey/vagrant-ELK-stack https://github.com/kevinfealey/XSLT_AppScan_Standard_Report https://github.com/kevinfealey/Burp_Custom_Site_Exporter ©2015 Aspect Security. All Rights Reserved 28
  • 29. Thank you! ©2015 Aspect Security. All Rights Reserved Kevin Fealey Kevin.Fealey@aspectsecurity.com @secfealz

Editor's Notes

  • #11: https://github.com/aspectsecurity/ImageLocationScanner
  • #12: https://github.com/aspectsecurity/ImageLocationScanner
  • #13: https://github.com/aspectsecurity/ImageLocationScanner
  • #15: https://github.com/kevinfealey/PMDRuleForLASCON2016 https://github.com/kevinfealey/PMDCodeExampleForLASCON2016
  • #16: https://github.com/jenkinsci/ibm-security-appscansource-scanner-plugin
  • #17: https://github.com/kevinfealey/ELK-for-AppSec https://github.com/kevinfealey/vagrant-ELK-stack
  • #18: https://github.com/kevinfealey/ELK-for-AppSec
  • #19: https://github.com/kevinfealey/ELK-for-AppSec
  • #20: https://github.com/kevinfealey/ELK-for-AppSec
  • #21: https://github.com/kevinfealey/XSLT_AppScan_Standard_Report
  • #23: https://github.com/kevinfealey/XSLT_AppScan_Standard_Report
  • #24: https://github.com/kevinfealey/Burp_Custom_Site_Exporter