What we're about

OWASP Aarhus Chapter, free to join, open to all. We meet to discuss & demonstrate web and browser-based vulnerabilities, tools & solutions. More information about the OWASP Aarhus Chapter can be found at https://www.owasp.org/index.php/Aarhus.

Upcoming events (1)

OWASP Aarhus Chapter Meeting - Virtual - March

Note that this is a virtual event running on Zoom. Please reach out if the event gets full and I will add room for more people.

19:00 – 19:10 – "Welcome" by OWASP Chapter Aarhus

19:10 – 19:55 – "Let's Write Security Unit Tests" by Eric Johnson, Principal Security Engineer at Puma Security and SANS Senior Instructor

About the presentation:
DevOps teams are test obsessed, often leveraging unit testing frameworks and continuous integration (CI) tools to automate test requirements. In this talk, we will explore how security unit testing fits into DevOps, a few unit testing frameworks, and several examples that can help security teams harden their applications. Live demonstrations will show how to write security unit tests, execute the tests in a GitHub Actions workflow, and evaluate the test results.

About the presenter:
Eric Johnson is co-founder and Principal Security Engineer at Puma Security focusing on cloud security, static code analysis, and DevSecOps automation. His experience includes performing cloud security reviews, infrastructure as code automation, application security automation, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is a Senior Instructor with the SANS Institute where he authors information security courses on cloud security, DevSecOps automation, and secure coding. He delivers security training globally for SANS, as well as presents security research at conferences including RSA, BlackHat, OWASP, BSides, DevOpsDays, fwd:cloudsec, and ISSA.

19:55 – 20:05 – Short break

20:05 – 20:55 – “A Fully Trained Jedi, You Are Not” by Adam Shostack, President, Shostack + Associates

About the presentation:
As software organizations try to bring security earlier in the development processes, what can or should regular software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands a shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they'll keep building insecure systems. With it, we can have fewer recurring problems that are trivially attackable.

About the presenter:
Adam is a leading expert on threat modeling, and a consultant, author and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. He helped to create the CVE, serves on the Blackhat Review Board, and is an affiliate professor at the University of Washington.

20:55 – 21:00 – "Closing notes and Goodbyes" by OWASP Chapter Aarhus

Past events (23)

OWASP Aarhus Chapter Meeting - February