
OWASP MSP Chapter Meeting

Hosted By
Alex B. and Todd D.

Details

Welcome Eric Johnson, who will be sharing insights into security, DevOps and CI/CD.

Secure DevOps: A Puma’s Tail

DevOps is changing the way that organizations design, build, deploy and operate online systems. Engineering teams are making hundreds, or even thousands, of changes per day, and traditional approaches to security are struggling to keep up. Security must be reinvented in a DevOps world and take advantage of the opportunities provided by continuous integration and delivery pipelines.

In this talk, we start with a case study of an organization trying to leverage the power of Continuous Integration (CI) and Continuous Delivery (CD) to improve its security posture. After identifying the key security checkpoints in the pre-commit, commit, acceptance, and deployment lifecycle phases, we will explore how unit testing and static analysis fit into DevSecOps. Live demonstrations will show how to identify vulnerabilities pre-commit inside the Visual Studio development environment, and how to enforce security unit tests and static analysis in a Jenkins continuous integration (CI) build pipeline. Attendees will walk away with a better understanding of how security fits into DevOps, and an open source .NET static analysis engine to help secure their organization’s applications.

About the Speaker

Eric is a co-founder and principal security engineer at Puma Security focusing on static analysis product development and DevSecOps automation. His experience includes application security automation, cloud security reviews, static source code analysis, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments.
Eric is also an instructor and author with the SANS Institute. He has presented his security research at conferences around the world including SANS, BlackHat, OWASP, BSides, JavaOne, UberConf, and ISSA.
Eric completed a bachelor's degree in computer engineering and a master's degree in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.

OWASP MSP Chapter
Dorsey-Ewald Conference Center
1000 Westgate Drive · St Paul, MN