Monday 

Room 5 

09:00 - 17:00 

(UTC+01)

2 Days

Building a High-Value AppSec Scanning Programme

Application security scanning tools such as SAST, DAST or SCA have become a key part of most organisations' AppSec programmes. However, we repeatedly see that the effort they require is so high that it overshadows other important AppSec processes, without a comparable benefit in value.

Security
DevOps
Tools
Testing
Application Security
People
Process
Security Tooling

Many organisations find themselves drowning in "possible vulnerabilities", struggling to streamline their processes and not sure how to measure their progress. If you use these tools in your organisation, this may sound familiar.

There are a lot of general resources about application security and automating application security testing. However, there is almost no guidance on how to actually make the tools work effectively within an organisation, and in particular the manual processes required to operationalize the automated tools.

In this unique course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:

  • The problems these tools should be solving for you
  • Customising and optimising these tools effectively
  • Building tool processes which fit your business
  • Automating workflows using CI/CD without slowing it down
  • Showing the value and improvements you are making
  • Faster and easier triage through smart filtering
  • How to focus on fixing what matters and cut down noise
  • Techniques for various alternative forms of remediation
  • Comparison of the different tool types covered

To bring the course to life and let you apply what you learn, you will work in teams (or individually if you prefer) on table-top exercises where you design processes to cover specific scenarios and have the opportunity to explain and justify your decisions to simulated stakeholders. You will also practice evaluating real vulnerabilities to prioritise your remediation efforts and focus on what really matters.

For these exercises, you will work from specially designed process templates (which we will provide) that you can afterwards use to apply these improvements within your own organisation.

Key Takeaways

Upon completion of this training, attendees will take away:

  • A deep understanding of how each tool really works, the differences between them, and how to build effective processes around each of them.
  • Efficient approaches to triaging application vulnerabilities, cutting down noise and addressing what matters most.
  • Sample process documents with guidance on the key pointers for evaluating, implementing, optimising, and operating these tools.

What Students Should Bring

  • Tablet or laptop with an internet connection.
  • Devices should be able to use Microsoft Office or Google Docs.
  • Preferred notetaking equipment.

What Students Will Be Provided With

  • Detailed process worksheet templates for each class of tool.
  • Vulnerability triage workflow for each class of tool.
  • Course slides and supporting materials used in the exercises.
  • Access to the sample projects/scripts used in the exercises.
  • Feedback on their responses to the exercises and further suggestions.
  • Dedicated chat channel to use during and after the course to discuss and ask questions.
  • Certificate of completion.

For lots more details including a full course outline and previous participant feedback, see the course page at https://appsecg.host/tools

Josh Grossman

Josh has worked for 15 years as a consultant in IT/Application Security and Risk, and as a Software Developer. In that time he has seen the good, the bad and the stuff which is sadly/luckily still covered by an NDA. He is currently Chief Technology Officer for Bounce Security, where he spends his time helping organisations improve and get better value from their Application Security processes and providing specialist Application Security advice. In his spare time he co-leads the OWASP Application Security Verification Standard project and is on the OWASP Israel chapter board.