A proven champion for quality, well versed in software quality engineering, and a WebApp security researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. A Certified Six Sigma Black Belt (American Society for Quality, Hewlett Packard), he possesses deep and broad experience in solving complex problems, change management, and coaching and mentoring. As one of the leaders of the Open Web Application Security Project (OWASP) Portland Chapter, he is dedicated to driving WebApp security to higher levels by integrating security into the Agile software development life cycle. His research areas are: elicitation of security requirements, comprehensive testing approaches beyond penetration testing, and application of test tools in secure web application development. Bhushan is a member of the AppSec USA 2020, San Francisco and Pacific Northwest Software Quality Conference program teams.
Web Application Security Testing – Which Path Should I Take?
The security breaches of the 21st century have frightened the software industry. Penetration testing (Pen Test) of web applications has now taken a foothold, and organizations such as the Open Web Application Security Project (OWASP) have developed processes and tools to build more secure applications. OWASP Top Ten and ZAP have become familiar names in Web Application security. An analysis of some of the worst breaches of 2019 shows that there are no well-defined patterns explaining their root causes. Therefore, we need to adopt a comprehensive web application development approach that leads to high-confidence application security. This talk will discuss the shortcomings of Penetration Testing (Pen Test) and establish the need to integrate security into the development cycle. With the help of examples, it will show how to create a security story, perform threat analysis, build acceptance criteria, and develop a test suite. It will then expand upon static and dynamic testing and highlight how a security test tool such as ZAP can be integrated into a CI/CD pipeline, making security an integral component of DevOps.