A proven champion for quality who is well versed in software quality engineering, and a web application security researcher, Bhushan is the principal consultant at Gupta Consulting, LLC. A Certified Six Sigma Black Belt (American Society for Quality, Hewlett Packard), he has deep and broad experience in solving complex problems, change management, and coaching and mentoring. As one of the leaders of the Open Web Application Security Project (OWASP) Portland Chapter, he is dedicated to raising the level of web application security by integrating security into the Agile software development life cycle. His research areas are the elicitation of security requirements, comprehensive testing approaches that go beyond penetration testing, and the application of test tools in secure web application development. Bhushan is a member of the program team for AppSec USA 2020, San Francisco and for the Pacific Northwest Software Quality Conference.
Beating the Clock using AppSec Testing Tools and DevSecOps
With the rising number of security breaches, the IT industry faces increasing pressure every day to develop more secure and robust web applications. These applications are developed in a complex environment of frameworks, languages, and platforms and are often deployed in even more diverse hosting conditions. The industry's appetite to be first to market makes matters worse. The software industry has leveraged automation heavily to improve quality and beat the time-to-market clock, and web application security tools are now gaining the same momentum.
This presentation will focus on how application security (AppSec) test tools can be used to develop a more secure product and gain development efficiencies. It will first lay out tool selection criteria and then discuss the strengths and shortcomings of both static and dynamic test tools. The presentation will showcase ZAP (Zed Attack Proxy), a widely used OWASP (Open Web Application Security Project) tool, highlighting its strengths. It will also feature a demo of ZAP, both as a standalone tool and integrated into a Jenkins CI/CD pipeline.
• How to select an AppSec testing tool
• ZAP – strengths and usage
• How to run ZAP as a standalone tool
• How to integrate ZAP with Jenkins
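The last two topics come down to one integration point: running a ZAP scan from the pipeline and turning its report into a pass/fail decision for the build. The following is an added example, not code from the talk or from the ZAP project. It assumes that a preceding pipeline step has run ZAP's packaged baseline scan (for example `zap-baseline.py -t <target> -J zap.json`, whose `-J` switch writes a JSON report) and that the report has the shape ZAP emits: a top-level `site` list, each site carrying an `alerts` list with string `riskcode` and `confidence` fields. The report embedded below is constructed for illustration; the target name and plugin ids in it are placeholders.

```python
"""Quality gate for a ZAP JSON report, meant to run as a Jenkins pipeline step.

Usage (added example, assumes a report written by zap-baseline.py -J):
    python zap_gate.py zap.json [pluginid-to-ignore ...]
With no arguments it evaluates the constructed SAMPLE_REPORT below.
"""
import json
import sys
from collections import Counter

# ZAP risk codes as they appear in the JSON report (strings "0".."3").
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def load_alerts(report_text):
    """Flatten the alerts of every scanned site into one list of plain dicts."""
    report = json.loads(report_text)
    alerts = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "pluginid": str(alert.get("pluginid", "")),
                "name": alert.get("alert") or alert.get("name", ""),
                "risk": int(alert.get("riskcode", "0")),
                "confidence": int(alert.get("confidence", "0")),
                "count": len(alert.get("instances", [])),
            })
    return alerts


def evaluate(alerts, fail_risk=3, warn_risk=2, min_confidence=1, ignore_plugins=()):
    """Apply the gate policy; returns (status, failing, warning).

    status is "FAIL" if any alert reaches fail_risk, "WARN" if any reaches
    warn_risk, otherwise "PASS". Alerts below min_confidence (0 = ZAP's
    "false positive" confidence) and alerts from ignored plugins are skipped,
    which is how a team suppresses a triaged finding without lowering the bar.
    """
    failing, warning = [], []
    for a in alerts:
        if a["pluginid"] in ignore_plugins or a["confidence"] < min_confidence:
            continue
        if a["risk"] >= fail_risk:
            failing.append(a)
        elif a["risk"] >= warn_risk:
            warning.append(a)
    if failing:
        return "FAIL", failing, warning
    if warning:
        return "WARN", failing, warning
    return "PASS", failing, warning


def summarize(alerts):
    """Count alerts per risk level for the build log."""
    return Counter(RISK_NAMES[a["risk"]] for a in alerts)


def exit_code_for(status):
    """Same convention zap-baseline.py uses: 0 pass, 1 fail, 2 warn."""
    return {"PASS": 0, "FAIL": 1, "WARN": 2}[status]


# Constructed sample report in the ZAP JSON layout; not real scan output.
SAMPLE_REPORT = json.dumps({
    "@version": "2.9.0",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://app.example.test/"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/search?q=x"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/"},
                           {"uri": "https://app.example.test/login"}]},
        ],
    }],
})


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    alerts = load_alerts(text)
    status, failing, warning = evaluate(alerts, ignore_plugins=tuple(argv[2:]))
    print("ZAP alerts by risk:", dict(summarize(alerts)))
    for a in failing + warning:
        print(f"  [{RISK_NAMES[a['risk']]}] {a['pluginid']} {a['name']} ({a['count']} instance(s))")
    print("Gate result:", status)
    return exit_code_for(status)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a Jenkins declarative pipeline this runs inside a `sh` step after the scan step; a non-zero exit code fails the stage, so a High-risk finding blocks the build while Medium findings leave a warning in the log. Keep the ignore list in version control next to the Jenkinsfile so every suppression is reviewed like code.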