Abstract
I am sure all of you have heard about "Shift Left Security" in many presentations, but how do you actually achieve this? Well, this is the talk for you - where I'll cover all the DevSecOps buzzwords and showcase a functional DevSecOps pipeline that can perform security testing such as SCA, SAST, and DAST.
Description
In this talk I'll cover how to build your first DevSecOps pipeline with Open Source tooling. I'll address various concepts and buzzwords related to DevSecOps to clear your doubts. I'll demonstrate a GitLab pipeline that has various open-source security tooling embedded to perform the following security tests against a vulnerable application:
Secrets Detection (tools such as TruffleHog, etc.)
Software Composition Analysis (SCA)
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
With this pipeline, our aim is to identify security issues as early as possible so that we can build "Secure by Default" products. This pipeline and demos will cover tools such as RetireJS, Safety, Bandit, TruffleHog, NMAP, SSLyze and ZAP.