Using IAST to Unlock the Benefits of DevSecOps • Jeff Williams • YOW! 2022

This presentation was recorded at YOW! 2022.

Jeff Williams - CTO & Co-founder at Contrast Security (@ContrastSecurity)

ABSTRACT

The complexity of modern applications and APIs makes them extremely difficult to test for security vulnerabilities. Traditional tools like static (SAST) and dynamic (DAST) scanners are complex to run and produce far too many false positive and false negative results. This inevitably leads to siloed appsec testing teams, bottlenecks, long feedback loops, and large security backlogs.

Fortunately, there is a way out of this trap. Using interactive application security testing (IAST), we can get inside the running application and directly measure security. Anyone who can use a browser can find complex, critical vulnerabilities without scanning, without security expertise, and without changing anything about their development process. IAST runs in real time and merges highly accurate security testing into all your normal QA activity.

In this talk, you'll learn how IAST works and how it can unlock the benefits of DevSecOps. Jeff will share data showing how large real-world companies have transformed their application security programs, eliminated their security backlog, slashed their mean time to remediate vulnerabilities, and cut their new vulnerability rate. More importantly, they have merged their quality and security testing infrastructures and aligned the interests of the development and security teams. These organizations are getting secure code moving and delivering value to customers at high velocity. [...]
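The abstract's central claim, that an agent inside the running application can "directly measure security" during ordinary QA traffic, is easiest to understand with the SQL injection case the talk outline lists. The following is an added illustration written for this page; it is not code from the talk and not Contrast Security's agent. It assumes a toy application backed by Python's built-in sqlite3: the Tainted string type, the instrumented cursor and connection classes, the two request handlers (find_user_vulnerable and find_user_safe) and the sample users table are all constructed here. Request parameters are marked as the untrusted source, and the cursor's execute method is the sink; a finding is raised when a tainted SQL string reaches the sink, regardless of whether the input was an attack payload.

```python
"""Toy IAST agent: source-to-sink taint tracking for SQL injection at runtime.

Added example for this page, not code from the talk or from any vendor's agent.
All names below (Tainted, InstrumentedCursor, find_user_*) are illustrative.
"""
import inspect
import sqlite3


class Tainted(str):
    """Marker type for data that arrived from an untrusted source.

    String building with a Tainted operand keeps the taint, so the mark
    survives the concatenation the vulnerable handler performs. A production
    agent instruments many more propagators (format, join, replace, encoders);
    this toy covers only '+'. Anything else drops the taint: a false negative.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Called for `plain_str + tainted` because Tainted subclasses str.
        return Tainted(str.__add__(str(other), self))


class InstrumentedCursor(sqlite3.Cursor):
    """Sink wrapper: every statement is inspected at the moment it executes."""

    def execute(self, sql, parameters=()):
        if isinstance(sql, Tainted):
            # Record where in the application the tainted SQL was issued,
            # the way an agent reports a code location rather than a URL.
            caller = inspect.currentframe().f_back
            self.connection.findings.append({
                "rule": "sql-injection",
                "sink": "sqlite3.Cursor.execute",
                "location": f"{caller.f_code.co_name}:{caller.f_lineno}",
                "sql": str(sql),
            })
        return super().execute(sql, parameters)


class InstrumentedConnection(sqlite3.Connection):
    """Hands out InstrumentedCursor objects; findings collect on the connection."""

    def cursor(self, factory=InstrumentedCursor):
        return super().cursor(factory)


def open_db():
    """Constructed sample data: a users table with two rows."""
    db = sqlite3.connect(":memory:", factory=InstrumentedConnection)
    db.findings = []
    cur = db.cursor()
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    cur.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return db


def taint_request(params):
    """Source: mark everything that arrived with the HTTP request as untrusted."""
    return {k: Tainted(v) for k, v in params.items()}


def find_user_vulnerable(db, params):
    """Handler that builds the query by string concatenation (the defect)."""
    p = taint_request(params)
    sql = "SELECT id, name FROM users WHERE name = '" + p["name"] + "'"
    return db.cursor().execute(sql).fetchall()


def find_user_safe(db, params):
    """Same handler with a parameterised query: the SQL text is never tainted."""
    p = taint_request(params)
    return db.cursor().execute(
        "SELECT id, name FROM users WHERE name = ?", (p["name"],)
    ).fetchall()


def run_demo():
    """Ordinary QA traffic, not an attack string, is enough to trigger a finding."""
    db = open_db()
    normal_request = {"name": "alice"}
    find_user_safe(db, normal_request)        # no finding
    find_user_vulnerable(db, normal_request)  # finding: tainted SQL hit the sink
    return db.findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['rule']} at {f['location']} via {f['sink']}: {f['sql']}")
```

The point worth noticing is that the vulnerable handler returns the correct row for the benign input "alice" and a black-box scanner would have had to guess a payload to notice anything, whereas the instrumented sink flags the concatenated query on the very first normal request. The caveat runs the other way too: taint propagation is only as complete as the set of instrumented string operations, so an f-string in this toy would silently lose the mark, which is why the accuracy of a real IAST agent depends on how thoroughly it covers the language's propagators.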
TIMECODES
00:00 Intro
02:04 Public expectations don't match reality
05:04 DevSecOps will fix everything
08:37 Instrumentation changes everything
12:10 Example: Detecting SQL injection
13:45 IAST
17:42 Runtime vulnerability snapshots
19:09 Runtime library analysis
21:07 Runtime route coverage
23:13 Runtime architecture diagrams
24:50 Deploying IAST at scale
25:55 DevSecOps - Getting secure code moving
29:33 Metrics that matter
32:53 Outro

RECOMMENDED BOOKS
Liz Rice • Container Security
Liz Rice • Kubernetes Security
Aaron Parecki • OAuth 2.0 Simplified
Aaron Parecki • OAuth 2.0 Servers
Aaron Parecki • The Little Book of OAuth 2.0 RFCs
Erdal Ozkaya • Cybersecurity: The Beginner's Guide
Richer & Sanso • OAuth 2 in Action