Tune your Toolbox – Building a high-value AppSec scanning programme.

Updated: 27 July 2022

tl;dr

I am delivering training courses on how to build effective processes around application security scanning tools as part of my work for Bounce Security. The course's official name is "Building a High-Value AppSec Scanning Programme" and its unofficial, more fun but less descriptive name is "Tune your Toolbox for Velocity and Value". This post collects more information about the course in one place.

The easiest way to attend this course right now is to sign up for the two-day, public version which will be run in London in December as part of Black Hat EU. For more information and to register, see this page here.

Feedback from the one-day version which we ran in June appears lower down this page.

Alternatively, you are welcome to get in touch with me to discuss private training by Bounce Security via email (info <at> bouncesecurity.com) or via Twitter.

Index of information

Text about the course

Background

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and not sure how to measure their progress.

If you are involved in using SAST, DAST or SCA tools in your organisation, these feelings may be familiar to you, and this course aims to address these issues.

This is a topic I have had significant experience with over the last several years providing application security consulting and “on the ground” assistance to various organisations. This has exposed me to a variety of these tools and several ways of working with them, seeing what works and what does not in different contexts.

Being a consultant means I have no vendor allegiance or commitment, which allows me to discuss useful war stories (both successful and less successful) without disclosing sensitive client/employer information.

From working with these organisations and discussing the topic in various forums, this problem certainly seems to resonate, and training like this fills a gap that urgently needs to be addressed. Companies are being told that they need to improve their application security posture and that more tools are the key to doing this efficiently. However, it is becoming clear that without effective processes and strategies for working with these tools, they quickly become a burden and a blocker.

Content summary

In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:

  • What to expect from these tools
  • Customising and optimising these tools effectively
  • Building tool processes which fit your business
  • Automating workflows using CI/CD without slowing it down
  • Showing the value and improvements you are making
  • Faster and easier triage through smart filtering
  • How to focus on fixing what matters and cut down noise
  • Techniques for various alternative forms of remediation
  • Building similar processes for penetration testing activities
  • Comparison of the different tool types covered

To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.

For these exercises, you will work from specially designed process templates (which we will provide) that you can use afterwards to apply these improvements within your own organisation.

Be ready to work in a group, take part in discussions and present your findings, and leave the course with clear strategies and ideas for getting less stress and more value from these tools.

Feedback so far

We ran a one-day version of the course focussing on SCA and SAST virtually at OWASP Global AppSec EU 2022 and it went very well. Feedback included everyone feeling they had achieved their desired learning outcomes, 100% satisfaction with the instructor (me 🥰) and a 100% Net Promoter Score®. There was also significant positive feedback on the hands-on exercises.

Attendee comments included:

On target good advice on taking the next steps in SCA and SAST.

For me it was the perfect input to structure the ideas we already have in our SAST introduction journey.

We are excited to expand with more content and broader exercises in upcoming longer versions!

Audio/Visual information about the course

For those of you who prefer to hear information rather than read it, here are some useful resources.

Elevator pitch for the course ~2 minutes

In this short video, I give a quick explanation of the course and the ideas around it. Transcript in the original LinkedIn post.

https://www.linkedin.com/posts/joshcgrossman_owasp-globalappseceu-sca-activity-6912790798547742720-cdLm

Discussion of the background to the course – ~40 minutes

In this interview with the Application Security Podcast, I talk through the background to the course including where the idea came from and the key takeaways and ideas I want people to get from the course.

https://www.securityjourney.com/podcast-episode/josh-grossman-building-a-high-value-appsec-scanning-program

Sample 1 of the course material – SCA Deep Dive ~55 mins

This is an example of some of the course content albeit pushed together in a less interactive way. The course itself has more discussion and exercises interspersed. This particular session was a deep-dive on Software Composition Analysis (SCA).

https://open-security-summit.org/sessions/2022/mini-summits/mar/devsecops/tune-up-your-toolbox-for-better-appsec-value-sca-edition/

Sample 2 of the course material – Quick-fire tips ~40 mins

This was a talk I gave at DevSecCon24, designed as a few quick examples of efficiency tips for SCA and SAST. In the full training course there are far more suggestions and there is much more time to explain, discuss and practice them.

https://www.youtube.com/watch?v=5JOuRZoyc6o

How can I attend this training course?

Black Hat EU 2022 in London

https://www.blackhat.com/eu-22/

The easiest way right now is to sign up for the full two-day version of the course, which will be delivered in person at Black Hat EU on December 5th and 6th 2022 at ExCeL London. The specific details of the content to be covered in this course and registration information can be found on the conference website here. There is a big discount for signing up before 25th September!

Black Hat EU is one of the highlights of the cybersecurity conference calendar and I am really excited to be training there and attend the conference!

Manicode Training

I am honoured to be listed in the legendary Jim Manico’s training catalogue. Jim’s catalogue is primarily aimed at organisations arranging training for their employees and has a variety of top-class taught training courses. I strongly recommend that anyone looking for the best application and cloud security training takes a close look at what is on offer.

The full training catalogue can be found on the Manicode website and the extracts for my Tools course are below. (I also have an ASVS course available which you can see in the catalogue as well 😀!)

To find out more or to arrange training, you can get in touch with Jim via the Manicode website or get in touch with us directly via info <at> bouncesecurity.com.

Other venues

To be confirmed but stay tuned!