AppSec USA 2017 has ended
Friday, September 22 • 3:30pm - 4:15pm
Practical Dynamic Application Security Testing within an Enterprise



The incorporation of DevOps within a large enterprise is generally accomplished through strategic planning on the organizational level. Having a common pipeline for Continuous Integration (CI) and Continuous Deployment (CD) can enhance the security posture of an application and enable organizations to rapidly release applications into production. However, the insertion of application security in the pipeline is only one step of a multidimensional application security approach.


In this presentation, we will describe our implementation of two complementary methods, which have allowed us to provide the scalability and coverage required in order to meet the needs of a large enterprise. The first method utilizes a tool written in Java to allow for easy integration with your build. We will demonstrate how to deploy and use a dynamic scanner within a Continuous Integration (CI) and Continuous Deployment (CD) pipeline. The second method leverages the data collected from analytic tools such as Splunk, LogStash, Tealeaf and SiteCatalyst. Through the utilization of containers, we will demonstrate how a RESTful API service can be implemented to perform a quick analysis of applications to ensure basic security requirements are met on a large scale. An example will be presented utilizing a RESTful API service to enhance our continuous scanning platform with multiple scanning technologies.


Implementing these solutions has transformed the way we assess our applications. Using the first method we were able to offer a dynamic scanning solution to all of our applications that support automated regression testing. Our second method has enabled us to effortlessly scan over 2000 URLs in less than 2 hours to provide a quick look at the security of all of our exposed URLs. It is essential to put security at the forefront of the organizational structure and to ensure that dynamic analysis is part of all build cycles.


Nicholas Doell

Senior Application Security Engineer, Verizon
Nicholas Doell is a senior application security engineer at Verizon. He received his M.Sc. degree in System Security Engineering from Stevens Institute of Technology in 2012 and has nine years of experience working in multiple security fields. He has a passion for web and mobile security...

Nicholas Kenney

Application Security Engineer, Verizon
Nicholas Kenney is an application security engineer at Verizon. He received his B.Sc. degree in Computer Science from East Stroudsburg University in 2012 and has worked in IT for 7 years. Nick started out working as a freelance web developer while in college, until being hired by...

Friday September 22, 2017 3:30pm - 4:15pm EDT
Coronado H