In the Application Security Community, where we show the importance of keeping your application code secure.  We will run through practices on how to identify, fix, and prevent vulnerabilities in running applications and source code. In addition, we will show you how to evaluate your application security program, use common application security tools, and model threats to your applications.

What we will teach:

The AppSec community is back with more tools, more content, and more challenges!

We will guide attendees in the finding and fixing vulnerabilities, through manual processes and use of SAST, DAST, and SCA tools. Sample vulnerable repositories will be provided for attendees to learn and practice the use of these tools.

Static Application Security Testing (SAST): Use tools such as FluidAttacks and Snyk to identify vulnerabilities in code, and learn how to remediate them

Dynamic Application Security Testing (DAST): Use tools such as OWASP ZAP to analyze a running application for security misconfigurations

Software Composition Analysis (SCA): Use tools such as Google’s osv.dev to identify vulnerable third party components of an application

Once you’ve found a vulnerability, learn how to use Git to submit a fix through a pull request.

If you’ve never written any code in your life, don’t worry! We’ll have an introductory AppSec challenge for you to learn something about AppSec without having to learn how to write code.

What should I bring?

Participants will not need to bring any equipment to learn, we will have a limited number of workstations available to share.

For the best experience you should bring the following equipment when visiting the AppSec Community:

• Laptop
• Install Git
• Install Python
• Have a Linux virtual machine