sapran
4/6/2018 - 7:26 AM

AppSec Awareness Training - Day 3

Notes for the Application Security awareness training, run as the initial development-team education effort under the Education and Guidance practice of OWASP SAMM.

Review the OWASP Application Security Verification Standard (ASVS) as the methodological basis for security code review.

Install SonarQube or register for SonarCloud.io.

Analyze DVWA with SonarCloud (or a standalone SonarQube instance).

SonarCloud:

sonar-scanner \
  -Dsonar.projectKey=dvwa-me \
  -Dsonar.organization=dvwa \
  -Dsonar.sources=. \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.login=<API_KEY>

Standalone SonarQube:

sonar-scanner \
  -Dsonar.projectKey=dvwa \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=<API_KEY>
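A small wrapper for the two invocations above, added here as an example and not part of the training notes: it generates a sonar-project.properties file for either target and takes the API key from the SONAR_TOKEN environment variable instead of -Dsonar.login, so the key does not end up in shell history or `ps` output. It assumes a SonarScanner CLI release that reads SONAR_TOKEN (documented for recent versions; verify for yours), that the DVWA checkout is the working directory, and that the sonar.exclusions patterns fit that checkout.

```shell
#!/bin/sh
# Example wrapper (not from the notes). Assumes SonarScanner CLI honours
# the SONAR_TOKEN environment variable and is run from the DVWA checkout.
set -eu

# Emit a sonar-project.properties for the chosen target.
# mode: "cloud" (sonarcloud.io, needs an organization) or "local".
render_properties() {
  mode="$1"; project_key="$2"
  case "$mode" in
    cloud)
      printf 'sonar.host.url=https://sonarcloud.io\n'
      printf 'sonar.organization=%s\n' "${SONAR_ORG:-dvwa}"
      ;;
    local)
      printf 'sonar.host.url=http://localhost:9000\n'
      ;;
    *)
      echo "unknown mode: $mode (use cloud or local)" >&2
      return 2
      ;;
  esac
  printf 'sonar.projectKey=%s\n' "$project_key"
  printf 'sonar.sources=.\n'
  # Assumed exclusions for bundled third-party code; adjust to your checkout.
  printf 'sonar.exclusions=**/vendor/**,**/external/**\n'
}

# Refuse to scan without a token, and never echo its value.
check_token() {
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set; export a token generated in your Sonar account" >&2
    return 1
  fi
  return 0
}

run_scan() {
  mode="$1"; project_key="$2"
  check_token || return 1
  render_properties "$mode" "$project_key" > sonar-project.properties
  # The scanner picks up sonar-project.properties and SONAR_TOKEN itself,
  # so no credential appears on the command line.
  sonar-scanner
}

# Usage: SONAR_TOKEN=... ./scan.sh local dvwa   (or: cloud dvwa-me)
if [ -n "${1:-}" ]; then run_scan "$1" "${2:-dvwa}"; fi
```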

Practice: exercise software security review on artificial cases (see handouts). Work in teams of 4 to 6 people. Afterwards, review the results together with an on-screen demonstration.