A developer's guide to secure programming

During this seminar we will look at how integration with build servers can automate the SAST process, relieving the developer of the responsibility to initiate scans. We will also see how Incremental Scans can reduce scan time, bringing it in line with DevOps expectations, and even allow the build server to ‘break the build’ if vulnerability thresholds exceed defined policies.

Agenda

  • How to use SAST tools to check for security vulnerabilities
  • Integration to the SDLC, get results in the tool of your choice:
    - IDE
    - Build Servers
    - SonarQube
    - Jira
  • False Positives and how to remove them at source
  • Open Source Libraries – they are free, but not necessarily safe (remember Heartbleed?)
  • Education – how to learn on the job with Just in Time Training

Presenter Andy about his seminar:

A former CEO I worked for once said it does not matter how many static analysis tools you use, it is what you do with the results that counts. With that in mind I will be talking about how to get the best out of your SAST tool through automation and distribution of results. Whilst this will be based around the Checkmarx tool, the concepts of what you should want to achieve will apply to many other tools.

So you have scan results, what next? Integration to Jira can allow you to raise tickets for vulnerabilities with minimal effort and then fix these as part of your regular workflow. Developers can review results within their IDE, increasing adoption of SAST tools as developers do not need to learn new tools. Using SonarQube? No problem, allow your developers to review SAST results in their favourite dashboard.

Learn how to remove False Positives at source by training the scanning engine to learn about your code base and remove these at source through greater understanding of your application.

Using third-party libraries? They are free, but not necessarily safe. We will look at how to easily scan your application with Software Composition Analysis and understand the risk these libraries may introduce.

More information and registration

The lecture will be held in English. You register via the form below, no later than 26 October.

If you are unable to attend, cancel your registration by emailing event@gsp.se.

A whole month focused on information security

During October the focus in Gothia Science Park is on cyber security, privacy and information security. A series of activities on the theme of information security will be organised to give you the opportunity to develop your skills and learn more about the field. This lecture is one of these exciting activities. The information security month is an activity in the open innovation environment Gothia Science Park and is a collaboration between Gothia Innovation, IDC West Sweden, Näringslivsforum, Almi Väst, Agroväst, Skaraborgs Kommunalförbund, Högskolan i Skövde and the companies Combitech, Informator, Västgöta-Data, ATEA, Sigma, Checkmarx and Actea.