Finding insecure third-party libraries in dependencies, containers, APIs (OWASP Top 10 - A9)
2019-08-23, 15:15–17:15, Fireplace (Workshop)

The OWASP Top Ten project lists the top 10 (web) application security risks. In this workshop we will take a close look at number 9: "Using Components With Known Vulnerabilities".

We will try to use (open source) tooling to find known vulnerabilities in third-party libraries, containers and APIs, then take a look at how we can automate those tools in our CI/CD pipelines.
You don't need to know about security or vulnerability management to do the workshop; we will cover the basics and you can learn a lot on the way.


Demo app:
https://github.com/cy4n/broken/
Workshop assignment: https://github.com/cy4n/broken/blob/master/workshop/assignment.md

The workshop will feature the following tools:
- OWASP dependency-check (the workshop will focus on Java/Maven/Gradle, but feel free to bring your own languages and dependencies so I can learn something too :) )
- CoreOS Clair for container scanning
- OWASP ZAP for API scanning (technically not A9, but it covers many of the others ;) )

If we have time (or if you're interested after the actual workshop) we can further discuss how we can shape the process of fixing those vulnerabilities in our daily dev/ops/x jobs (or we can just rant about security over some beers).

We speak English and German, so don't be scared if your English is not too good. We will get along :-)

This workshop is the hands-on counterpart to my talk on Thursday, 14:00 in Curie (Tent 1):
https://fahrplan.events.ccc.de/camp/2019/Fahrplan/events/10181.html