
I am delivering training courses on how to build effective processes around application security scanning tools as part of my work for Bounce Security. The course's official name is “Building a High-Value AppSec Scanning Programme” and its unofficial, more fun but less descriptive name is “Tune your Toolbox for Velocity and Value”. This post serves as a single place to get more information about the course.

About the course

You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in “possible vulnerabilities”, struggling to streamline their processes and unsure how to measure their progress. If you are involved in using SAST, DAST or SCA tools in your organisation, these feelings may be familiar to you, and this course sets out to address these issues.

This is a topic I have had significant experience with over the last several years providing application security consulting and “on the ground” assistance to various organisations. This has exposed me to a variety of these tools and several ways of working with them, seeing what works and what does not in different contexts. Being a consultant means I have no vendor allegiance or commitment, and it allows me to discuss useful war stories (both successful and less successful) without disclosing sensitive client/employer information.

From working with these organisations and discussing the topic in various forums, this problem clearly resonates, and training like this fills a gap that urgently needs to be addressed. Companies are being told that they need to improve their application security posture and that more tools are the key to doing this efficiently. However, it is becoming clear that without effective processes and strategies for working with these tools, they quickly become a burden and a blocker.

In this course you will learn how to address these problems and more (in a vendor-neutral way), with topics including:
  • What to expect from these tools?
  • Customising and optimising these tools effectively
  • Building tool processes which fit your business
  • Automating workflows using CI/CD without slowing it down
  • Showing the value and improvements you are making
  • Faster and easier triage through smart filtering
  • How to focus on fixing what matters and cut down noise
  • Techniques for various alternative forms of remediation
  • Building similar processes for penetration testing activities
  • Comparison of the different tool types covered

Feedbacks

I ran a 1 day version of the course focussing on SCA and SAST virtually at OWASP Global AppSec EU 2022 and I have now run the 2 day in-person version of the course (which includes SCA, SAST, DAST and pen testing) twice at OWASP Global AppSec San Francisco 2022 and Dublin 2023.

All three sessions went very well, with very positive feedback.

"On target good advice on taking the next steps in SCA and SAST."

"Group exercises were awesome – everybody was involved, compensated for each other’s knowledge gaps and shared experience and approaches."

"Good high level overview of the space and a primer on what to reasonably expect when one implements a program in their business."

"There were a few aspects of SCA and SAST that I haven’t considered before and that Josh brought up that were quite helpful. Josh is also a master of balance on how much time he spends in each topic and answering questions, which meant that the training felt very fluid."

"Very good, Josh is highly skilled in the topic."

Audio/Visual information about the course

Elevator pitch for the course (video, ~2 minutes)

In this short video, I give a quick explanation of the course and the ideas around it.

Discussion of the background to the course (video, ~40 minutes)

In this interview with the Application Security Podcast, I talk through the background to the course including where the idea came from and the key takeaways and ideas I want people to get from the course.

Sample 1 of the course material – SCA Deep Dive (video, ~55 minutes)

This is an example of some of the course content, albeit pushed together in a less interactive way; the course itself has more discussion and exercises interspersed. This particular session was a deep dive on Software Composition Analysis (SCA).

Sample 2 of the course material – Quick-fire tips (video, ~40 minutes)

This was a talk I gave at DevSecCon24, designed to be a few quick examples of efficiency tips for SCA and SAST. In the full training course there are far more suggestions and there is much more time to explain, discuss and practise them.