So last month Sharon Goldberg showed a big latent demand for more DevSecOps content. I am lucky to work with one of the OWASP founders, Jeff Williams, and he agreed to do a talk on IAST and RASP technologies.

# DevSecOps: Why Aren’t IAST and RASP in Your Stack?

Software is incredibly hard to secure because it's a black box. We've spent decades trying to verify properties of software by analyzing the source code, scanning, fuzzing, pentesting, and so on. But the lack of context always leads to false positives, manual effort, long feedback loops, large security backlogs, and MTTR measured in months, not days. In this talk, Jeff will demonstrate the power of "security observability" by using instrumentation (similar to a performance tool) to expose critical security vulnerabilities and attacks from inside an application while it's running. First, Jeff will introduce Interactive Application Security Testing (IAST) and show you how *anyone* can quickly and accurately find complex vulnerabilities without scanning. Jeff will also show you how you can use Runtime Application Self-Protection (RASP) to prevent your application from being exploited in production. Finally, Jeff will provide practical advice on how you can use IAST and RASP to achieve DevSecOps and build bridges between development and security.
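As an added illustration (not code from the talk, from Jeff, or from any IAST/RASP product), here is a toy sketch of the mechanism the abstract describes: the application is instrumented from the inside so a sensor can see untrusted input reach a dangerous sink. The `Tainted`, `instrumented_execute` and `handle` names are invented for this sketch; in IAST mode the sensor only reports a finding (useful under ordinary tests, no attack payload needed), while in RASP mode it also blocks the operation.

```python
# Toy IAST/RASP sensor (constructed example). A real agent hooks sources and
# sinks inside the runtime; here a str subclass carries the taint and a
# wrapper around the database call acts as the sensor.

class Tainted(str):
    """A str that remembers it came from an untrusted source (e.g. HTTP input)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))   # taint survives concatenation
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

class Blocked(Exception):
    """Raised by the sensor in RASP mode when a dangerous operation is stopped."""

def instrumented_execute(db_execute, mode, findings):
    """Wrap a database execute(). mode is 'iast' (report) or 'rasp' (report
    and block); findings collects what the sensor observed."""
    def execute(sql, params=()):
        if isinstance(sql, Tainted):              # untrusted data in the SQL text
            findings.append({"rule": "sql-injection", "sql": str(sql)})
            if mode == "rasp":
                raise Blocked("untrusted data reached SQL sink")
        return db_execute(sql, params)
    return execute

def fake_db_execute(sql, params=()):
    """Stand-in for a real driver; just echoes what it was asked to run."""
    return (str(sql), tuple(params))

def vulnerable_lookup(user_id, execute):
    # String concatenation: the tainted input becomes part of the SQL text.
    return execute("SELECT * FROM users WHERE id = " + user_id)

def safe_lookup(user_id, execute):
    # Parameterised query: the SQL text is constant, input travels as a bound value.
    return execute("SELECT * FROM users WHERE id = ?", (user_id,))

def handle(handler, raw_input, mode):
    """Simulate one request: mark the input untrusted, run the handler under the
    sensor, and return (result or None if blocked, findings)."""
    findings = []
    execute = instrumented_execute(fake_db_execute, mode, findings)
    try:
        return handler(Tainted(raw_input), execute), findings
    except Blocked:
        return None, findings

if __name__ == "__main__":
    # Note the benign input "42": IAST flags the vulnerable data flow from normal
    # test traffic, without anyone having to craft an attack.
    print(handle(vulnerable_lookup, "42", "iast"))
    print(handle(vulnerable_lookup, "42", "rasp"))
    print(handle(safe_lookup, "42", "rasp"))
```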

Jeff recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

