
Battle-tested Code Without the Battle - Security Testing and Continuous Integration

James Wickett (Mentor Graphics), Gareth Rushgrove (Puppet Labs)
Grand Ballroom CD
Tutorial. Please note: to attend, your registration must include Tutorials on Tuesday.
Average rating: 3.75 (59 ratings)


Everyone knows that we need to harden our code before it goes into production, but very few actually test for security flaws in their delivery pipeline. We will show a basic continuous delivery pipeline that should be familiar to anyone who has worked with continuous integration, and then proceed to add steps to identify security issues in a typical web application stack. We’ll demonstrate how to:

  • Make sure code commits are really coming from the person you think they are
  • Check build artifacts for viruses
  • Identify changes to sensitive components that probably require review
  • Scan source code for common security issues
  • Make sure dependencies don’t have known vulnerabilities
  • Use real penetration testing tools as part of integration testing
  • Develop security tests alongside unit and integration tests
  • and more!

We’ll also talk about practical considerations, such as when to block the pipeline and when to just alert someone to the potential danger, and how to prevent your build time from going through the roof.
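One pipeline step that combines two of the points above, identifying changes to sensitive components and choosing between blocking and alerting, as an added example (not code from the tutorial or its repositories; the rules, paths and sample diff are constructed):

```python
"""Pipeline gate: flag changes to sensitive components, then block or alert.

Added example, not the tutorial's own code. Paths in SENSITIVE_RULES and the
sample `git diff --name-status` output below are constructed for illustration.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical policy: (glob pattern, severity). "block" fails the build,
# "alert" only notifies a reviewer and lets the pipeline continue.
SENSITIVE_RULES = [
    ("app/auth/*", "block"),        # authentication code
    ("lib/crypto/*", "block"),      # cryptographic helpers
    ("config/secrets*", "block"),   # credential configuration
    ("Gemfile.lock", "alert"),      # dependency set changed
    (".travis.yml", "alert"),       # the pipeline itself changed
]

# Constructed sample of `git diff --name-status base..head` output.
SAMPLE_DIFF = """\
M\tapp/auth/session.rb
A\tapp/views/index.html
M\tGemfile.lock
R085\tlib/crypto/old.rb\tlib/crypto/sign.rb
D\tREADME.md
"""


@dataclass
class Finding:
    path: str
    status: str      # single-letter git status: A, M, D, R, ...
    pattern: str
    severity: str


def parse_name_status(output: str) -> List[Tuple[str, str]]:
    """Turn --name-status lines into (status, path); renames report the new path."""
    changes = []
    for line in output.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        changes.append((parts[0][0], parts[-1]))  # "R085" -> "R"
    return changes


def find_sensitive(changes: List[Tuple[str, str]]) -> List[Finding]:
    """Match each changed path against the first rule it hits."""
    findings = []
    for status, path in changes:
        for pattern, severity in SENSITIVE_RULES:
            if fnmatch.fnmatch(path, pattern):
                findings.append(Finding(path, status, pattern, severity))
                break
    return findings


def decide(findings: List[Finding]) -> str:
    """Collapse findings to one pipeline decision: block, alert or pass."""
    severities = {f.severity for f in findings}
    if "block" in severities:
        return "block"
    if "alert" in severities:
        return "alert"
    return "pass"
```

In a CI job the sample string would be replaced by the real `git diff --name-status` output, and a "block" result would end the job with a non-zero exit status while "alert" would post the findings to a reviewer.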

Attendees will be able to follow along either online or by building the pipeline locally on their own computers. All of the source code will be open source and available for people to use for testing their own applications after the conference. We’ll use a range of open source technology including OWASP ZAP, Gauntlt, Jenkins, Vagrant, and more.

At the end, the attendee will:

  • Learn about common web application vulnerabilities and how to detect them
  • Be familiar with the security tools that can be used for testing
  • Be able to set up a security testing pipeline for themselves
  • Have a working sample architecture and design that they can take back to the office to start implementing


Attendees will need:

* a GitHub account
* a Travis CI account
* a computer with a web browser



James Wickett

Mentor Graphics

James is involved in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at the University of Oklahoma, and since then has worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. In his work at Mentor Graphics, James helped launch four cloud-based products for the Embedded Software Division.

James is a dynamic speaker on topics in cloud computing, cloud security and Rugged DevOps. He is the creator and founder of the Lonestar Application Security Conference which is the largest annual security conference in Austin, TX. He holds the following security certifications: CISSP, GWAPT, GCFW, GSEC and CCSK.


Gareth Rushgrove

Puppet Labs

I’m a professional and experienced software developer based in Cambridge, UK. By day I work for the UK Government fixing the internet. By night I curate the devops weekly email newsletter, hack on various open source projects, organise local meetups in London and write tutorials or articles about software development and web