DevOpsDays Zürich

Joseph Katsioloudes

31 May - 1 June 2022 | Alte Kaserne Winterthur

Developer Advocate @ GitHub

Joseph Katsioloudes makes cyber security easy for developers as part of his role at GitHub Security Lab. He chose this career path because cyber was his own way, from a very young age, to provide ethical and dedicated service to organisations and the society as a whole. Latest public contribution include his YouTube series “SecurityBites” where he educates developers on common software bugs.

Joseph holds 2 engineering degrees, including a MEng in Computing from Imperial College London and a MSc in Cyber Security Engineering from the University of Warwick. Other highlights include a zero-day vulnerability for a Top 10 Cryptocurrency in 2018, the Final of International Innovation Awards in 2016, and Open-source contributions to Intelligence & Blockchain.

joseph-katsioloudes.jpg
  • Twitter
  • LinkedIn

Workshop

Security as Code: A DevSecOps Approach

Room: “Gesang” / 2nd floor

Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization.

In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline.
 

Prerequisites for the workshop

To attend the workshop, we would need your GitHub handle to provide you access. We also recommend to install the following pre-requisites that should take around 3 minutes.

Don’t worry if you don’t have time or you face technical difficulties because time will be provided during the workshop to go over the steps.
Prerequisites and setup instructions

Please complete this section before the workshop.

Install Visual Studio Code.

Install the CodeQL extension for Visual Studio Code by navigating on the left toolbar, click Extensions and search for CodeQL. Install the verified extension from GitHub. Full details here.

— You can stop here if you haven’t provided the organisers or the instructor with your GitHub handle because you will not have access to the workshop files.
Clone this repository:

git clone --recursive https://github.com/jkcso-workshops/codeql-workshop
Do not forget the --recursive flag which allows you to obtain the standard CodeQL query libraries, which are included as a Git submodule of this repository.
Open the repository in Visual Studio Code: File > Open (or Open Folder) > Browse to the checkout of codeql-workshop.

Connect the codebase

Click the [QL] rectangular icon on the left sidebar

Then click on the tab on top named "Databases"

Choose the 3rd option named "From a URL (as a zip file)" and Copy Paste: https://github.com/jkcso-workshops/db/releases/download/vuln-code/MobileSheperd-CSInjection.zip

Press Enter and the database should be downloaded in a few seconds

Hoover over the newly imported database called "MobileSheperd CSInjection" and click "Set Current Database". A "tick" should now appear to indicate that the database is connected