Talks by Hack23

This repository contains resources and talks by James Pether Sörling, an experienced technology professional, open source contributor, and founder of Hack23. The talks focus on securing your development pipeline with static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) using SonarQube.

Contents

Secure Development Pipeline Talk

James Pether Sörling presented this talk at Javaforum Göteborg, where he discussed how to secure your development pipeline with static and dynamic application security tests, as well as software composition analysis using SonarQube. You can watch the video here.

James was also a guest on the "Shift Left Like A Boss" security podcast, which is available here.

Presentation slides are available in PowerPoint and OpenDocument formats.

License Tools for Java Projects

A list of license tools for Java projects can be found here.

Security Testing Tools

Examples

The latest Jenkinsfile example can be found in the Hack23 CIA repository.

About James Pether Sörling

James Pether Sörling is an experienced technology professional with expertise in information security and delivery of secure cloud systems. He is a strong advocate for transparency in organizations and is committed to ensuring the security and reliability of his open source projects through the use of industry best practices such as OpenSSF and CII Best Practices.

You can learn more about James Pether Sörling and his work through the following resources:

James has also been featured in various press coverage:

Some of his past and current projects include:

  • Citizen Intelligence Agency - A volunteer-driven, open-source intelligence (OSINT) project that provides a neutral and comprehensive dashboard focusing on political activity in Sweden. By monitoring key political figures and institutions, the platform offers valuable insights into financial performance, risk metrics, and political trends. Additionally, the dashboard features a ranking system, enabling users to objectively compare politicians based on performance.
  • Sonar-CloudFormation-Plugin - A SonarQube plugin, developed in Java, that analyzes CloudFormation templates written in YAML or JSON. The plugin uses the SonarQube API to perform code analysis on the templates and generate detailed reports on best practices, potential security issues, and other code quality metrics. The plugin integrates with cfn-nag and Checkov to provide additional security checks based on the CWE, NIST 800-53, and ISO 27001 standards.
  • Lambda in Private VPC - A proof-of-concept (POC) showcasing a multi-region active/active site leveraging Resilience Hub policy compliance and runbooks to facilitate rapid recovery from failures.
