AppSec Pipeline - Velocity NY 2015
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.


  1. Building an AppSec Pipeline: Keeping your program, and your life, sane. Aaron Weaver (Protiviti), Matt Tesauro (Pearson)
  2. Henry Ford: the sponsor of the development of the assembly line
  3. Assembly Lines
  4. The Phoenix Project: The Three Ways of DevOps, strategies for improving operations
  5. #1 - Workflow: look at your purpose and those processes which aid it
  6. #2 - Improve Feedback: open yourself to upstream and downstream information
  7. #3 - Continual Experimentation & Learning: create a culture of innovation and experimentation
  8. AppSec Pipelines
  9. Spending time optimizing anything other than the critical resource is an illusion.
  10. For AppSec the critical resource is the people.
  11. Our Pipeline
  12. Pipeline - Intake
      ▪ "First Impression"
      ▪ Major categories of Intake
        - Existing App
        - New App
        - Previously tested App
        - App to re-test findings
      ▪ Key Concepts
        - Ask for data about Apps only once
        - Have data reviewed when an App returns
        - Adapt data collected based on broad categories of Apps
  13. Pipeline - Test
      ▪ Inbound request triage
      ▪ À la carte AppSec
        - Dynamic Testing
        - Static Testing
        - Re-Testing mitigated findings
        - Mix and match based on risk
      ▪ Key Concepts
        - Activities can be run in parallel
        - Automation on setup, configuration, data export
        - People focus on customization rather than
  14. Pipeline - Deliver
      ▪ Source of truth for all AppSec activities
      ▪ ThreadFix is used to
        - Dedup / consolidate findings
        - Normalize scanner data
        - Generate metrics
        - Push issues to bug trackers
      ▪ Report and metrics automation: REST + tfclient
      ▪ Source of many touch points with external teams
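The three Deliver steps the slide assigns to ThreadFix (normalize scanner data, dedup/consolidate findings, generate metrics) are the core of any findings hub. The block below is an added example written for this page; it is not ThreadFix, tfclient or Bag of Holding code and does not reproduce their algorithms. The two input formats (ZAP-style dynamic alerts, a SARIF-like static result), the severity mapping and the fingerprint rule (CWE + location + parameter, with the query string dropped from URLs so a re-test of the same endpoint collapses into the original finding) are all assumptions chosen for illustration, and the sample scan output is constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, replace
from urllib.parse import urlsplit

# Assumed scanner-specific severity labels mapped onto one 1..4 scale.
SEVERITY_MAP = {"High": 4, "Medium": 3, "Low": 2, "Informational": 1,  # dynamic scanner
                "error": 4, "warning": 3, "note": 1}                   # static scanner


@dataclass(frozen=True)
class Finding:
    """Common schema every scanner result is normalized into."""
    cwe: int
    severity: int
    location: str   # host+path for dynamic findings, file:line for static ones
    parameter: str  # tainted parameter or variable, "" if not applicable
    title: str
    sources: tuple  # scan runs that reported this finding

    def fingerprint(self) -> str:
        # Same weakness, same place, same input => one finding, whichever run found it.
        key = f"{self.cwe}|{self.location}|{self.parameter}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def normalize_dynamic(alert: dict) -> Finding:
    """Map a dynamic-scanner alert (assumed ZAP-style field names) to Finding."""
    u = urlsplit(alert["url"])  # drop scheme and query string so re-tests dedup
    return Finding(cwe=int(alert["cweid"]), severity=SEVERITY_MAP[alert["risk"]],
                   location=f"{u.netloc}{u.path}", parameter=alert.get("param", ""),
                   title=alert["alert"], sources=(alert["source"],))


def normalize_static(result: dict) -> Finding:
    """Map a static-analysis result (assumed field names) to Finding."""
    return Finding(cwe=int(result["cwe"].split("-")[-1]),  # "CWE-89" -> 89
                   severity=SEVERITY_MAP[result["level"]],
                   location=f"{result['file']}:{result['line']}",
                   parameter=result.get("var", ""), title=result["rule"],
                   sources=(result["source"],))


def dedup(findings):
    """Merge findings with equal fingerprints: keep the highest severity and the
    union of reporting runs, preserving first-seen order."""
    merged = {}
    for f in findings:
        fp = f.fingerprint()
        if fp in merged:
            cur = merged[fp]
            merged[fp] = replace(cur, severity=max(cur.severity, f.severity),
                                 sources=tuple(sorted(set(cur.sources) | set(f.sources))))
        else:
            merged[fp] = f
    return list(merged.values())


def metrics(findings):
    """Summary numbers of the kind pushed to a program dashboard."""
    return {"total": len(findings),
            "by_severity": dict(Counter(f.severity for f in findings)),
            "by_cwe": dict(Counter(f.cwe for f in findings)),
            "high_or_above": sum(1 for f in findings if f.severity >= 4)}


# Constructed sample output, not real scan data.  The third dynamic alert is the
# same reflected XSS found again on a re-test, with a different query string.
SAMPLE_DYNAMIC = [
    {"source": "zap-run-1", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "cweid": "79", "url": "https://app.example.com/search?q=test", "param": "q"},
    {"source": "zap-run-1", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "cweid": "16", "url": "https://app.example.com/", "param": ""},
    {"source": "zap-run-2", "alert": "Cross Site Scripting (Reflected)", "risk": "Medium",
     "cweid": "79", "url": "https://app.example.com/search?q=%3Cb%3E", "param": "q"},
]
SAMPLE_STATIC = [
    {"source": "sast-run-1", "rule": "SQL injection", "level": "error",
     "cwe": "CWE-89", "file": "app/db.py", "line": 42, "var": "user_id"},
]


def run_pipeline(dynamic=SAMPLE_DYNAMIC, static=SAMPLE_STATIC):
    """Normalize every result, dedup, and return (findings, metrics)."""
    raw = [normalize_dynamic(a) for a in dynamic] + [normalize_static(r) for r in static]
    found = dedup(raw)
    return found, metrics(found)


if __name__ == "__main__":
    found, m = run_pipeline()
    for f in found:
        print(f.fingerprint(), f.severity, f.cwe, f.location, f.sources)
    print(m)
```

Running it turns four raw results into three findings: the re-tested XSS keeps its original High rating (the re-test rated it Medium, and a merge should never silently downgrade) and records both scan runs, which is what lets the Deliver stage answer "is this new, or did we already ship it to the bug tracker?" without a human re-reading the scan. The fingerprint rule is the part that deserves the most care in a real deployment; too loose and distinct bugs collapse together, too strict and every re-test opens duplicate tickets.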
  15. Application Security Tools Orchestration: automate security tooling
  16. Integrating into the DevOps Pipeline (diagram: DevOps pipeline alongside the AppSec pipeline)
  17. Dev & AppSec Tool Integration (diagram of the DevOps pipeline stages Code, Store, Build, Manage and Deploy, with AppSec tools such as OWASP ZAP Proxy and RAPTOR attached at the relevant stages). *Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.
  18. Bag of Holding, aka BoH: github.com/PearsonEducation/bag-of-holding
  19. Minimum Viable Product
  20. What does BoH do?
      ▪ Manages our Application Security Program
      ▪ Application repository
      ▪ Engagement tracking
      ▪ Report repository
      ▪ Comments on any application, engagement or activity
      ▪ Data classification and PII data
      ▪ Time taken on secure software activities
      ▪ Historical knowledge of past assessments
      ▪ Credential repository
      ▪ Environment details
  21. Application Repository
  22. Application Security Profile
  23. Scheduling of Secure Software Activities
  24. AppSec ChatOps, aka Will
  25. Your command line where you have your conversations.
  26. AppSec Help
  27. AppSec Advice
  28. ThreadFix Integration. And more: create an application; get summary metrics for the AppSec program
  29. BoH / ThreadFix / Static Integration: set up recurring static analysis in about 1 minute!
  30. https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
  31. Thanks! Aaron Weaver: @weavera, aaron.weaver@owasp.org, aaron.weaver2@gmail.com, /in/aweaver. Matt Tesauro: @matt_tesauro, matt.tesauro@owasp.org, mtesauro@gmail.com, /in/matttesauro, github.com/mtesauro
