SlideShare a Scribd company logo
1 of 65
Download to read offline
Building an Open Source
AppSec Pipeline:
Keeping your program, and your life, sane.
6 months with Pearson
Application Security Lead Engineer
Prior to Pearson
● Rackspace - Lead Engineer, Product Security
● AppSec consulting
o VP Services, Praetorian
o Consultant Trustwave’s Spiderlabs
● TEA - Senior Security Engineer
● DIR - Penetration Tester
● Texas A&M University
o Systems Analyst, Sys Admin, Developer, DBA
o Lecturer in MIS department
● Viatel -
Internet App Developer
Who am I?
Other professional experience
● OWASP Live CD / OWASP WTE
o Project lead 2008 to present
o Over 300K downloads
o http://appseclive.org
● OWASP Foundation Board of Directors
o International charity focused on improving software security
● Multiple speaking engagements internationally
at AppSec, DHS, ISC2, SANS… conferences
● Application Security Training internationally
● B.S. Economics, M.S. in MIS
o Strong believer in the value of cross-
discipline study
Who am I?
Building an Open Source AppSec Pipeline
Assembly Lines...
The Phoenix Project
3 Ways of DevOps
Strategies for Improving Operations
Look at your purpose and those processes which aid it
Make sure the process is correct from beginning to the end
Then look at ways to speed up that process
Value Stream – the name a the process which provides value
to the business
Working from left to right – think of a time line:
business / development => customer / operations
Flow [rate] – the speed work goes through the process
#1 - Workflow
Making things repeatable
Remove all haphazard and ad hoc work from the process
Repeat until stable, I like doing the first couple times
manually with a 'run book'
Scripting languages are your friends
Config Mgmt – Puppet, Chef, Salt, Ansible, CFEngine, …
Creating deployable artifacts from a branch/release aka
.rpm / .deb / .msi
Make sure what you do can be done on 1 server or 10,000
servers
#1 - Workflow
Each Step Repeatable
Work left to right but don't pass on failures
Test early and often
Increase the rigor of testing as you work left to right
When a failure occurs, end that flow and start a new one after
corrections
The further right you are, the more expensive failure is
so concentrate your early work on left side (intake)
In AppSec, defects are false positives
#1 - Workflow
Never Pass on Defects
Your fix cannot be my new problem
Ensure no single-step optimizations degrade the overall
performance of the workflow
Spending time optimizing anything other than the critical
resource is an illusion.
Find the bottle neck in your workflow and start there
- Upstream changes will just back things up
- Downstream changes won't manifest since input is
limited
Each new optimization creates a new bottleneck
– iterate on this
#1 - Workflow
Local optimizations with a global view
AppSec Pipelines
Figuring out your workflow
Building an Open Source AppSec Pipeline
Our AppSec Pipeline
Key Features of AppSec Pipelines
● Designed for iterative improvement
● Provides a reusable path for AppSec activities to
follow
● Provides a consistent process for both the team and
our constituency
● One way flow with well-defined states
● Relies heavily on automation
● Has the ability to grow in functionality organically
over time
● Gracefully interconnects with the development
process
Spending time
optimizing anything
other than
the critical resource
is an illusion.
Key Goals of AppSec Pipelines
• Optimize the critical resource - AppSec personnel
● Automate all the things that don’t require a
human brain
● Drive up consistency
● Increase tracking of work status
● Increase flow through the system
● Increase visibility and metrics
● Reduce any dev team friction with
application security
Pipeline - Intake
• “First Impression”
• Major categories of Intake
• Existing App
• New App
• Previously tested App
• App to re-test findings
• Key Concepts
• Ask for data about Apps only
once
• Have data reviewed when an
App returns
• Adapt data collected based
on broad categories of Apps
Pipeline – the Middle
● Inbound request triage
● Ala Carte App Sec
● Dynamic Testing
● Static Testing
● Re-Testing mitigated
findings
● Mix and match based on risk
● Key Concepts
● Activities can be run in
parallel
● Automation on setup,
configuration, data export
● People focus on customization
rather than setup
Pipeline – the End
● Source of truth for all AppSec
activities
● ThreadFix is used to
● Dedup / Consolidate findings
● Normalize scanner data
● Generate Metrics
● Push issues to bug
trackers
● Report and metrics automation
● REST + tfclient
● Source of many touch points with
external teams
Spending time
optimizing anything
other than
the critical resource
is an illusion.
W. Edwards
Deming
Japan's post-war miracle
Why we like AppSec Pipelines
● Allow us to have visibility into WIP
● Better understand/track/optimize flow of engagements
● Average static test takes ...
● Great increase in consistency
● Easier re-allocation of engagements between staff
● Each step has a well defined interface
● Knowing who has what allows for more informed
“cost of switching” conversations
● Flexible enough for a range of skills and app maturity
Now go faster
Make sure you have a well-defined, repeatable process first
Look for manual steps that can be automated
Look for duplicate work that can be removed/eliminated
Measuring/tracking time taken at each step is crucial
Where does the flow ebb?
#1 - Workflow
Increase the flow of work
Bag of Holding
aka BOH
What does BoH do?
• Manages our Application Security Program
• Application Repository
• Engagement Tracking
• Report Repository
• Comments on any application, engagement
or activity
• Data Classification and PII data
• Time taken on secure software activities
• Historical knowledge of past assessments
• Credential repository
• Environment details
Building an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Open yourself to upstream and downstream information
Feedback loops occur when information is gathered from
- upstream (business / development)
- downstream (customer / operations)
Make visible problems, concerns, potential improvements
– share this publicly inside the company
Learn as you move left to right so improvements aren't lost
Requests are opportunities to better fulfill the needs of the
business
There is rarely enough feedback, capture and look for more
Feedback collected can be used to optimally improve the system
#2 – Improve Feedback
AppSec ChatOps
aka Will
Security Tool Vendors: If I
can do it with the UI, I want
to do it with an API.
- Matt Tesauro
Building an Open Source AppSec Pipeline
Your command line where you have
your conversations.
Will Bot
AppSec Help
AppSec Advice
Threadfix Integration
And more:
• Create an Application
• Get Summary Metrics for
AppSec Program
BOH/Threadfix/Static
Integration
Setup recurring static analysis in about 1 minute!
Create a culture of innovation and experimentation
The fundamentals are now solid, what can your new
knowledge buy you?
The business culture must allow for and embrace innovation /
experimentation
Two essential things must be understood by the business
- We can learn from the failed experiments / risks we take
- Mastery comes with repetition and practice
and you won't be a master the first N times you practice
#3 – Continual Experimentation & Learning
Building an Open Source AppSec Pipeline
Experimentation
kick things up a notch
"I fear not the man
who has practiced
ten thousand kicks
once,
but I fear the man
who has practiced
one kick ten
thousand times."
I have not failed.
I've just found 10,000
ways that won't work.
- Thomas A. Edison
Findings directly to bug trackers
• PDFs are great, bugs are better
• Work with developer teams to submit bugs
• Security category needs to exist
• Bonus points if the bug tracker has an API
• Security issues are now part of the normal work flow
• Beware of death by backlog - do security
sprints
• Learn how the team treats issues
•ThreadFix is nice for pumping issues into defect
trackers - http://code.google.com/p/threadfix/
For the reticent: nag, nag, nag
• Attach a SLA to each severity level for findings
• Remediation plan vs Fixed
• “Age” all findings against these SLAs
• Politely warn when SLA dates are close
• Walk up the Org chart as
things get older
• Bonus points for
dashboards and defect
tracker APIs
• Get management sold first
Agent – one mole to rule them all
•Add an agent to the standard deploy
• Read-only helps sell to Ops
• Looks at the state of the system
• Reports the state to the “mothership”
• Add a dashboard to visualize state of infrastructure
• Change policy, servers go red
• Watch the board go green as patches roll-out
• Roll your own or find a vendor
Mozilla MIG
Turn Vuln scanning on its head
• Add value for your Ops teams
• Subscribe and parse vuln emails for key software
• Get this info during threat models or config mgmt
• Provide an early warning and remove panic from
software updates
• Roll your own or find a vendor
• Gmail + filters can work surprisingly well
• Secunia VIM covers 40K+ products
• Reverse the scan then report standard
• Automate, automate, automate
• Look for “paper cuts” and fix those first
• Finding workflow – your AppSec Pipeline
• Figure this out and standardize / optimize
• Create systems which can grow organically
• App is never done, its just created to easily
be added to over time
• e.g. Finding blocks become templates for
next report
• Learn to talk “dev”
Key Take Aways
Resources
Exercises left to the student...
Orchestration
• Integrate Security Tools and Workflow
• Example:
• Generic API for dynamic scanning
• URL
• Credentials
• Profile
• Call any Dynamic Scanner:
• OWASP ZAP
• BurpSuite
• AppScan
Gauntlt
●Open source, MIT License
●Gauntlt comes with pre-canned steps that hook
security testing tools
●Gauntlt does not install tools
●Gauntlt wants to be part of the CI/CD pipeline
●Be a good citizen of exit status and stdout/stderr
http://gauntlt.org/
Tiaga
• Project Management Software
– focused on usability and speed
●
Kanban / Scrum
●
Backlog
●
Tasks
●
Sprints
●
Issues
●
Wiki
• Open Source – Python / Django app
• Entire functionality is driven by a REST API !!
https://taiga.io/
Building an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
Defect Dojo
DefectDojo is a tool created by the Security
Engineering team at Rackspace to track testing
efforts. It attempts to streamline the testing
process by offering features such as templating,
report generation, metrics, and baseline self-
service tools.
Though it was designed with security folks in
mind, there is nothing keeping QA/QE testers, or
any other testers for that matter, from using it
productively.
https://github.com/rackerlabs/django-DefectDojo
Building an Open Source AppSec Pipeline
Related Presentations
● AppSec EU 2015 – Ops Track Keynote
● Deck:
http://www.slideshare.net/mtesauro/mtesauro-
keynote-appseceu
● Video:
https://www.youtube.com/watch?v=tDnyFitE0y4
Related Presentations
● AppSec EU 2015 – Building an AppSec Pipeline
● Deck:
http://www.slideshare.net/weaveraaaron/building-
an-appsec-pipeline-keeping-your-program-and-
your-life-sane
● Video:
https://www.youtube.com/watch?v=1CDSOSl4DQU
The Phoenix Project
The Practice of Cloud System
Administration
Gene Kim, Kevin Behr and
George Spafford
Books to read
Thomas A. Limoncelli, Strata R. Chalup,
Christina J. Hogan
Thank you !
Keep in touch
@matt_tesauro
matt.tesauro@owasp.org
mtesauro@gmail.com
/in/matttesauro
github.com/mtesauro
Image References
Henry Ford in a field:
http://henryfordgiantdifferenceaward.weebly.com/works-cited.html
Assembly Lines:
http://www.pictofcar.website/henry-ford-assembly-line-diagram/
http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html
http://en.wikipedia.org/wiki/Assembly_line
http://actionspeaksradio.org/tag/henry-ford/
http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the
W. Edward Deming
http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html
Japan's Post War Miracle
http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm
http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/
http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle
Image References
Thomas Edison:
http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm
Food line:
http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-pr
Phoenix Project Book Cover:
https://puppetlabs.com/blog/why-we-need-devops-now

More Related Content

What's hot

Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Matt Tesauro
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecurePuppet
 
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDynatrace
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset  Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Denim Group
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
Making operations visible - devopsdays tokyo 2013
Making operations visible  - devopsdays tokyo 2013Making operations visible  - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Nick Galbreath
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Machine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsMachine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsDeborah Schalm
 
Where Testers & QA Fit in the Story of DevOps
Where Testers & QA Fit in the Story of DevOpsWhere Testers & QA Fit in the Story of DevOps
Where Testers & QA Fit in the Story of DevOpsQASymphony
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsC4Media
 

What's hot (20)

Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
 
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the World
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset  Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
 
Making operations visible - devopsdays tokyo 2013
Making operations visible  - devopsdays tokyo 2013Making operations visible  - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Machine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsMachine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOps
 
Where Testers & QA Fit in the Story of DevOps
Where Testers & QA Fit in the Story of DevOpsWhere Testers & QA Fit in the Story of DevOps
Where Testers & QA Fit in the Story of DevOps
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Chaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient SystemsChaos Engineering: Why the World Needs More Resilient Systems
Chaos Engineering: Why the World Needs More Resilient Systems
 

Viewers also liked

Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management -  How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management -  How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...Simone Onofri
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
Putting to your Robots to Work V1.1
Putting to your Robots to Work V1.1Putting to your Robots to Work V1.1
Putting to your Robots to Work V1.1Neil Matatall
 
Varnish http accelerator
Varnish http acceleratorVarnish http accelerator
Varnish http acceleratorno no
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016SecuRing
 
Is Orchestration the Next Big Thing in DevOps
Is Orchestration the Next Big Thing in DevOpsIs Orchestration the Next Big Thing in DevOps
Is Orchestration the Next Big Thing in DevOpsNati Shalom
 
Epistemological Problem of Application Security
Epistemological Problem of Application SecurityEpistemological Problem of Application Security
Epistemological Problem of Application SecurityJames Wickett
 
2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at Twitter2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at TwitterNeil Matatall
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Dinis Cruz
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks   v1.0 - owasp app sec eu - june 2016Using jira to manage risks   v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Dinis Cruz
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Dinis Cruz
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec toolsOWASP EEE
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Stefan Streichsbier
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 

Viewers also liked (20)

Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management -  How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management -  How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
 
Putting to your Robots to Work V1.1
Putting to your Robots to Work V1.1Putting to your Robots to Work V1.1
Putting to your Robots to Work V1.1
 
Varnish http accelerator
Varnish http acceleratorVarnish http accelerator
Varnish http accelerator
 
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
Internet banking safeguards vulnerabilities - OWASP AppSec EU 2016
 
Is Orchestration the Next Big Thing in DevOps
Is Orchestration the Next Big Thing in DevOpsIs Orchestration the Next Big Thing in DevOps
Is Orchestration the Next Big Thing in DevOps
 
Epistemological Problem of Application Security
Epistemological Problem of Application SecurityEpistemological Problem of Application Security
Epistemological Problem of Application Security
 
2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at Twitter2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at Twitter
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks   v1.0 - owasp app sec eu - june 2016Using jira to manage risks   v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)
 
[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools[Poland] SecOps live cooking with OWASP appsec tools
[Poland] SecOps live cooking with OWASP appsec tools
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 

Similar to Building an Open Source AppSec Pipeline

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...PROIDEA
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015Shannon Lietz
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Digital Bond
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015Shannon Lietz
 
Defect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft WebinarDefect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft WebinarXBOSoft
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous DeploymentBrian Henerey
 
Cloud Academy Webinar: Recipe for DevOps Success: Capital One Style
Cloud Academy Webinar: Recipe for DevOps Success: Capital One StyleCloud Academy Webinar: Recipe for DevOps Success: Capital One Style
Cloud Academy Webinar: Recipe for DevOps Success: Capital One StyleMark Andersen
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAdam Stephensen
 
AfterTest Madrid March 2016 - DevOps and Testing Introduction
AfterTest Madrid March 2016 - DevOps and Testing IntroductionAfterTest Madrid March 2016 - DevOps and Testing Introduction
AfterTest Madrid March 2016 - DevOps and Testing IntroductionPeter Marshall
 
Ncerc rlmca202 adm m1 ssm
Ncerc rlmca202 adm m1 ssmNcerc rlmca202 adm m1 ssm
Ncerc rlmca202 adm m1 ssmssmarar
 
5 Steps to Jump Start Your Test Automation
5 Steps to Jump Start Your Test Automation5 Steps to Jump Start Your Test Automation
5 Steps to Jump Start Your Test AutomationSauce Labs
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)Qualitest
 
Slides from "Taking an Holistic Approach to Product Quality"
Slides from "Taking an Holistic Approach to Product Quality"Slides from "Taking an Holistic Approach to Product Quality"
Slides from "Taking an Holistic Approach to Product Quality"Peter Marshall
 
Webinar: Keep Calm and Scale Out - A proactive guide to Monitoring MongoDB
Webinar: Keep Calm and Scale Out - A proactive guide to Monitoring MongoDBWebinar: Keep Calm and Scale Out - A proactive guide to Monitoring MongoDB
Webinar: Keep Calm and Scale Out - A proactive guide to Monitoring MongoDBMongoDB
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 

Similar to Building an Open Source AppSec Pipeline (20)

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Dev ops
Dev opsDev ops
Dev ops
 
DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015DevSecCon KeyNote London 2015
DevSecCon KeyNote London 2015
 
DevSecCon Keynote
DevSecCon KeynoteDevSecCon Keynote
DevSecCon Keynote
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015ISACA Ireland Keynote 2015
ISACA Ireland Keynote 2015
 
Defect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft WebinarDefect Prevention & Predictive Analytics - XBOSoft Webinar
Defect Prevention & Predictive Analytics - XBOSoft Webinar
 
Continuous Deployment
Continuous DeploymentContinuous Deployment
Continuous Deployment
 
Cloud Academy Webinar: Recipe for DevOps Success: Capital One Style
Cloud Academy Webinar: Recipe for DevOps Success: Capital One StyleCloud Academy Webinar: Recipe for DevOps Success: Capital One Style
Cloud Academy Webinar: Recipe for DevOps Success: Capital One Style
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project success
 
AfterTest Madrid March 2016 - DevOps and Testing Introduction
AfterTest Madrid March 2016 - DevOps and Testing IntroductionAfterTest Madrid March 2016 - DevOps and Testing Introduction
AfterTest Madrid March 2016 - DevOps and Testing Introduction
 
Ncerc rlmca202 adm m1 ssm
Ncerc rlmca202 adm m1 ssmNcerc rlmca202 adm m1 ssm
Ncerc rlmca202 adm m1 ssm
 
5 Steps to Jump Start Your Test Automation
5 Steps to Jump Start Your Test Automation5 Steps to Jump Start Your Test Automation
5 Steps to Jump Start Your Test Automation
 
Keeping up with PHP
Keeping up with PHPKeeping up with PHP
Keeping up with PHP
 
DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)DevSecOps - It can change your life (cycle)
DevSecOps - It can change your life (cycle)
 
Slides from "Taking an Holistic Approach to Product Quality"
Slides from "Taking an Holistic Approach to Product Quality"Slides from "Taking an Holistic Approach to Product Quality"
Slides from "Taking an Holistic Approach to Product Quality"
 
Webinar: Keep Calm and Scale Out - A proactive guide to Monitoring MongoDB
Webinar: Keep Calm and Scale Out - A proactive guide to Monitoring MongoDBWebinar: Keep Calm and Scale Out - A proactive guide to Monitoring MongoDB
Webinar: Keep Calm and Scale Out - A proactive guide to Monitoring MongoDB
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
 

More from Matt Tesauro

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with ScissorsMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My!  Security Gone AgileDevOps, CLI, APIs, Oh My!  Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileMatt Tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Matt Tesauro
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012Matt Tesauro
 

More from Matt Tesauro (15)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My!  Security Gone AgileDevOps, CLI, APIs, Oh My!  Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone Agile
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
 

Recently uploaded

UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 

Recently uploaded (20)

UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 

Building an Open Source AppSec Pipeline

  • 1. Building an Open Source AppSec Pipeline: Keeping your program, and your life, sane.
  • 2. 6 months with Pearson Application Security Lead Engineer Prior to Pearson ● Rackspace - Lead Engineer, Product Security ● AppSec consulting o VP Services, Praetorian o Consultant Trustwave’s Spiderlabs ● TEA - Senior Security Engineer ● DIR - Penetration Tester ● Texas A&M University o Systems Analyst, Sys Admin, Developer, DBA o Lecturer in MIS department ● Viatel - Internet App Developer Who am I?
  • 3. Other professional experience ● OWASP Live CD / OWASP WTE o Project lead 2008 to present o Over 300K downloads o http://appseclive.org ● OWASP Foundation Board of Directors o International charity focused on improving software security ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences ● Application Security Training internationally ● B.S. Economics, M.S. in MIS o Strong believer in the value of cross- discipline study Who am I?
  • 6. The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
  • 7. Look at your purpose and those processes which aid it Make sure the process is correct from beginning to the end Then look at ways to speed up that process Value Stream – the name a the process which provides value to the business Working from left to right – think of a time line: business / development => customer / operations Flow [rate] – the speed work goes through the process #1 - Workflow
  • 8. Making things repeatable Remove all haphazard and ad hoc work from the process Repeat until stable, I like doing the first couple times manually with a 'run book' Scripting languages are your friends Config Mgmt – Puppet, Chef, Salt, Ansible, CFEngine, … Creating deployable artifacts from a branch/release aka .rpm / .deb / .msi Make sure what you do can be done on 1 server or 10,000 servers #1 - Workflow Each Step Repeatable
  • 9. Work left to right but don't pass on failures Test early and often Increase the rigor of testing as you work left to right When a failure occurs, end that flow and start a new one after corrections The further right you are, the more expensive failure is so concentrate your early work on left side (intake) In AppSec, defects are false positives #1 - Workflow Never Pass on Defects
  • 10. Your fix cannot be my new problem Ensure no single-step optimizations degrade the overall performance of the workflow Spending time optimizing anything other than the critical resource is an illusion. Find the bottle neck in your workflow and start there - Upstream changes will just back things up - Downstream changes won't manifest since input is limited Each new optimization creates a new bottleneck – iterate on this #1 - Workflow Local optimizations with a global view
  • 14. Key Features of AppSec Pipelines ● Designed for iterative improvement ● Provides a reusable path for AppSec activities to follow ● Provides a consistent process for both the team and our constituency ● One way flow with well-defined states ● Relies heavily on automation ● Has the ability to grow in functionality organically over time ● Gracefully interconnects with the development process
  • 15. Spending time optimizing anything other than the critical resource is an illusion.
  • 16. Key Goals of AppSec Pipelines • Optimize the critical resource - AppSec personnel ● Automate all the things that don’t require a human brain ● Drive up consistency ● Increase tracking of work status ● Increase flow through the system ● Increase visibility and metrics ● Reduce any dev team friction with application security
  • 17. Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
  • 18. Pipeline – the Middle ● Inbound request triage ● Ala Carte App Sec ● Dynamic Testing ● Static Testing ● Re-Testing mitigated findings ● Mix and match based on risk ● Key Concepts ● Activities can be run in parallel ● Automation on setup, configuration, data export ● People focus on customization rather than setup
  • 19. Pipeline – the End ● Source of truth for all AppSec activities ● ThreadFix is used to ● Dedup / Consolidate findings ● Normalize scanner data ● Generate Metrics ● Push issues to bug trackers ● Report and metrics automation ● REST + tfclient ● Source of many touch points with external teams
  • 20. Spending time optimizing anything other than the critical resource is an illusion.
  • 23. Why we like AppSec Pipelines ● Allow us to have visibility into WIP ● Better understand/track/optimize flow of engagements ● Average static test takes ... ● Great increase in consistency ● Easier re-allocation of engagements between staff ● Each step has a well defined interface ● Knowing who has what allows for more informed “cost of switching” conversations ● Flexible enough for a range of skills and app maturity
  • 24. Now go faster Make sure you have a well-defined, repeatable process first Look for manual steps that can be automated Look for duplicate work that can be removed/eliminated Measuring/tracking time taken at each step is crucial Where does the flow ebb? #1 - Workflow Increase the flow of work
  • 26. What does BoH do? • Manages our Application Security Program • Application Repository • Engagement Tracking • Report Repository • Comments on any application, engagement or activity • Data Classification and PII data • Time taken on secure software activities • Historical knowledge of past assessments • Credential repository • Environment details
  • 33. Open yourself to upstream and downstream information Feedback loops occur when information is gathered from - upstream (business / development) - downstream (customer / operations) Make visible problems, concerns, potential improvements – share this publicly inside the company Learn as you move left to right so improvements aren't lost Requests are opportunities to better fulfill the needs of the business There is rarely enough feedback, capture and look for more Feedback collected can be used to optimally improve the system #2 – Improve Feedback
  • 35. Security Tool Vendors: If I can do it with the UI, I want to do it with an API. - Matt Tesauro
  • 37. Your command line where you have your conversations. Will Bot
  • 40. Threadfix Integration And more: • Create an Application • Get Summary Metrics for AppSec Program
  • 42. Create a culture of innovation and experimentation The fundamentals are now solid, what can your new knowledge buy you? The business culture must allow for and embrace innovation / experimentation Two essential things must be understood by the business - We can learn from the failed experiments / risks we take - Mastery comes with repetition and practice and you won't be a master the first N times you practice #3 – Continual Experimentation & Learning
  • 45. "I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
  • 46. I have not failed. I've just found 10,000 ways that won't work. - Thomas A. Edison
  • 47. Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues •ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
  • 48. For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and defect tracker APIs • Get management sold first
  • 49. Agent – one mole to rule them all •Add an agent to the standard deploy • Read-only helps sell to Ops • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor Mozilla MIG
  • 50. Turn Vuln scanning on its head • Add value for your Ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
  • 51. • Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • e.g. Finding blocks become templates for next report • Learn to talk “dev” Key Take Aways
  • 52. Resources Exercises left to the student...
  • 53. Orchestration • Integrate Security Tools and Workflow • Example: • Generic API for dynamic scanning • URL • Credentials • Profile • Call any Dynamic Scanner: • OWASP ZAP • BurpSuite • AppScan
  • 54. Gauntlt ●Open source, MIT License ●Gauntlt comes with pre-canned steps that hook security testing tools ●Gauntlt does not install tools ●Gauntlt wants to be part of the CI/CD pipeline ●Be a good citizen of exit status and stdout/stderr http://gauntlt.org/
  • 55. Tiaga • Project Management Software – focused on usability and speed ● Kanban / Scrum ● Backlog ● Tasks ● Sprints ● Issues ● Wiki • Open Source – Python / Django app • Entire functionality is driven by a REST API !! https://taiga.io/
  • 58. Defect Dojo DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. It attempts to streamline the testing process by offering features such as templating, report generation, metrics, and baseline self- service tools. Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. https://github.com/rackerlabs/django-DefectDojo
  • 60. Related Presentations ● AppSec EU 2015 – Ops Track Keynote ● Deck: http://www.slideshare.net/mtesauro/mtesauro- keynote-appseceu ● Video: https://www.youtube.com/watch?v=tDnyFitE0y4
  • 61. Related Presentations ● AppSec EU 2015 – Building an AppSec Pipeline ● Deck: http://www.slideshare.net/weaveraaaron/building- an-appsec-pipeline-keeping-your-program-and- your-life-sane ● Video: https://www.youtube.com/watch?v=1CDSOSl4DQU
  • 62. The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
  • 63. Thank you ! Keep in touch @matt_tesauro matt.tesauro@owasp.org mtesauro@gmail.com /in/matttesauro github.com/mtesauro
  • 64. Image References Henry Ford in a field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle
  • 65. Image References Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-pr Phoenix Project Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now

Editor's Notes

  1. http://www.mikealeckson.com/2011/12/christianity-and-continuous-improvement.html http://christianfaithatwork.com/are-you-committed-to-continuous-learning/