Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
1. Building an Open Source AppSec Pipeline: Keeping your program, and your life, sane.

2. Who am I?
   6 months with Pearson, Senior Software Security Engineer
   Prior to Pearson:
   ● Rackspace - Lead Engineer, Product Security
   ● AppSec consulting
     o VP Services, Praetorian
     o Consultant, Trustwave’s SpiderLabs
   ● TEA - Senior Security Engineer
   ● DIR - Penetration Tester
   ● Texas A&M University
     o Systems Analyst, Sys Admin, Developer, DBA
     o Lecturer in MIS department
   ● Viatel - Internet App Developer

3. Who am I? Other professional experience
   ● OWASP Live CD / OWASP WTE
     o Project lead 2008 to present
     o Over 300K downloads
     o http://appseclive.org
   ● OWASP Foundation Board of Directors
     o International charity focused on improving software security
   ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences
   ● Application Security Training internationally
   ● B.S. Economics, M.S. in MIS
     o Strong believer in the value of cross-discipline study

4. Assembly Lines...

5. The Phoenix Project
   3 Ways of DevOps
   Strategies for Improving Operations

6. AppSec Pipelines: Figuring out your workflow

7. Our AppSec Pipeline

8. Key Features of AppSec Pipelines
   ● Designed for iterative improvement
   ● Provides a reusable path for AppSec activities to follow
   ● Provides a consistent process for both the team and our constituency
   ● One-way flow with well-defined states
   ● Relies heavily on automation
   ● Has the ability to grow in functionality organically over time
   ● Gracefully interconnects with the development process

9. Spending time optimizing anything other than the critical resource is an illusion.

10. Key Goals of AppSec Pipelines
   ● Optimize the critical resource - AppSec personnel
   ● Automate all the things that don’t require a human brain
   ● Drive up consistency
   ● Increase tracking of work status
   ● Increase flow through the system
   ● Increase visibility and metrics
   ● Reduce any dev team friction with application security

11. Pipeline - Intake
   ● “First Impression”
   ● Major categories of Intake
     o Existing App
     o New App
     o Previously tested App
     o App to re-test findings
   ● Key Concepts
     o Ask for data about Apps only once
     o Have data reviewed when an App returns
     o Adapt data collected based on broad categories of Apps

12. Pipeline – the Middle
   ● Inbound request triage
   ● À la carte AppSec
     o Dynamic Testing
     o Static Testing
     o Re-Testing mitigated findings
     o Mix and match based on risk
   ● Key Concepts
     o Activities can be run in parallel
     o Automation on setup, configuration, data export
     o People focus on customization rather than setup

13. Pipeline – the End
   ● Source of truth for all AppSec activities
   ● ThreadFix is used to
     o Dedup / Consolidate findings
     o Normalize scanner data
     o Generate Metrics
     o Push issues to bug trackers
   ● Report and metrics automation
     o REST + tfclient
   ● Source of many touch points with external teams
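The "dedup / consolidate" and "normalize scanner data" steps at the end of the pipeline, as an added example (this is not ThreadFix code, and the two scanner export formats, their field names and the sample findings are all constructed for the illustration):

```python
"""Normalize findings from two scanners into one schema and consolidate
duplicates, the way the end of the pipeline is described above.
Added example; scanner formats and findings below are constructed."""

# Constructed sample exports: each scanner names the same facts differently.
SCANNER_A = [  # hypothetical DAST export
    {"vuln": "Cross-Site Scripting", "cwe": 79, "url": "/search?q=", "param": "q", "sev": "High"},
    {"vuln": "SQL Injection", "cwe": 89, "url": "/login", "param": "user", "sev": "Critical"},
]
SCANNER_B = [  # hypothetical SAST export
    {"name": "Reflected XSS", "cwe_id": "CWE-79", "path": "/search?q=", "parameter": "q", "severity": 4},
    {"name": "Missing HttpOnly flag", "cwe_id": "CWE-1004", "path": "/login", "parameter": "", "severity": 2},
]

# Hypothetical field maps: common schema key -> that scanner's key.
MAP_A = {"title": "vuln", "cwe": "cwe", "location": "url", "parameter": "param", "severity": "sev"}
MAP_B = {"title": "name", "cwe": "cwe_id", "location": "path", "parameter": "parameter", "severity": "severity"}

SEVERITY_WORDS = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}


def normalize_severity(value):
    """Map 'High', 4 or '4' onto one 1..5 scale."""
    if isinstance(value, str) and value.lower() in SEVERITY_WORDS:
        return SEVERITY_WORDS[value.lower()]
    return int(value)


def normalize_cwe(value):
    """Accept 79 or 'CWE-79' and return the bare integer."""
    return int(str(value).upper().replace("CWE-", ""))


def normalize(record, field_map):
    """Rename scanner-specific keys to the common schema and clean values."""
    out = {common: record[theirs] for common, theirs in field_map.items()}
    out["cwe"] = normalize_cwe(out["cwe"])
    out["severity"] = normalize_severity(out["severity"])
    return out


def consolidate(*exports):
    """Dedup on (CWE, location, parameter). A merged finding keeps the highest
    severity reported and every scanner's title, so nothing is lost."""
    merged = {}
    for findings, field_map in exports:
        for f in (normalize(r, field_map) for r in findings):
            key = (f["cwe"], f["location"], f["parameter"])
            if key in merged:
                merged[key]["severity"] = max(merged[key]["severity"], f["severity"])
                merged[key]["sources"].add(f["title"])
            else:
                f["sources"] = {f["title"]}
                merged[key] = f
    return list(merged.values())


if __name__ == "__main__":
    for f in consolidate((SCANNER_A, MAP_A), (SCANNER_B, MAP_B)):
        print(f["cwe"], f["location"], f["severity"], sorted(f["sources"]))
```

The four raw findings collapse to three; the XSS reported by both scanners becomes one finding that records both sources.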
14. Why we like AppSec Pipelines
   ● Allow us to have visibility into WIP
   ● Better understand/track/optimize flow of engagements
     o Average static test takes ...
   ● Great increase in consistency
   ● Easier re-allocation of engagements between staff
     o Each step has a well-defined interface
     o Knowing who has what allows for more informed “cost of switching” conversations
   ● Flexible enough for a range of skills and app maturity

15. Bag of Holding, aka BOH

16. What does BoH do?
   ● Manages our Application Security Program
   ● Application Inventory / Metadata Repository
   ● Engagement Tracking
   ● Report Repository
   ● Comments on any application, engagement or activity
   ● Data Classification and PII data
   ● Time taken on secure software activities
   ● Historical knowledge of past assessments
   ● Credential repository
   ● Environment details

17. AppSec ChatOps, aka Will

18. Security Tool Vendors: If I can do it with the UI, I want to do it with an API.
   - Matt Tesauro

19. Will Bot: Your new command line where you have your conversations.

20. AppSec Help

21. AppSec Advice

22. ThreadFix Integration
   And more:
   ● Create an Application
   ● Get Summary Metrics for AppSec Program

23. BOH/ThreadFix/Static Integration
   Set up recurring static analysis in about 1 minute!

24. Experimentation: kick things up a notch

25. "I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."

26. I have not failed. I've just found 10,000 ways that won't work.
   - Thomas A. Edison

27. Findings directly to bug trackers
   ● PDFs are great, bugs are better
   ● Work with developer teams to submit bugs
   ● Security category needs to exist
   ● Bonus points if the bug tracker has an API
   ● Security issues are now part of the normal workflow
   ● Beware of death by backlog - do security sprints
   ● Learn how the team treats issues
   ● ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/

28. For the reticent: nag, nag, nag
   ● Attach an SLA to each severity level for findings
   ● Remediation plan vs Fixed
   ● “Age” all findings against these SLAs
   ● Politely warn when SLA dates are close
   ● Walk up the Org chart as things get older
   ● Bonus points for dashboards and defect tracker APIs
   ● Get management sold first
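The aging procedure on this slide (per-severity SLA, a polite warning as the date nears, escalation up the org chart as a finding gets older, and a remediation plan counting like a fix) as an added example, not code from the talk. The SLA durations, warning window, escalation chain and findings are constructed values.

```python
"""Age open findings against a per-severity SLA and decide who to nag.
Added example; all durations, names and findings are constructed."""
from datetime import date, timedelta

# Constructed SLA in days per severity. A finding with an accepted
# remediation plan satisfies the SLA just like a fixed one.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
WARN_DAYS = 5              # "politely warn when SLA dates are close"
ESCALATION_STEP_DAYS = 14  # every two weeks overdue, walk one level up
ESCALATION_CHAIN = ["developer", "team lead", "engineering manager", "director"]


def sla_status(finding, today):
    """Return (state, days_left, escalate_to) for one finding."""
    if finding.get("fixed") or finding.get("remediation_plan"):
        return ("ok", None, None)
    due = finding["opened"] + timedelta(days=SLA_DAYS[finding["severity"]])
    days_left = (due - today).days
    if days_left > WARN_DAYS:
        return ("within_sla", days_left, None)
    if days_left >= 0:
        # Close to the SLA date: the developer gets a polite heads-up.
        return ("warn", days_left, ESCALATION_CHAIN[0])
    overdue = -days_left
    level = min(overdue // ESCALATION_STEP_DAYS, len(ESCALATION_CHAIN) - 1)
    return ("overdue", days_left, ESCALATION_CHAIN[level])


def nag_report(findings, today):
    """Group findings by the person who needs to hear about them."""
    report = {}
    for f in findings:
        state, days_left, who = sla_status(f, today)
        if who:
            report.setdefault(who, []).append((f["id"], f["severity"], state, days_left))
    return report


# Constructed findings and a constructed "today".
FINDINGS = [
    {"id": "F-1", "severity": "Critical", "opened": date(2015, 8, 1)},
    {"id": "F-2", "severity": "High", "opened": date(2015, 8, 1)},
    {"id": "F-3", "severity": "Medium", "opened": date(2015, 6, 1)},
    {"id": "F-4", "severity": "High", "opened": date(2015, 5, 1), "remediation_plan": True},
]
TODAY = date(2015, 8, 29)

if __name__ == "__main__":
    for who, items in nag_report(FINDINGS, TODAY).items():
        print(who, items)
```

With the constructed dates, the three-week-old Critical has already walked one level up to the team lead, the two findings a day or two from their SLA date go to the developer, and the one with a remediation plan generates no nag at all.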
29. Agent – one mole to rule them all
   ● Add an agent to the standard deploy
   ● Read-only helps sell to Ops
   ● Looks at the state of the system
   ● Reports the state to the “mothership”
   ● Add a dashboard to visualize state of infrastructure
   ● Change policy, servers go red
   ● Watch the board go green as patches roll out
   ● Roll your own or find a vendor
   Mozilla MIG

30. Turn Vuln scanning on its head
   ● Add value for your Ops teams
   ● Subscribe and parse vuln emails for key software
   ● Get this info during threat models or config mgmt
   ● Provide an early warning and remove panic from software updates
   ● Roll your own or find a vendor
   ● Gmail + filters can work surprisingly well
   ● Secunia VIM covers 40K+ products
   ● Reverse the scan-then-report standard

31. Key Takeaways
   ● Automate, automate, automate
   ● Look for “paper cuts” and fix those first
   ● Finding workflow – your AppSec Pipeline
   ● Figure this out and standardize / optimize
   ● Create systems which can grow organically
   ● App is never done, it’s just created to easily be added to over time
     o e.g. Finding blocks become templates for next report
   ● Learn to talk “dev”

32. Resources: Exercises left to the student...

33. Orchestration
   ● Integrate Security Tools and Workflow
   ● Example:
     o Generic API for dynamic scanning
       - URL
       - Credentials
       - Profile
     o Call any Dynamic Scanner:
       - OWASP ZAP
       - BurpSuite
       - AppScan

34. Gauntlt
   ● Open source, MIT License
   ● Gauntlt comes with pre-canned steps that hook security testing tools
   ● Gauntlt does not install tools
   ● Gauntlt wants to be part of the CI/CD pipeline
   ● Be a good citizen of exit status and stdout/stderr
   http://gauntlt.org/

35. Taiga
   ● Project Management Software – focused on usability and speed
     o Kanban / Scrum
     o Backlog
     o Tasks
     o Sprints
     o Issues
     o Wiki
   ● Open Source – Python / Django app
   ● Entire functionality is driven by a REST API!
   https://taiga.io/

36. DefectDojo
   DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. It attempts to streamline the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively.
   https://github.com/rackerlabs/django-DefectDojo

37. Related Presentations
   ● AppSec EU 2015 – Ops Track Keynote
     o Deck: http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
     o Video: https://www.youtube.com/watch?v=tDnyFitE0y4

38. Related Presentations
   ● AppSec EU 2015 – Building an AppSec Pipeline
     o Deck: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-program-and-your-life-sane
     o Video: https://www.youtube.com/watch?v=1CDSOSl4DQU

39. Books to read
   ● The Phoenix Project – Gene Kim, Kevin Behr and George Spafford
   ● The Practice of Cloud System Administration – Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan

40. Thank you! Keep in touch
   @matt_tesauro
   matt.tesauro@owasp.org
   mtesauro@gmail.com
   /in/matttesauro
   github.com/mtesauro

41. Image References
   Henry Ford in a field:
   http://henryfordgiantdifferenceaward.weebly.com/works-cited.html
   Assembly Lines:
   http://www.pictofcar.website/henry-ford-assembly-line-diagram/
   http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html
   http://en.wikipedia.org/wiki/Assembly_line
   http://actionspeaksradio.org/tag/henry-ford/
   http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the
   W. Edward Deming:
   http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html
   Japan's Post War Miracle:
   http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm
   http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/
   http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle

42. Image References
   Thomas Edison:
   http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm
   Food line:
   http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-pr
   Phoenix Project Book Cover:
   https://puppetlabs.com/blog/why-we-need-devops-now