Any optimization outside the critical constraint is an illusion. In DevSecOps , the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and provide real world experiences of creating DevSecOps Pipeline’s augmented with automation in multiple enterprises. Getting started can feel overwhelming but this talk provides coverage of the fundamental building blocks of adding automation to an DevSecOps program including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example, customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.
2. I am Matt Tesauro
I think AppSec needs to change and
I’m going to tell you how I see it changing
matt.tesauro@10Security.com / @matt_tesauro
2
3. Who is this guy?
✖ Reformed programmer and AppSec Engineer
✖ 11+ years in the OWASP community
○ OWASP AppSec Pipeline
○ OWASP DefectDojo
○ OWASP WTE
✖ 20+ years using Floss and Linux
✖ Currently a Go language fanbox
✖ Ee Dan in Tang Soo Do Mi Guk Kwan
(2nd degree black belt)
3
10. 10
The purpose of an
AppSec program is to
evaluate the security
status of the suite of
apps for a business
Basically, to provide a
map to guide business
decisions.
11. Do you have a full view of
your Application landscape?
11
15. There’s never enough people or time...
✖ AppSec team size is small vs Dev team
✖ Automate all those things that don’t take
a human brain
✖ DefectDojo (and the rest API) is the heart
of your automation efforts - your single
source of truth
16. OWASP DefectDojo
An open-source application vulnerability
correlation and security orchestration tool.
The source of truth for a security program that
manages to make vulnerability management work
✖ Consolidating and dedup’ing findings
○ 66+ different tools supported
✖ Maintain product and app info/metadata
✖ Push findingst to defect trackers
✖ Automation with a REST API
16
17. The “Three Ways of DevOps”
1. Workflow
“Look at your purpose and those processes which aid it”
2. Improve Feedback
“Open yourself to upstream & downstream info”
3. Continual Experimentation and Learning
“Create a culture of innovation and experimentation”
17
18. AppSec Personnelle
They are the critical resource so
optimize their work
✖ Automate the non-human brain things
✖ Drive up consistency
✖ Increase tracking of work status
✖ Increase flow through the system
✖ Increase visibility and metrics
✖ Reduce any friction with dev teams
18
24. What’s this AppSec pipeline all about?
✖ Better visibility into WIP
✖ Better understand/track/optimize flow of
DevSecOps work
✖ Significant increase in consistency
○ Each step has a well defined interface
✖ Understanding the cost of switching
✖ Flexible enough for a range of skills &
program maturity
24
25. Remember that DevOps stuff?
For better or worse, DevOps is changing IT
✖ Smaller quicker iterations
○ CI/CD, Cloud, Serverless, Microservices
✖ More agility to meet customer needs and
keep up with competitors
✖ Cost of experimentation goes down
25
26. Gen 1 AppSec Pipelines
Look at your team’s purpose and
those processes which aid it
26
32. Gen 3 AppSec Pipelines
Scale your teams reach and
dramatically increase
speed and visibility
32
33. ✖ A way to conduct automated testing
✖ Run by the AppSec team to
○ Provide visibility of software posture
○ Provide findings to the dev teams
✖ Means to scale AppSec team coverage
○ No in-depth testing, breadth
○ Pre-calculate testing
✖ Creates a security baseline
33
What does a Gen3 AppSec Pipeline get me?
34. ✖ The one thing that will fix all your problems
✖ A gate that blocks deploys
(especially at first)
✖ Pipeline create artifacts
○ CI/CD => deployed apps
○ AppSec Pipelines =>
Security Findings
34
What an AppSec Pipeline isn’t
50. 50
REferences
● Confused panda: https://openclipart.org/detail/69289/confusedpanda
● Jousting Snails - a random twitter post I lost the URL for, sorry
● Map image: https://openclipart.org/detail/823/two-harbours-map
● Gandoff “Shall pass”:
https://shirt.woot.com/offers/halfling-height-requirement
● Pixie dust:
http://www.disneyeveryday.com/bottle-of-tinker-bells-pixie-dust-neck
lace/
● Iceberg of Ignorance:
https://corporate-rebels.com/iceberg-of-ignorance/