AppSec++
Taking the best of Agile, DevOps, and CI/CD into your AppSec Program
Matt Tesauro
matt.tesauro@owasp.org
Hello!
I am Matt Tesauro
I think AppSec needs to change
And I’m going to tell you how
matt.tesauro@owasp.org / @matt_tesauro
Who is this guy?
Custom Coachwork and Bespoke AppSec
The Phoenix Project
3 Ways of DevOps
#1 Workflow
Look at your purpose and those processes which aid it
AppSec Pipelines
Using CI/CD as inspiration, figure out your AppSec workflow
Custom made, with finite options
Key Features of AppSec Pipelines
◈ Designed for iterative improvement
◈ Provides a reusable path for AppSec activities to follow
◈ Provides a consistent process for both the team and our constituency
◈ One-way flow with well-defined states
◈ Relies heavily on automation
◈ Grows in functionality organically over time
◈ Gracefully interconnects with the development process
Pearson’s AppSec Pipeline
(Diagram: the DevOps Pipeline shown alongside the AppSec Pipeline)
“Spending time optimizing anything other than the critical resource is an illusion.”
- W. Edwards Deming
Key Goals of AppSec Pipelines
◈ Optimize the critical resource: AppSec personnel
Automate the things that don’t require a human brain
Drive up consistency
Increase tracking of work status
Increase flow through the system
Increase visibility and metrics
Reduce any dev team friction with application security
Why we like AppSec Pipelines
◈ Allow us to have visibility into WIP (work in progress)
Better understand/track/optimize flow of engagements
Average static test takes ...
◈Great increase in consistency
Each step has a well defined interface
◈ Easier moving of engagements between staff
Knowing who has what allows for more informed “cost of switching” conversations
◈ Flexible enough for a range of skills and app maturity
What can an AppSec Pipeline do for you?
2014: 44 assessments
2015: ~200 assessments (~5x increase)
Changes from 2014 to 2015:
- Created the AppSec Pipeline; initial launch in March 2015
- AppSec team numbers dropped: lost a couple of key people; approx 3.5 FTEs
- Two of the AppSec team members went meta for most of 2015
#2 Improve Feedback
Open yourself up to upstream and downstream information
A call to action...
AppSec Chat Ops
Making chat the way you do security
Advice for Devs - 24x7
FYI: You’re being attacked
CAMS / CALMS
◈ Culture, Automation, Measurement, Sharing
CALMS = CAMS + Lean
◈ Measurement = Metrics => Visibility
◈ Automate the drudgery
Allows meaningful personal interactions
◈ What would you want if you were the dev you’re talking to?
#3 Continual Experimentation and Learning
Create a culture of innovation and experimentation
What’s next?
Experiments in AppSec Pipelines
Weaponizing Jenkins
◈ Zero false positives
Anaphylactic shock
◈ Health Checks vs Scanning
Run these all the time
◈ Home of specific issue tests
Find a vuln, write a test
◈ Cadence for longer running tests
These NEVER break the build
Every X builds or every Y days
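The health-check-versus-scan split and the cadence rule from the slides above, as an added Python example (not code from the talk): specific-issue health checks run on every build and can break it, while long-running scanners run every X builds or every Y days and never gate the build. The check names, scanner names, cadences and the sample responses are assumed.

```python
"""Build-gating logic for the 'Weaponizing Jenkins' experiment (added example).
Health checks are zero-false-positive regression tests and may break the build;
scheduled scans run on a cadence and only feed findings to triage."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

START = datetime(2016, 1, 1)  # constructed reference clock for the example


def day(n: int) -> datetime:
    """Build-time clock: n days after START."""
    return START + timedelta(days=n)


@dataclass
class Response:
    """Minimal model of an HTTP response from the app under test."""
    status: int
    headers: Dict[str, str]
    body: str

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# "Find a vuln, write a test": each health check is a regression test for one
# specific issue that was found and fixed, so a failure is never a false positive.
def hsts_present(r: Response) -> bool:
    return r.header("Strict-Transport-Security") is not None


def no_server_version_banner(r: Response) -> bool:
    banner = r.header("Server") or ""
    return not any(ch.isdigit() for ch in banner)


def login_form_has_csrf_token(r: Response) -> bool:
    return 'name="csrf_token"' in r.body


HEALTH_CHECKS: Dict[str, Callable[[Response], bool]] = {
    "hsts-header": hsts_present,
    "no-server-version": no_server_version_banner,
    "login-csrf-token": login_form_has_csrf_token,
}


@dataclass
class ScheduledScan:
    """A long-running tool with an 'every X builds' and/or 'every Y days' cadence."""
    name: str                          # assumed names, e.g. "nikto", "zap-full"
    every_builds: Optional[int] = None
    every_days: Optional[int] = None
    last_build: Optional[int] = None
    last_run: Optional[datetime] = None

    def due(self, build: int, now: datetime) -> bool:
        if self.last_build is None or self.last_run is None:
            return True  # first ever run is always due
        by_builds = (self.every_builds is not None
                     and build - self.last_build >= self.every_builds)
        by_days = (self.every_days is not None
                   and now - self.last_run >= timedelta(days=self.every_days))
        return by_builds or by_days


def run_build(build: int, now: datetime, response: Response,
              scans: List[ScheduledScan]) -> Tuple[bool, List[str], List[str]]:
    """Returns (build_passes, failed_health_checks, scans_launched)."""
    failed = [name for name, check in HEALTH_CHECKS.items() if not check(response)]
    launched = []
    for scan in scans:
        if scan.due(build, now):
            launched.append(scan.name)
            scan.last_build, scan.last_run = build, now
    # Only health checks gate the build; scan findings go to triage, not to Jenkins.
    return (not failed), failed, launched
```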
Scaling with Docker Containers
docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
(Diagram: Tool Launch (python, Go) starts Docker security containers (ZAP, Nikto), returns the ZAP IP, runs the scan and pushes the results to S3)
Benefits
◈ Effectively Scales
◈ Build security tools once, run anywhere
◈ Ease of deployment
Pull in or scale out, your choice
(Diagram: pull Docker containers (ZAP, Nikto) in to your build server, or scale out to Docker Swarm)
AppSec Pipeline for Open Source
Jenkins Pipeline: Pipeline as Code
OWASP’s AppSec Pipeline for Projects
◈ Create an AppSec Pipeline of OWASP Projects to assess OWASP Projects
Use OWASP ZAP to scan OWASP Security Shepherd and store the results in OWASP Defect Dojo
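The final step above, storing the ZAP results in DefectDojo, as an added Python example (not code from the OWASP projects): it assumes the DefectDojo v2 `/api/v2/import-scan/` endpoint with `Token` authentication and the `ZAP Scan` scan type, which you should confirm against your instance; the URL, API key, engagement id and the XML report are placeholders or constructed.

```python
"""Upload a ZAP XML report to DefectDojo via its REST API (added example)."""
import json
import urllib.request
import uuid
from typing import Dict, Optional, Tuple

DOJO_URL = "https://defectdojo.example.invalid"  # placeholder
API_KEY = "REPLACE_WITH_DOJO_API_KEY"            # placeholder; never commit real keys

# Constructed stand-in for a ZAP XML report; a real one comes from the ZAP API.
SAMPLE_ZAP_XML = (b'<?xml version="1.0"?><OWASPZAPReport version="2.5.0">'
                  b'<site name="http://shepherd.local"></site></OWASPZAPReport>')


def build_multipart(fields: Dict[str, str], file_name: str,
                    file_bytes: bytes, boundary: str) -> bytes:
    """Encode text fields plus one file as a multipart/form-data body."""
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    parts += [f"--{boundary}".encode(),
              (f'Content-Disposition: form-data; name="file"; '
               f'filename="{file_name}"').encode(),
              b"Content-Type: application/xml", b"", file_bytes]
    parts += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(parts)


def build_import_request(report_xml: bytes, engagement_id: int,
                         boundary: Optional[str] = None
                         ) -> Tuple[str, Dict[str, str], bytes]:
    """Assemble URL, headers and body for DefectDojo's import-scan endpoint
    (field names per my reading of the v2 API; assumed, verify locally)."""
    boundary = boundary or uuid.uuid4().hex
    fields = {
        "scan_type": "ZAP Scan",
        "engagement": str(engagement_id),
        "active": "true",
        "verified": "false",          # findings still need AppSec triage
        "minimum_severity": "Low",
    }
    body = build_multipart(fields, "zap-report.xml", report_xml, boundary)
    headers = {
        "Authorization": f"Token {API_KEY}",
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    return f"{DOJO_URL}/api/v2/import-scan/", headers, body


def import_zap_report(report_xml: bytes, engagement_id: int) -> dict:
    """POST the report; returns DefectDojo's JSON response (test id etc.)."""
    url, headers, body = build_import_request(report_xml, engagement_id)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Only the request assembly runs offline; the POST needs a real instance.
    url, headers, body = build_import_request(SAMPLE_ZAP_XML, engagement_id=1)
    print(url, headers["Content-Type"], len(body), "bytes")
```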
Thanks!
Any questions?
Aaron Weaver
@weavera
aaron.weaver@owasp.org
/in/aweaver
github.com/aaronweaver
Matt Tesauro
@matt_tesauro
matt.tesauro@owasp.org
/in/matttesauro
github.com/mtesauro
Credits
Special thanks to all the people who made and
released these awesome resources for free:
◈ Presentation template by SlidesCarnival
◈ Photographs by Unsplash
◈ Backgrounds by SubtlePatterns
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
Matt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
Matt Tesauro
 

More from Matt Tesauro (18)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
 

Recently uploaded

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 

Recently uploaded (20)

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 

AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program

  • 18. 2014: 44 assessments
    2015: ~200 assessments, a ~5x increase
    Changes from 2014 to 2015:
    - Created the AppSec Pipeline (initial launch in March 2015)
    - AppSec team numbers dropped: lost a couple of key people, approx. 3.5 FTEs
    - Two of the AppSec team members went meta for most of 2015
  • 19. #2 Improve Feedback
    Open yourself up to upstream and downstream information
  • 20. A call to action...
  • 21. AppSec Chat Ops
    Making chat the way you do security
  • 22. Advice for Devs - 24x7
  • 24. CAMS / CALMS
    ◈ Culture, Automation, Measurement, Sharing; CALMS = CAMS + Lean
    ◈ Measurement = Metrics => Visibility
    ◈ Automate the drudgery; that frees people for meaningful personal interactions
    ◈ What would you want if you were the dev you're talking to?
  • 25. #3 Continual Experimentation and Learning
    Create a culture of innovation and experimentation
  • 26. What's next? Experiments in AppSec Pipelines
  • 27. Weaponizing Jenkins
    ◈ Zero false positives: one false alarm and the dev team goes into anaphylactic shock
    ◈ Health checks vs scanning: run the quick health checks all the time
    ◈ Home of specific-issue tests: find a vuln, write a test for it
    ◈ Cadence for longer-running tests: these NEVER break the build; run them every X builds or every Y days
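The three ideas on the Jenkins slide in working form, as an added example that is not code from the deck or from Jenkins itself: fast health checks and a specific-issue regression test that run on every build and may fail it, plus a cadence gate for slow scans whose findings are reported but never block. The response headers and cookie values are constructed, and every function name, header list and threshold is this example's own choice.

```python
# Added example (not from the deck): a Jenkins-friendly test module for the
# "Weaponizing Jenkins" slide. A Jenkins job runs it after deploying to a test
# environment; a non-zero exit breaks the build only for the health checks.
import sys

# Fast health checks over a response the job has already captured. They run on
# every build, so each one is written to produce zero false positives.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
}


def check_security_headers(headers):
    """Return a list of failures; an empty list means the check passed."""
    present = {k.lower(): v for k, v in headers.items()}
    failures = []
    for name, is_ok in REQUIRED_HEADERS.items():
        value = present.get(name.lower())
        if value is None:
            failures.append(f"missing {name}")
        elif not is_ok(value):
            failures.append(f"weak {name}: {value}")
    return failures


def check_session_cookie(set_cookie_values, name="JSESSIONID"):
    """Specific-issue test written after a finding ("find a vuln, write a test"):
    the session cookie must carry both Secure and HttpOnly.
    Returns the attributes that are missing, sorted."""
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        if parts[0].split("=", 1)[0] == name:
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            return sorted({"secure", "httponly"} - attrs)
    return []  # cookie not issued on this response, nothing to judge


def should_run_long_scan(build_number, days_since_last_run, every_n_builds=20, every_n_days=7):
    """Cadence gate for slow scans (full DAST, deep SAST): run on every Nth build
    or once N days have passed since the last run, whichever comes first.
    days_since_last_run=None means the scan has never run."""
    if days_since_last_run is None:
        return True
    return build_number % every_n_builds == 0 or days_since_last_run >= every_n_days


def build_verdict(health_failures, long_scan_findings):
    """Health-check failures break the build; long-scan findings are only
    reported (they go to the tracker, never to the build status)."""
    return {"break_build": bool(health_failures),
            "blocking": list(health_failures),
            "report_only": list(long_scan_findings)}


if __name__ == "__main__":
    # Constructed sample response, as a Jenkins job would capture it from the test env.
    sample_headers = {"X-Content-Type-Options": "nosniff",
                      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    sample_cookies = ["JSESSIONID=abc123; Path=/; HttpOnly"]
    failures = check_security_headers(sample_headers)
    failures += [f"session cookie missing {a}" for a in check_session_cookie(sample_cookies)]
    verdict = build_verdict(failures, long_scan_findings=[])
    print(verdict)
    sys.exit(1 if verdict["break_build"] else 0)
```

The build number and the days since the last run are what a Jenkins job has at hand (BUILD_NUMBER and a timestamp it stores between runs), which is why the cadence gate takes those rather than a schedule of its own.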
  • 29. docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
  • 30. Docker Security Tool Launch (Python, Go)
    Launcher -> ZAP container, Nikto container -> return ZAP IP -> run scan, push results to S3
  • 31. Benefits
    ◈ Effectively scales
    ◈ Build security tools once, run anywhere
    ◈ Ease of deployment
  • 32. Pull in or scale out, your choice
    Pull the Docker containers (ZAP, Nikto) in to your build server, or scale them out to Docker Swarm
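An added example, not the Python/Go launcher behind these slides: the launcher pieces for the docker run command on slide 29, written so they can be unit-tested without Docker present. The image name kali-pipeline and the run.sh argument order (tool command line, then results file) come from the slide; the -v results volume, the /results path inside the container, the S3 key layout, the boto3 upload and the sample docker inspect output are assumptions of this example.

```python
# Added example (not the deck's launcher). Assumes an image kali-pipeline whose
# /usr/local/bin/run.sh takes a tool command line and a results file, as on the
# docker run slide, and that run.sh writes its results to the path it is given.
import json
import os
import shlex
import subprocess

IMAGE = "kali-pipeline"
RUNNER = "/usr/local/bin/run.sh"

# Constructed `docker inspect` output (one container, default bridge network).
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123abcd",
    "Name": "/zap",
    "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}},
}])


def build_run_command(name, tool_argv, results_file, results_dir="/tmp/appsec-results",
                      image=IMAGE, network=None):
    """Build the `docker run` argv. The tool command is passed to run.sh as one
    argument, so it is quoted with shlex: a hostile target string (for example a
    hostname taken from a build parameter) cannot turn into shell syntax."""
    cmd = ["docker", "run", "--rm", "--name", name, "-v", f"{results_dir}:/results"]
    if network:
        cmd += ["--network", network]
    cmd += [image, RUNNER, shlex.join(tool_argv), f"/results/{results_file}"]
    return cmd


def container_ip(inspect_output):
    """Pick the container IP out of `docker inspect <name>` JSON; this is the
    "Return ZAP IP" step, so a scanner container can be pointed at ZAP."""
    for entry in json.loads(inspect_output):
        networks = entry.get("NetworkSettings", {}).get("Networks", {})
        for net in networks.values():
            if net.get("IPAddress"):
                return net["IPAddress"]
    return None


def inspect_container_ip(name):
    """Live version of container_ip: asks the Docker daemon (not used in tests)."""
    out = subprocess.run(["docker", "inspect", name], capture_output=True, text=True, check=True)
    return container_ip(out.stdout)


def results_key(tool, target, stamp):
    """S3 object key for one result file: one prefix per tool and target, timestamped
    (stamp is a string such as 20160501T120000Z). Layout is this example's choice."""
    return f"appsec/{tool}/{target}/{stamp}.txt"


def launch(name, tool, target, tool_argv, stamp, results_dir="/tmp/appsec-results",
           bucket=None, network=None):
    """Run the tool container, then push its results file to S3 when a bucket is given."""
    results_file = f"{name}.txt"
    os.makedirs(results_dir, exist_ok=True)
    subprocess.run(build_run_command(name, tool_argv, results_file, results_dir, network=network),
                   check=True)
    if bucket:
        import boto3  # assumption: boto3 installed, AWS credentials in the environment
        boto3.client("s3").upload_file(os.path.join(results_dir, results_file), bucket,
                                       results_key(tool, target, stamp))


if __name__ == "__main__":
    zap_ip = container_ip(SAMPLE_INSPECT)           # constructed data, no daemon needed
    print(" ".join(shlex.quote(a) for a in
                   build_run_command("nikto-1", ["nikto", "-h", zap_ip, "-T", "58"], "nikto-1.txt")))
```

Because the argv is a list and the inner command is joined with shlex, neither the host shell nor the shell inside the container ever sees an unquoted target string; that is the check worth keeping when the target comes from a build parameter or a chat bot.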
  • 36. OWASP's AppSec Pipeline for Projects
    ◈ Create an AppSec Pipeline of OWASP projects to assess OWASP projects: use OWASP ZAP to scan OWASP Security Shepherd and store the results in OWASP DefectDojo
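An added example of the ZAP to DefectDojo hand-off this slide describes; it is not OWASP's pipeline code. It parses ZAP's XML report format (the OWASPZAPReport/site/alerts/alertitem structure) from a constructed sample of a Security Shepherd scan, summarises alerts by risk, decides whether a human needs to look before the next scheduled run, and builds the POST to DefectDojo's /api/v2/import-scan/ endpoint with scan_type "ZAP Scan". The DefectDojo URL, API token, engagement id and the requests dependency are assumptions.

```python
# Added example (not OWASP pipeline code): ZAP XML report -> summary -> DefectDojo import.
import xml.etree.ElementTree as ET

RISK = {"3": "High", "2": "Medium", "1": "Low", "0": "Informational"}

# Constructed ZAP report: two alerts against a Security Shepherd test instance.
SAMPLE_ZAP_XML = """<?xml version="1.0"?>
<OWASPZAPReport version="2.5.0" generated="Sun, 1 May 2016 12:00:00">
  <site name="http://shepherd.test" host="shepherd.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <count>2</count>
        <cweid>79</cweid>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <count>5</count>
        <cweid>16</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_zap_alerts(xml_text):
    """One dict per ZAP alert (not per instance), tagged with the site it was seen on.
    Missing elements are tolerated: older reports lack <name>, so <alert> is the fallback."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.findall("site"):
        for item in site.findall("./alerts/alertitem"):
            alerts.append({
                "site": site.get("name"),
                "pluginid": item.findtext("pluginid"),
                "name": item.findtext("name") or item.findtext("alert"),
                "risk": RISK.get(item.findtext("riskcode", ""), "Unknown"),
                "instances": int(item.findtext("count", "0")),
                "cwe": item.findtext("cweid"),
            })
    return alerts


def summarize(alerts):
    """Alert counts per risk level, always including the four ZAP levels."""
    counts = {label: 0 for label in RISK.values()}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    return counts


def needs_triage(summary, max_high=0, max_medium=None):
    """DAST runs on a cadence and never breaks the build; this only decides whether
    someone should look at the engagement before the next run."""
    if summary.get("High", 0) > max_high:
        return True
    return max_medium is not None and summary.get("Medium", 0) > max_medium


def build_import_request(dojo_url, api_key, engagement_id, minimum_severity="Low"):
    """URL, headers and form fields for DefectDojo's import-scan endpoint (API v2)."""
    url = dojo_url.rstrip("/") + "/api/v2/import-scan/"
    headers = {"Authorization": f"Token {api_key}"}
    data = {"scan_type": "ZAP Scan", "engagement": str(engagement_id),
            "minimum_severity": minimum_severity, "active": "true", "verified": "false"}
    return url, headers, data


def import_scan(dojo_url, api_key, engagement_id, report_path):
    """Upload the report file; `requests` is assumed to be installed (not run in tests)."""
    import requests
    url, headers, data = build_import_request(dojo_url, api_key, engagement_id)
    with open(report_path, "rb") as fh:
        resp = requests.post(url, headers=headers, data=data, files={"file": fh}, timeout=120)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    found = parse_zap_alerts(SAMPLE_ZAP_XML)
    print(summarize(found), "needs triage:", needs_triage(summarize(found)))
```

Keeping the request builder separate from the upload means the import settings (engagement, minimum severity, active/verified flags) can be checked in a unit test, while the one call that needs a live DefectDojo stays in import_scan.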
  • 39. Thanks! Any questions?
    Aaron Weaver: @weavera, aaron.weaver@owasp.org, /in/aweaver, github.com/aaronweaver
    Matt Tesauro: @matt_tesauro, matt.tesauro@owasp.org, /in/matttesauro, github.com/mtesauro
  • 40. Credits
    Special thanks to all the people who made and released these awesome resources for free:
    ◈ Presentation template by SlidesCarnival
    ◈ Photographs by Unsplash
    ◈ Backgrounds by SubtlePatterns