The document discusses the evolution of application security (AppSec) towards automation and integration within DevOps practices, emphasizing the need to improve efficiency and visibility in security processes. It highlights the importance of leveraging tools like OWASP Defectdojo for vulnerability management, automation, and collaboration between AppSec and development teams. The presentation outlines strategies for developing different generations of AppSec pipelines to enhance security coverage, streamline workflows, and support continuous learning and experimentation.

1. Continuous Security:
Using Automation to
Expand Security’s Reach

2. I am Matt Tesauro
I think AppSec needs to change and
I’m going to tell you how I see it changing
matt.tesauro@10Security.com / @matt_tesauro
2

3. Who is this guy?
✖ Reformed programmer and AppSec Engineer
✖ 11+ years in the OWASP community
○ OWASP AppSec Pipeline
○ OWASP DefectDojo
○ OWASP WTE
✖ 20+ years using Floss and Linux
✖ Currently a Go language fanbox
✖ Ee Dan in Tang Soo Do Mi Guk Kwan
(2nd degree black belt)
3

4. The money shot
4

5. Not everything
about completing
a goal is sunshine
and roses...
The Anti-money shot
5

6. Quick Survey
Raise your hand if you work in:
✖ AppSec
✖ Product Security
✖ Security Engineering
✖ DevOps
aka DevSecOps,
SecDevOps, DevOpsSec,
OpsDevSec, OpsDevSecOpsDev...

7. Traditional AppSec
Where all this started not so long ago
7

8. What Traditional AppSec Tooling feels like:
8

9. 9

10. 10
The purpose of an
AppSec program is to
evaluate the security
status of the suite of
apps for a business
Basically, to provide a
map to guide business
decisions.

11. Do you have a full view of
your Application landscape?
11

12. DevSecOps Automation
What are the key things to be aware of
12

13. W Edward DemIng
Spending time
optimizing
anything other than
the critical resource
is an illusion
13

14. Your people are the
critical resource
14

15. There’s never enough people or time...
✖ AppSec team size is small vs Dev team
✖ Automate all those things that don’t take
a human brain
✖ DefectDojo (and the rest API) is the heart
of your automation efforts - your single
source of truth

16. OWASP DefectDojo
An open-source application vulnerability
correlation and security orchestration tool.
The source of truth for a security program that
manages to make vulnerability management work
✖ Consolidating and dedup’ing findings
○ 66+ different tools supported
✖ Maintain product and app info/metadata
✖ Push findingst to defect trackers
✖ Automation with a REST API
16

17. The “Three Ways of DevOps”
1. Workflow
“Look at your purpose and those processes which aid it”
2. Improve Feedback
“Open yourself to upstream & downstream info”
3. Continual Experimentation and Learning
“Create a culture of innovation and experimentation”
17

18. AppSec Personnelle
They are the critical resource so
optimize their work
✖ Automate the non-human brain things
✖ Drive up consistency
✖ Increase tracking of work status
✖ Increase flow through the system
✖ Increase visibility and metrics
✖ Reduce any friction with dev teams
18

19. Let’s be honest for a minute...
19

20. 20
Talk to your constituency
in the language
that THEY speak,
not the one you speak.

21. As as exercise for the student
21

22. AppSec Pipelines
Why let dev teams own all the good ideas
22

24. What’s this AppSec pipeline all about?
✖ Better visibility into WIP
✖ Better understand/track/optimize flow of
DevSecOps work
✖ Significant increase in consistency
○ Each step has a well defined interface
✖ Understanding the cost of switching
✖ Flexible enough for a range of skills &
program maturity
24

25. Remember that DevOps stuff?
For better or worse, DevOps is changing IT
✖ Smaller quicker iterations
○ CI/CD, Cloud, Serverless, Microservices
✖ More agility to meet customer needs and
keep up with competitors
✖ Cost of experimentation goes down
25

26. Gen 1 AppSec Pipelines
Look at your team’s purpose and
those processes which aid it
26

28. Real-World AppSec Pipeline example

29. 29
Get your house in order

30. Gen 2 AppSec Pipelines
Look outside team’s purpose and
those processes which aid it
30

31. Integrate with DevOpsTeams
DevOps Pipeline AppSec Pipeline
Drop tool(s)
into their
pipeline

32. Gen 3 AppSec Pipelines
Scale your teams reach and
dramatically increase
speed and visibility
32

33. ✖ A way to conduct automated testing
✖ Run by the AppSec team to
○ Provide visibility of software posture
○ Provide findings to the dev teams
✖ Means to scale AppSec team coverage
○ No in-depth testing, breadth
○ Pre-calculate testing
✖ Creates a security baseline
33
What does a Gen3 AppSec Pipeline get me?

34. ✖ The one thing that will fix all your problems
✖ A gate that blocks deploys
(especially at first)
✖ Pipeline create artifacts
○ CI/CD => deployed apps
○ AppSec Pipelines =>
Security Findings
34
What an AppSec Pipeline isn’t

37. 37
So why should you build an
AppSec Pipeline?

38. Another
Real-World
AppSec Pipeline

39. 39
AppSec Pipeline Stats
15 Repos
4 Months
5,100 Runs
25,000+
Container Executions

40. Remember me?

41. 2014 2015 2016
Number of
Assessments 44 224 414
Headcount N/A -3.5 -2
Percentage
Increase N/A 450% 107%
41

42. 42
840.91%
Percentage Increase

43. 43

44. 44

45. 45

46. 46
https://github.com/appsecpipeline/gasp-docker

47. 47

48. 48
Create an AppSec Pipeline and push visibility north
Visibility

49. Thanks!
Any questions?
You can find me at:
@matt_tesauro
matt.tesauro@10Security.com
49

50. 50
REferences
● Confused panda: https://openclipart.org/detail/69289/confusedpanda
● Jousting Snails - a random twitter post I lost the URL for, sorry
● Map image: https://openclipart.org/detail/823/two-harbours-map
● Gandoff “Shall pass”:
https://shirt.woot.com/offers/halfling-height-requirement
● Pixie dust:
http://www.disneyeveryday.com/bottle-of-tinker-bells-pixie-dust-neck
lace/
● Iceberg of Ignorance:
https://corporate-rebels.com/iceberg-of-ignorance/