The document outlines the development of an application security (appsec) pipeline, emphasizing the importance of optimizing human resources within the process. It discusses key stages of the pipeline, including intake, testing, and delivery, and highlights tools like Threadfix for managing appsec activities and metrics. Additionally, it introduces orchestration strategies to integrate appsec into DevOps workflows effectively.

1. Building an AppSec Pipeline:
Keeping your program, and
your life, sane
Aaron Weaver
Protiviti
Matt Tesauro
Pearson

2. Henry Ford: The sponsor of the
development of the assembly line

3. Assembly Lines

4. The Phoenix Project
3 Ways of DevOps
Strategies for Improving
Operations

5. #1 - Workflow
Look at your purpose and those
processes which aid it

6. #2 - Improve Feedback
Open yourself to upstream
and downstream information

7. #3 - Continual
Experimentation & Learning
Create a culture of innovation
and experimentation

8. AppSec Pipelines

9. Spending time
optimizing anything
other than the critical resource is
an illusion.

10. For AppSec
the critical resource is
the people.

12. Our Pipeline

13. Pipeline - Intake
▪ “First Impression”
▪Major categories of Intake
- Existing App
- New App
- Previously tested App
- App to re-test findings
▪Key Concepts
- Ask for data about Apps only once
- Have data reviewed when an App returns
- Adapt data collected based on broad
categories of Apps

14. Pipeline - Test
▪Inbound request triage
▪Ala Carte App Sec
- Dynamic Testing
- Static Testing
- Re-Testing mitigated findings
- Mix and match based on risk
▪Key Concepts
- Activities can be run in parallel
- Automation on setup, configuration, data
export
- People focus on customization rather than

15. Pipeline - Deliver
▪Source of truth for all AppSec Activities
▪ThreadFix is used to
- Dedup / Consolidate findings
- Normalize scanner data
- Generate Metrics
- Push issues to bug trackers
▪Report and metrics automation
- REST + tfclient
▪Source of many touch points with external
teams

18. Application Security Tools Orchestration
Automate Security Tooling

19. Integrating into the DevOps Pipeline
DevOps Pipeline AppSec Pipeline

20. Dev & AppSec Tool Integration
OWASP ZAP
Proxy
BuildManageCode Store
RAPTOR
Deploy
OWASP ZAP
Proxy
*Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.

21. Bag of Holding
aka BoH
github.com/PearsonEducation/bag-of-holding

22. Minimal Viable Product

23. What does BoH do?
▪Manages our Application Security Program
▪Application Repository
▪Engagement Tracking
▪Report Repository
▪Comments on any application, engagement or activity
▪Data Classification and PII data
▪Time taken on secure software activities
▪Historical knowledge of past assessments
▪Credential repository
▪Environment details

24. Application Repository

25. Application Security Profile

26. Scheduling of Secure Software Activities

27. AppSec ChatOps
aka Will

28. Your command line where you have your conversations.

29. AppSec Help

30. AppSec Advice

31. Threadfix Integration
And more:
Create an Application
Get Summary Metrics for
AppSec Program

32. BOH/Threadfix/Static Integration
Setup recurring static analysis in about 1 minute!

33. https://www.owasp.org/index.php/OWASP_AppSec_Pipeline

34. Thanks!
Aaron Weaver
@weavera
aaron.weaver@owasp.org
aaron.weaver2@gmail.com
/in/aweaver
Matt Tesauro
@matt_tesauro
matt.tesauro@owasp.org
mtesauro@gmail.com
/in/matttesauro
github.com/mtesauro