This document discusses the fundamentals and evolution of DevSecOps. It begins by introducing the author and their background. It then outlines key DevSecOps concepts like reducing complexity, managing dependencies, shared understanding, enabling default security controls, fully utilizing frameworks, embracing cloud-native principles, codifying processes, treating servers as cattle, and automating workflows. The document also discusses the importance of DefectDojo and generating AppSec pipelines to integrate security testing into development pipelines in order to scale efforts and increase visibility, consistency, and flow. It emphasizes automating non-human tasks to optimize security personnel.

1. DevSecOps Fundamentals
And Scars to Prove It

2. I am Matt Tesauro
I think Dev(App)SecOps needs to change and
I’m going to tell you how I see it changing
matt.tesauro@10Security.com / @matt_tesauro
2

3. Who is this guy?
✖ Reformed programmer and AppSec Engineer
✖ 11+ years in the OWASP community
○ OWASP AppSec Pipeline
○ OWASP DefectDojo
○ OWASP WTE
✖ 20+ years using Floss and Linux
✖ Currently a Go language fanboy
✖ Ee Dan in Tang Soo Do Mi Guk Kwan
(2nd degree black belt)
3

4. The money shot
4

5. Not everything
about completing
a goal is sunshine
and roses...
The Anti-money shot
5

6. Traditional AppSec
Where all this started not so long ago
6

7. Traditional AppSec
Where all this started not so long ago
7
Security

8. What Traditional Tooling feels like:
8

9. 9

10. Let’s be honest for a minute...
10

11. 11

12. 12
The purpose of an
AppSec program is to
evaluate the security
status of the suite of
apps for a business
Basically, to provide a
map to guide business
decisions.

13. Do you have a full view of
your Application landscape?
13

14. There’s one more thing
DevSecOps should do...
14

15. 15
Provide a clear and direct path for teams to follow

16. DevSecOps Concepts
What you should have in mind going forward
16

17. 17
#1 Drive Down Complexity
VS

18. 18
#2 Dependency Management
Balance what you
rely on vs what you
interact with -
things disappear...

19. 19
#3 Shared Clear Understanding
How many assumptions
are hiding in your
whiteboards?
whiteboard != design
whiteboard != shared
understanding

20. 20
#4 Default Security Controls to On
There’s a reason you
have to turn OFF
airbags
Caddy server +
Let’s Encrypt

21. 21
#5 Utilize Frameworks Fully
Do you really
KNOW the
framework
you’re using
and the
security
features it has?

22. 22
#6 Embrace 12 Factor Apps
Cloud-Native before Cloud-Native was cool

23. 23
#7 Codify & Checklist-ify your processes
Makes work:
● Easy to
repeat
● Consistent
● Future
Automation
Friendly
FAF™

24. 24
#8 Servers like Cattle not Pets

25. 25
#8a Servers like Cattle not Pets
Kleenex Handkerchiefs

26. 26
#9 Explode Your Processes
Break existing work into pieces
● Think EAR™
○ Event
○ Action (function)
○ Result / Inform (chatops?)
● Pick a checklist item &
automate (repeat until done)
● Pre-Compute Future Security
Work

27. DevSecOps Automation
What are the key things to be aware of
27

28. W Edward DemIng
Spending time
optimizing
anything other than
the critical resource
is an illusion
28

29. Your people are the
critical resource
29

30. There’s never enough people or time...
✖ AppSec team size is small vs Dev team
✖ Automate all those things that don’t take
a human brain
✖ DefectDojo (and the rest API) is the heart
of your automation efforts - your single
source of truth

31. OWASP DefectDojo
An open-source application vulnerability
correlation and security orchestration tool.
The source of truth for a security program that
manages to make vulnerability management work
✖ Consolidating and dedup’ing findings
○ 68+ different tools supported
✖ Maintain product and app info/metadata
✖ Push findingst to defect trackers
✖ Automation with a REST API
31

32. The “Three Ways of DevOps”
1. Workflow
“Look at your purpose and those processes which aid it”
2. Improve Feedback
“Open yourself to upstream & downstream info”
3. Continual Experimentation and Learning
“Create a culture of innovation and experimentation”
32

33. AppSec Personnelle
They are the critical resource so
optimize their work
✖ Automate the non-human brain things
✖ Drive up consistency
✖ Increase tracking of work status
✖ Increase flow through the system
✖ Increase visibility and metrics
✖ Reduce any friction with dev teams
33
Security

34. 34
Talk to your constituency
in the language
that THEY speak,
not the one you speak.

35. As as exercise for the student
35

36. AppSec Pipelines
Why let dev teams own all the good ideas
36

38. What’s this AppSec pipeline all about?
✖ Better visibility into WIP
✖ Better understand/track/optimize flow of
DevSecOps work
✖ Significant increase in consistency
○ Each step has a well defined interface
✖ Understanding the cost of switching
✖ Flexible enough for a range of skills &
program maturity
38

39. Gen 1 AppSec Pipelines
Look at your team’s purpose and
those processes which aid it
39

41. Real-World AppSec Pipeline example

42. 42
Get your house in order

43. Gen 2 AppSec Pipelines
Look outside team’s purpose and
those processes which aid it
43

44. Integrate with DevOpsTeams
DevOps Pipeline AppSec Pipeline
Drop tool(s)
into their
pipeline

45. Gen 3 AppSec Pipelines
Scale your teams reach and
dramatically increase
speed and visibility
45

46. ✖ A way to conduct automated testing
✖ Run by the AppSec team to
○ Provide visibility of software posture
○ Provide findings to the dev teams
✖ Means to scale Security team coverage
○ No in-depth testing, breadth
○ Pre-calculate testing
✖ Creates a security baseline
46
What does a Gen3 AppSec Pipeline get me?

47. ✖ The one thing that will fix all your problems
✖ A gate that blocks deploys
(especially at first)
✖ Pipeline create artifacts
○ CI/CD => deployed apps
○ AppSec Pipelines =>
Security Findings
47
What an AppSec Pipeline isn’t

48. 48
First get the Cake then do the icing

50. 50
So why should you build an
AppSec Pipeline?

51. Another
Real-World
AppSec Pipeline

52. 52
AppSec Pipeline Stats
15 Repos
4 Months
5,100 Runs
25,000+
Container Executions

53. Remember me?

54. 2014 2015 2016
Number of
Assessments 44 224 414
Headcount N/A -3.5 -2
Percentage
Increase N/A 450% 107%
54

55. 55
840.91%
Percentage Increase

56. 56

57. 57

58. 58
DevSecOps can help push visibility north
Visibility

59. 59

60. Thanks!
Any questions?
You can find me at:
@matt_tesauro
matt.tesauro@10Security.com
60

61. 61
REferences
● Confused panda: https://openclipart.org/detail/69289/confusedpanda
● Jousting Snails - a random twitter post I lost the URL for, sorry
● Map image: https://openclipart.org/detail/823/two-harbours-map
● Gandoff “Shall pass”:
https://shirt.woot.com/offers/halfling-height-requirement
● Pixie dust:
http://www.disneyeveryday.com/bottle-of-tinker-bells-pixie-dust-neck
lace/
● Iceberg of Ignorance:
https://corporate-rebels.com/iceberg-of-ignorance/