Building an AppSec Pipeline: Keeping your program, and your life, sane

weaveraaaron
May. 28, 2015
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
1 of 46

Building an AppSec Pipeline: Keeping your program, and your life, sane

May. 28, 2015
Download to read offline
Technology

Are you currently running at AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you’re catching vulnerabilities as early and often as possible? The AppSec team and the business created an AppSec Pipeline to handle the work flow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place.

weaveraaaron

Recommended

Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro6.1K views46 slides
devops devops
devops Somkiat Puisungnoen440 views75 slides
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie1.2K views11 slides
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...Edureka!1.6K views14 slides
DevSecOpsDevSecOps
DevSecOpsCheah Eng Soon641 views17 slides
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro2K views54 slides

More Related Content

Slideshows for you

Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran3.4K views19 slides
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash777 views37 slides
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier835 views40 slides
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi717 views14 slides
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines Abdul_Mujeeb551 views14 slides
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad172 views13 slides

Slideshows for you(20)

Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran3.4K views
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash777 views
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier835 views
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi717 views
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb551 views
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad172 views
What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...
What is Continuous Integration? | Continuous Integration with Jenkins | DevOp...
Edureka!524 views
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group801 views
The story of SonarQube told to a DevOps EngineerThe story of SonarQube told to a DevOps Engineer
The story of SonarQube told to a DevOps Engineer
Manu Pk7.9K views
DevOps introDevOps intro
DevOps intro
Abdelrhman Shawky136 views
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic 9.9K views
DevOps Monitoring and AlertingDevOps Monitoring and Alerting
DevOps Monitoring and Alerting
Khairul Zebua346 views
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran776 views
Transforming Organizations with CI/CDTransforming Organizations with CI/CD
Transforming Organizations with CI/CD
Cprime11K views
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services1.5K views
DevOps avec Ansible et DockerDevOps avec Ansible et Docker
DevOps avec Ansible et Docker
Stephane Manciot21.3K views
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif9043421.8K views
DevOps Approach (Point of View by Ravi Tadwalkar)DevOps Approach (Point of View by Ravi Tadwalkar)
DevOps Approach (Point of View by Ravi Tadwalkar)
Ravi Tadwalkar14K views
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype 4.8K views
Nagios Monitoring Tool Tutorial | Server Monitoring with Nagios | DevOps Trai...Nagios Monitoring Tool Tutorial | Server Monitoring with Nagios | DevOps Trai...
Nagios Monitoring Tool Tutorial | Server Monitoring with Nagios | DevOps Trai...
Edureka!618 views

Similar to Building an AppSec Pipeline: Keeping your program, and your life, sane

Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro783 views55 slides
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro2.5K views70 slides
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Matt Tesauro3.7K views73 slides
Forward5 Auxis VMwareForward5 Auxis VMware
Forward5 Auxis VMwareAuxis Consulting & Outsourcing297 views14 slides
Freedom and ResponsibilityFreedom and Responsibility
Freedom and ResponsibilityMike Ruangutai823 views57 slides
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson45 views61 slides

Similar to Building an AppSec Pipeline: Keeping your program, and your life, sane(20)

Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro783 views
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro2.5K views
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro3.7K views
Forward5 Auxis VMwareForward5 Auxis VMware
Forward5 Auxis VMware
Auxis Consulting & Outsourcing297 views
Freedom and ResponsibilityFreedom and Responsibility
Freedom and Responsibility
Mike Ruangutai823 views
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson45 views
AWS18 Startup Day Toronto- Launching your Application the Amazon WayAWS18 Startup Day Toronto- Launching your Application the Amazon Way
AWS18 Startup Day Toronto- Launching your Application the Amazon Way
Amazon Web Services140 views
Achieve Scale & Velocity with AWS OpsWorks for Chef AutomateAchieve Scale & Velocity with AWS OpsWorks for Chef Automate
Achieve Scale & Velocity with AWS OpsWorks for Chef Automate
Amazon Web Services914 views
Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0
Pivotal korea transformation_strategy_seminar_enterprise_dev_ops_20160630_v1.0
minseok kim304 views
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project success
Adam Stephensen342 views
Lights-Out Testing for Lights-On BusinessLights-Out Testing for Lights-On Business
Lights-Out Testing for Lights-On Business
Worksoft869 views
Keys to Continuous Delivery Success - Mark Warren, Product Director, Perforc...Keys to Continuous Delivery Success - Mark Warren, Product Director, Perforc...
Keys to Continuous Delivery Success - Mark Warren, Product Director, Perforc...
Perforce1.4K views
SplunkLive! London 2016 Splunk for DevopsSplunkLive! London 2016 Splunk for Devops
SplunkLive! London 2016 Splunk for Devops
Splunk652 views
Keys to continuous testing for faster delivery euro star webinar Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar
TEST Huddle885 views
Moving to Agile Methods and DevOps on IBM i with ARCAD Pack for Rational 1479...Moving to Agile Methods and DevOps on IBM i with ARCAD Pack for Rational 1479...
Moving to Agile Methods and DevOps on IBM i with ARCAD Pack for Rational 1479...
Philippe Krief4.8K views
Continuous Performance Testing and Monitoring in Agile DevelopmentContinuous Performance Testing and Monitoring in Agile Development
Continuous Performance Testing and Monitoring in Agile Development
Neotys44 views
Compliance Automation with Inspec Part 1Compliance Automation with Inspec Part 1
Compliance Automation with Inspec Part 1
Chef1.1K views
Deployment Automation for Hybrid Cloud and Multi-Platform EnvironmentsDeployment Automation for Hybrid Cloud and Multi-Platform Environments
Deployment Automation for Hybrid Cloud and Multi-Platform Environments
IBM UrbanCode Products4.4K views
The Need for AppOps in the Dynamic Data Center and CloudThe Need for AppOps in the Dynamic Data Center and Cloud
The Need for AppOps in the Dynamic Data Center and Cloud
AppFirst859 views
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey2.1K views

Recently uploaded

A new era of Wi-Fi has arrivedA new era of Wi-Fi has arrived
A new era of Wi-Fi has arrivedAdtran67 views11 slides
GDSC INFO.pptxGDSC INFO.pptx
GDSC INFO.pptxAshishChanchal136 views15 slides
ECE ANURANAN 2023ECE ANURANAN 2023
ECE ANURANAN 2023Bishal20Hazarika103448 views70 slides
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For BusinessPaul Nguyen56 views25 slides
Graph Neural Networks.pptxGraph Neural Networks.pptx
Graph Neural Networks.pptxKumar Iyer19 views30 slides
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsNoSQL Database Migration Masterclass - Session 3: Migration Logistics
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsScyllaDB27 views32 slides

Recently uploaded(20)

A new era of Wi-Fi has arrivedA new era of Wi-Fi has arrived
A new era of Wi-Fi has arrived
Adtran67 views
GDSC INFO.pptxGDSC INFO.pptx
GDSC INFO.pptx
AshishChanchal136 views
ECE ANURANAN 2023ECE ANURANAN 2023
ECE ANURANAN 2023
Bishal20Hazarika103448 views
An Introduction To Using ChatGPT For BusinessAn Introduction To Using ChatGPT For Business
An Introduction To Using ChatGPT For Business
Paul Nguyen56 views
Graph Neural Networks.pptxGraph Neural Networks.pptx
Graph Neural Networks.pptx
Kumar Iyer19 views
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsNoSQL Database Migration Masterclass - Session 3: Migration Logistics
NoSQL Database Migration Masterclass - Session 3: Migration Logistics
ScyllaDB27 views
FewShotExamples.pptxFewShotExamples.pptx
FewShotExamples.pptx
Alok Ranjan20 views
CloudStack Object Storage Framework & DemoCloudStack Object Storage Framework & Demo
CloudStack Object Storage Framework & Demo
ShapeBlue109 views
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdfDiogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
Diogo Monteiro- KAMK Certificate - Demola Global Project 2023.pdf
DiogoMonteiro78696022 views
Welcome and State of Apache CloudStack CommunityWelcome and State of Apache CloudStack Community
Welcome and State of Apache CloudStack Community
ShapeBlue149 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
Workshop on IoT and Basic Home Automation_BAIUST.pptxWorkshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptx
Redwan Ferdous27 views
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf
[KCD GT 2023] Demystifying etcd failure scenarios for Kubernetes.pdf
William Caban45 views
How SACCOs can increase their memberships AD_compressed (1).pdfHow SACCOs can increase their memberships AD_compressed (1).pdf
How SACCOs can increase their memberships AD_compressed (1).pdf
CoretecDigital75 views
Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptx
Alok Ranjan51 views
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
AI and ML Series - Leveraging Generative AI and LLMs Using the UiPath Platfor...
DianaGray1048 views
CloudStack Managed User-data & DemoCloudStack Managed User-data & Demo
CloudStack Managed User-data & Demo
ShapeBlue107 views
GDSC SRMCEM Info Session 2023GDSC SRMCEM Info Session 2023
GDSC SRMCEM Info Session 2023
HariOM Dwivedi56 views
dvss.pptdvss.ppt
dvss.ppt
SaikrishnaCheruvu1354 views
Stanford AI Report 2023Stanford AI Report 2023
Stanford AI Report 2023
Kapil Khandelwal (KK)19 views

Building an AppSec Pipeline: Keeping your program, and your life, sane

  1. Aaron Weaver Application Security Manager, Pearson plc Building an AppSec Pipeline: Keeping your program, and your life, sane
  2. 189 seconds is the average time in a drive-thru
  3. Instrumentation
  4. Standardization of products and processes. A Big Mac is a Big Mac wherever you purchase it in the U.S., and this emphasis on reliable and highly standardized product offerings, as well as uniform production processes, is something fast-food companies have perfected. Source: ValueStreamGuru.com
  5. A production process approach Different work cells within an individual restaurant combine to make the finished product, allowing for maximum efficiency in each work unit. Source: ValueStreamGuru.com
  6. A flexible and multi-skilled workforce Each employee specializing within a role but also being trained to step into other areas whenever needed. Source: ValueStreamGuru.com
  7. Lean production Maximizes the use of a facility's space. Fast- food kitchens are rarely large, but their output is tremendous, meaning they get the most from the limited space available. Source: ValueStreamGuru.com
  8. What would it look like if AppSec ran fast food?
  9. AppSec Pipeline
  10. Your front door
  11. minimal viable product [MVP] product
  12. Polled the Team ?
  13. Bag of Holding (BoH)
  14. What does BoH do? • Manages our Application Security Program • Application Repository • Engagement Tracking • Report Repository • Comments on any application, engagement or activity • Data Classification and PII data • Time taken on secure software activities • Historical knowledge of past assessments • Credential repository • Environment details
  15. Length of Activities
  16. 24
  17. 25 Social, erm Yes.
  18. 26
  19. Security Tool Vendors: If I can do it with the UI, I want to do it with an API. - Matt Tesauro
  20. | Open Source Orchestration • Integrate Security Tools and Workflow • Example: • Generic API for dynamic scanning • URL • Credentials • Profile • Call any Dynamic Scanner: • OWASP ZAP • BurpSuite • AppScan
  21. Automate False Positive Reduction 2+ 3+ 4+ 5+
  22. 34 Scheduling Application Assessments • PCI every quarter • Compliance policy requirement to manually assess twice a year
  23. Watch a Code Branch or the doAuth() method Change Exceeds Threshold Trigger a Review | Open Source 1 2 3 Automate Assessment Requests
  24. Your command line where you have your conversations. Will Bot
  25. AppSec Help
  26. AppSec Advice
  27. Threadfix Integration And more: • Create an Application • Get Summary Metrics for Application Program
  28. Threadfix/Static Integration
  29. Go build. Make it better.
  30. Q&A Thank you!
  31. @weavera aaron.weaver2@gmail.com /in/aweaver
  32. Photo Credits • Chicago street photography - The One That Got Away https://goo.gl/I6FLgl • Silos https://goo.gl/3g9M38 • Kid https://goo.gl/NlwmBW • Hipster https://goo.gl/52VUyV 46

Editor's Notes

  1. AppSec tools tend to be their own silo
  2. Instead of send around curl commands or distributing runtimes deploy it to your chatops server!