SlideShare a Scribd company logo

Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest

M
Matt Tesauro

The document outlines the development of an open-source application security (AppSec) pipeline designed to optimize security processes while integrating with existing development workflows. Key features include automation, iterative improvement, and a well-defined process that enhances visibility and communication among development and security teams. Tools mentioned, such as ThreadFix and Gauntlt, aim to streamline testing, reporting, and issue management to reduce friction in application security practices.

Software
1 of 55
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Building an Open Source AppSec Pipeline: Keeping your program, and your life, sane.
6 months with Pearson Senior Software Security Engineer Prior to Pearson ● Rackspace - Lead Engineer, Product Security ● AppSec consulting o VP Services, Praetorian o Consultant Trustwave’s Spiderlabs ● TEA - Senior Security Engineer ● DIR - Penetration Tester ● Texas A&M University o Systems Analyst, Sys Admin, Developer, DBA o Lecturer in MIS department ● Viatel - Internet App Developer Who am I?
Other professional experience ● OWASP Live CD / OWASP WTE o Project lead 2008 to present o Over 300K downloads o http://appseclive.org ● OWASP Foundation Board of Directors o International charity focused on improving software security ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences ● Application Security Training internationally ● B.S. Economics, M.S. in MIS o Strong believer in the value of cross- discipline study Who am I?
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Assembly Lines...
The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
AppSec Pipelines Figuring out your workflow
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Our AppSec Pipeline
Key Features of AppSec Pipelines ● Designed for iterative improvement ● Provides a reusable path for AppSec activities to follow ● Provides a consistent process for both the team and our constituency ● One way flow with well-defined states ● Relies heavily on automation ● Has the ability to grow in functionality organically over time ● Gracefully interconnects with the development process
Spending time optimizing anything other than the critical resource is an illusion.
Key Goals of AppSec Pipelines • Optimize the critical resource - AppSec personnel ● Automate all the things that don’t require a human brain ● Drive up consistency ● Increase tracking of work status ● Increase flow through the system ● Increase visibility and metrics ● Reduce any dev team friction with application security
Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
Pipeline – the Middle ● Inbound request triage ● Ala Carte App Sec ● Dynamic Testing ● Static Testing ● Re-Testing mitigated findings ● Mix and match based on risk ● Key Concepts ● Activities can be run in parallel ● Automation on setup, configuration, data export ● People focus on customization rather than setup
Pipeline – the End ● Source of truth for all AppSec activities ● ThreadFix is used to ● Dedup / Consolidate findings ● Normalize scanner data ● Generate Metrics ● Push issues to bug trackers ● Report and metrics automation ● REST + tfclient ● Source of many touch points with external teams
Why we like AppSec Pipelines ● Allow us to have visibility into WIP ● Better understand/track/optimize flow of engagements ● Average static test takes ... ● Great increase in consistency ● Easier re-allocation of engagements between staff ● Each step has a well defined interface ● Knowing who has what allows for more informed “cost of switching” conversations ● Flexible enough for a range of skills and app maturity
Bag of Holding aka BOH
What does BoH do? • Manages our Application Security Program • Application Inventory/ Meta data Repository • Engagement Tracking • Report Repository • Comments on any application, engagement or activity • Data Classification and PII data • Time taken on secure software activities • Historical knowledge of past assessments • Credential repository • Environment details
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
AppSec ChatOps aka Will
Security Tool Vendors: If I can do it with the UI, I want to do it with an API. - Matt Tesauro
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Your new command line where you have your conversations. Will Bot
AppSec Help
AppSec Advice
Threadfix Integration And more: • Create an Application • Get Summary Metrics for AppSec Program
BOH/Threadfix/Static Integration Setup recurring static analysis in about 1 minute!
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Experimentation kick things up a notch
"I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
I have not failed. I've just found 10,000 ways that won't work. - Thomas A. Edison
Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues •ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and defect tracker APIs • Get management sold first
Agent – one mole to rule them all •Add an agent to the standard deploy • Read-only helps sell to Ops • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor Mozilla MIG
Turn Vuln scanning on its head • Add value for your Ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
• Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • e.g. Finding blocks become templates for next report • Learn to talk “dev” Key Take Aways
Resources Exercises left to the student...
Orchestration • Integrate Security Tools and Workflow • Example: • Generic API for dynamic scanning • URL • Credentials • Profile • Call any Dynamic Scanner: • OWASP ZAP • BurpSuite • AppScan
Gauntlt ●Open source, MIT License ●Gauntlt comes with pre-canned steps that hook security testing tools ●Gauntlt does not install tools ●Gauntlt wants to be part of the CI/CD pipeline ●Be a good citizen of exit status and stdout/stderr http://gauntlt.org/
Tiaga • Project Management Software – focused on usability and speed ● Kanban / Scrum ● Backlog ● Tasks ● Sprints ● Issues ● Wiki • Open Source – Python / Django app • Entire functionality is driven by a REST API !! https://taiga.io/
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Defect Dojo DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. It attempts to streamline the testing process by offering features such as templating, report generation, metrics, and baseline self- service tools. Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. https://github.com/rackerlabs/django-DefectDojo
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Related Presentations ● AppSec EU 2015 – Ops Track Keynote ● Deck: http://www.slideshare.net/mtesauro/mtesauro- keynote-appseceu ● Video: https://www.youtube.com/watch?v=tDnyFitE0y4
Related Presentations ● AppSec EU 2015 – Building an AppSec Pipeline ● Deck: http://www.slideshare.net/weaveraaaron/building- an-appsec-pipeline-keeping-your-program-and- your-life-sane ● Video: https://www.youtube.com/watch?v=1CDSOSl4DQU
The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
Thank you ! Keep in touch @matt_tesauro matt.tesauro@owasp.org mtesauro@gmail.com /in/matttesauro github.com/mtesauro
Image References Henry Ford in a field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle
Image References Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-pr Phoenix Project Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now

More Related Content

What's hot (18)

ODP
Making security-agile matt-tesauro
Matt Tesauro
 
ODP
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
PDF
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
PDF
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
PDF
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
PDF
AppSec is Eating Security
Alex Stamos
 
ODP
DevOps, CLI, APIs, Oh My! Security Gone Agile
Matt Tesauro
 
PPTX
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
Gene Kim
 
PDF
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
NETWAYS
 
PDF
Security as Code: DOES15
Ed Bellis
 
PPTX
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Andreas Grabner
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Puppet
 
PPTX
How to explain DevOps to your mom
Andreas Grabner
 
PPTX
Where Testers & QA Fit in the Story of DevOps
QASymphony
 
PDF
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
Making security-agile matt-tesauro
Matt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
AppSec is Eating Security
Alex Stamos
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
Matt Tesauro
 
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
Gene Kim
 
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
NETWAYS
 
Security as Code: DOES15
Ed Bellis
 
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Andreas Grabner
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Puppet
 
How to explain DevOps to your mom
Andreas Grabner
 
Where Testers & QA Fit in the Story of DevOps
QASymphony
 
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 

Similar to Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest (20)

ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
PDF
AppSec in an Agile World
David Lindner
 
PPTX
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
PPTX
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
PPTX
Performance monitoring in a DevOps World
Solidify
 
PPTX
Continuous Performance Testing and Monitoring in Agile Development
Neotys
 
PPTX
Neev QA Offering
Neev Technologies
 
PDF
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
AppDynamics
 
PPTX
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
PPTX
Compliance Automation with Inspec Part 1
Chef
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
PPTX
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
PPTX
Keeping up with PHP
Zend by Rogue Wave Software
 
PDF
Chris Munns, DevOps @ Amazon: Microservices, 2 Pizza Teams, & 50 Million Depl...
TriNimbus
 
PPTX
SplunkLive! London 2016 Splunk for Devops
Splunk
 
PPT
The QA/Testing Process
Synerzip
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
PDF
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
PDF
Journey to the center of DevOps - v6
Venkat Janardhanam, MS, MBA
 
PDF
Preparing for DevOps
Eklove Mohan
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
AppSec in an Agile World
David Lindner
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Performance monitoring in a DevOps World
Solidify
 
Continuous Performance Testing and Monitoring in Agile Development
Neotys
 
Neev QA Offering
Neev Technologies
 
Monitoring and Instrumentation Strategies: Tips and Best Practices - AppSphere16
AppDynamics
 
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
Compliance Automation with Inspec Part 1
Chef
 
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
Keeping up with PHP
Zend by Rogue Wave Software
 
Chris Munns, DevOps @ Amazon: Microservices, 2 Pizza Teams, & 50 Million Depl...
TriNimbus
 
SplunkLive! London 2016 Splunk for Devops
Splunk
 
The QA/Testing Process
Synerzip
 
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Dinis Cruz
 
Journey to the center of DevOps - v6
Venkat Janardhanam, MS, MBA
 
Preparing for DevOps
Eklove Mohan
 
Ad

More from Matt Tesauro (11)

PDF
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
PDF
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
PDF
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
PDF
Landmines in the API Landscape
Matt Tesauro
 
PDF
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
PDF
Running FaaS with Scissors
Matt Tesauro
 
ODP
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
ODP
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro
 
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
Landmines in the API Landscape
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Running FaaS with Scissors
Matt Tesauro
 
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro
 
Ad

Recently uploaded (20)

PPTX
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PPTX
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
Shane Coughlan
 
PDF
MiniTool Partition Wizard 12.8 Crack License Key LATEST
hashhshs786
 
PDF
Automate Cybersecurity Tasks with Python
VICTOR MAESTRE RAMIREZ
 
PDF
Download Canva Pro 2025 PC Crack Full Latest Version
bashirkhan333g
 
PDF
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
PPTX
Homogeneity of Variance Test Options IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PPTX
Tally software_Introduction_Presentation
AditiBansal54083
 
PDF
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
PDF
vMix Pro 28.0.0.42 Download vMix Registration key Bundle
kulindacore
 
PDF
Wondershare PDFelement Pro Crack for MacOS New Version Latest 2025
bashirkhan333g
 
PDF
iTop VPN With Crack Lifetime Activation Key-CODE
utfefguu
 
PDF
Build It, Buy It, or Already Got It? Make Smarter Martech Decisions
bbedford2
 
PDF
The 5 Reasons for IT Maintenance - Arna Softech
Arna Softech
 
PPTX
Migrating Millions of Users with Debezium, Apache Kafka, and an Acyclic Synch...
MD Sayem Ahmed
 
PDF
SciPy 2025 - Packaging a Scientific Python Project
Henry Schreiner
 
PDF
Online Queue Management System for Public Service Offices in Nepal [Focused i...
Rishab Acharya
 
PPTX
Human Resources Information System (HRIS)
Amity University, Patna
 
PDF
HiHelloHR – Simplify HR Operations for Modern Workplaces
HiHelloHR
 
PDF
SAP Firmaya İade ABAB Kodları - ABAB ile yazılmıl hazır kod örneği
Salih Küçük
 
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...
Shane Coughlan
 
MiniTool Partition Wizard 12.8 Crack License Key LATEST
hashhshs786
 
Automate Cybersecurity Tasks with Python
VICTOR MAESTRE RAMIREZ
 
Download Canva Pro 2025 PC Crack Full Latest Version
bashirkhan333g
 
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
Homogeneity of Variance Test Options IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Tally software_Introduction_Presentation
AditiBansal54083
 
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
vMix Pro 28.0.0.42 Download vMix Registration key Bundle
kulindacore
 
Wondershare PDFelement Pro Crack for MacOS New Version Latest 2025
bashirkhan333g
 
iTop VPN With Crack Lifetime Activation Key-CODE
utfefguu
 
Build It, Buy It, or Already Got It? Make Smarter Martech Decisions
bbedford2
 
The 5 Reasons for IT Maintenance - Arna Softech
Arna Softech
 
Migrating Millions of Users with Debezium, Apache Kafka, and an Acyclic Synch...
MD Sayem Ahmed
 
SciPy 2025 - Packaging a Scientific Python Project
Henry Schreiner
 
Online Queue Management System for Public Service Offices in Nepal [Focused i...
Rishab Acharya
 
Human Resources Information System (HRIS)
Amity University, Patna
 
HiHelloHR – Simplify HR Operations for Modern Workplaces
HiHelloHR
 
SAP Firmaya İade ABAB Kodları - ABAB ile yazılmıl hazır kod örneği
Salih Küçük
 

Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest

  • 1. Building an Open Source AppSec Pipeline: Keeping your program, and your life, sane.
  • 2. 6 months with Pearson Senior Software Security Engineer Prior to Pearson ● Rackspace - Lead Engineer, Product Security ● AppSec consulting o VP Services, Praetorian o Consultant Trustwave’s Spiderlabs ● TEA - Senior Security Engineer ● DIR - Penetration Tester ● Texas A&M University o Systems Analyst, Sys Admin, Developer, DBA o Lecturer in MIS department ● Viatel - Internet App Developer Who am I?
  • 3. Other professional experience ● OWASP Live CD / OWASP WTE o Project lead 2008 to present o Over 300K downloads o http://appseclive.org ● OWASP Foundation Board of Directors o International charity focused on improving software security ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences ● Application Security Training internationally ● B.S. Economics, M.S. in MIS o Strong believer in the value of cross- discipline study Who am I?
  • 6. The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
  • 10. Key Features of AppSec Pipelines ● Designed for iterative improvement ● Provides a reusable path for AppSec activities to follow ● Provides a consistent process for both the team and our constituency ● One way flow with well-defined states ● Relies heavily on automation ● Has the ability to grow in functionality organically over time ● Gracefully interconnects with the development process
  • 11. Spending time optimizing anything other than the critical resource is an illusion.
  • 12. Key Goals of AppSec Pipelines • Optimize the critical resource - AppSec personnel ● Automate all the things that don’t require a human brain ● Drive up consistency ● Increase tracking of work status ● Increase flow through the system ● Increase visibility and metrics ● Reduce any dev team friction with application security
  • 13. Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
  • 14. Pipeline – the Middle ● Inbound request triage ● Ala Carte App Sec ● Dynamic Testing ● Static Testing ● Re-Testing mitigated findings ● Mix and match based on risk ● Key Concepts ● Activities can be run in parallel ● Automation on setup, configuration, data export ● People focus on customization rather than setup
  • 15. Pipeline – the End ● Source of truth for all AppSec activities ● ThreadFix is used to ● Dedup / Consolidate findings ● Normalize scanner data ● Generate Metrics ● Push issues to bug trackers ● Report and metrics automation ● REST + tfclient ● Source of many touch points with external teams
  • 16. Why we like AppSec Pipelines ● Allow us to have visibility into WIP ● Better understand/track/optimize flow of engagements ● Average static test takes ... ● Great increase in consistency ● Easier re-allocation of engagements between staff ● Each step has a well defined interface ● Knowing who has what allows for more informed “cost of switching” conversations ● Flexible enough for a range of skills and app maturity
  • 18. What does BoH do? • Manages our Application Security Program • Application Inventory/ Meta data Repository • Engagement Tracking • Report Repository • Comments on any application, engagement or activity • Data Classification and PII data • Time taken on secure software activities • Historical knowledge of past assessments • Credential repository • Environment details
  • 26. Security Tool Vendors: If I can do it with the UI, I want to do it with an API. - Matt Tesauro
  • 28. Your new command line where you have your conversations. Will Bot
  • 31. Threadfix Integration And more: • Create an Application • Get Summary Metrics for AppSec Program
  • 35. "I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
  • 36. I have not failed. I've just found 10,000 ways that won't work. - Thomas A. Edison
  • 37. Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues •ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
  • 38. For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and defect tracker APIs • Get management sold first
  • 39. Agent – one mole to rule them all •Add an agent to the standard deploy • Read-only helps sell to Ops • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor Mozilla MIG
  • 40. Turn Vuln scanning on its head • Add value for your Ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
  • 41. • Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • e.g. Finding blocks become templates for next report • Learn to talk “dev” Key Take Aways
  • 42. Resources Exercises left to the student...
  • 43. Orchestration • Integrate Security Tools and Workflow • Example: • Generic API for dynamic scanning • URL • Credentials • Profile • Call any Dynamic Scanner: • OWASP ZAP • BurpSuite • AppScan
  • 44. Gauntlt ●Open source, MIT License ●Gauntlt comes with pre-canned steps that hook security testing tools ●Gauntlt does not install tools ●Gauntlt wants to be part of the CI/CD pipeline ●Be a good citizen of exit status and stdout/stderr http://gauntlt.org/
  • 45. Tiaga • Project Management Software – focused on usability and speed ● Kanban / Scrum ● Backlog ● Tasks ● Sprints ● Issues ● Wiki • Open Source – Python / Django app • Entire functionality is driven by a REST API !! https://taiga.io/
  • 48. Defect Dojo DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. It attempts to streamline the testing process by offering features such as templating, report generation, metrics, and baseline self- service tools. Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. https://github.com/rackerlabs/django-DefectDojo
  • 50. Related Presentations ● AppSec EU 2015 – Ops Track Keynote ● Deck: http://www.slideshare.net/mtesauro/mtesauro- keynote-appseceu ● Video: https://www.youtube.com/watch?v=tDnyFitE0y4
  • 51. Related Presentations ● AppSec EU 2015 – Building an AppSec Pipeline ● Deck: http://www.slideshare.net/weaveraaaron/building- an-appsec-pipeline-keeping-your-program-and- your-life-sane ● Video: https://www.youtube.com/watch?v=1CDSOSl4DQU
  • 52. The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
  • 53. Thank you ! Keep in touch @matt_tesauro [email protected] [email protected] /in/matttesauro github.com/mtesauro
  • 54. Image References Henry Ford in a field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle
  • 55. Image References Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-pr Phoenix Project Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now