Abstract image of a woman sitting on books and studying on a laptop

Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better

M
Matt Tesauro

This document summarizes Matt Tesauro's presentation on improving application security (AppSec) through the use of AppSec pipelines and DevOps strategies. The key points are: 1. AppSec pipelines are designed to optimize AppSec personnel by automating tasks and increasing consistency, tracking, flow and visibility of work. This allows AppSec teams to focus on custom work rather than setup. 2. Integrating AppSec tools and workflows into development pipelines can help drive up consistency, reduce friction with developers, and increase the number of assessments an AppSec team can complete without increasing headcount. 3. Continual experimentation and optimizing the critical resource - in this case AppSec personnel - is important for

1 of 70
Downloaded 56 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
Taking AppSec to 11 AppSec Pipelines, DevOps, and Making Things Better. AppSec California 2016 Matt Tesauro, Infinitiv
Assembly Lines
The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
#1 - Workflow Look at your purpose and those processes which aid it
Timeline Business Operations Customer Flow [rate] – the speed work goes through the process Development
#1 Workflow First of the three ways - Each Step Repeatable - Never Pass on Defects - Local optimizations with a global view
AppSec Pipelines Figuring out your workflow
AppSec Pipelines
Key Features of AppSec Pipelines ◇ Designed for iterative improvement ◇ Provides a reusable path for AppSec activities to follow ◇ Provides a consistent process for both the team and our constituency ◇ One way flow with well-defined states ◇ Relies heavily on automation ◇ Grow in functionality organically over time ◇ Gracefully interconnects with the development process
Pearson AppSec Pipeline
Integrating into the DevOps Pipeline DevOps Pipeline AppSec Pipeline
“ Spending time optimizing anything other than the critical resource is an illusion. W. Edwards Deming
Key Goals of AppSec Pipelines ◇ Optimize the critical resource - AppSec personnel ■ Automate all the things that don’t require a human brain ■ Drive up consistency ■ Increase tracking of work status ■ Increase flow through the system ■ Increase visibility and metrics ■ Reduce any dev team friction with application security
Pipeline - Intake ◇ “First Impression” ◇ Major categories of Intake ■ Existing App ■ New App ■ Previously tested App ■ App to re-test findings ◇ Key Concepts ■ Ask for data about Apps only once ■ Have data reviewed when an App returns ■ Adapt data collected based on broad categories of Apps
Pipeline - Testing ◇ Inbound request triage ◇ Ala Carte App Sec ■ Dynamic Testing ■ Static Testing ■ Re-Testing mitigated findings ■ Mix and match based on risk ◇ Key Concepts ■ Activities can be run in parallel ■ Automation on setup, configuration, data export ◇ People focus on customization rather than setup
Pipeline - Testing ◇ Results from your CI/CD could flow into Threadfix from build Pipeline ◇ Gauntlt runs results could also flow into the AppSec Pipeline ◇ Choose the tools that make sense for you organization
Pipeline - Deliver ◇ Source of truth for all AppSec activities ◇ ThreadFix is used to ■ Dedup / Consolidate findings ■ Normalize scanner data ■ Generate Metrics ■ Push issues to bug trackers ◇ Report and metrics automation ■ REST + tfclient ◇ Source of many touch points with external teams
◇ Allow us to have visibility into WIP ◇ Better understand/track/optimize flow of engagements ◇ Average static test takes ... ◇ Great increase in consistency ◇ Easier re-allocation of engagements between staff ◇ Each step has a well defined interface ◇ Knowing who has what allows for more informed “cost of switching” conversations ◇ Flexible enough for a range of skills and app maturity Why we like AppSec Pipelines
~5x increase 2014 44 assessments 2015 ~200 assessments Changes from 2014 to 2015: - Created the AppSec Pipeline - initial launch in March 2015 - AppSec team numbers dropped - lost a couple of key people approx 3.5 FTEs - Two of the AppSec team members went meta for most of 2015
Bag of Holding aka BoH github.com/PearsonEducation/bag-of-holding
◇ Manages the Application Security Program ◇ Application Repository ◇ Engagement Tracking ◇ Report Repository ◇ Comments on any application, engagement or activity ◇ Data Classification and PII data ◇ Time taken on secure software activities ◇ Historical knowledge of past assessments ◇ Credential repository ◇ Environment details What does BoH do?
Scheduling of Secure Software Activities
Application Repository
Application Security Profile
Defect Dojo ◇ DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. ◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. ◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. ◇ https://github.com/rackerlabs/django-DefectDojo
Open yourself to upstream and downstream information #2 - Improve Feedback
AppSec ChatOps aka Will
Your command line where you have your conversations.
AppSec Help
AppSec Advice
Threadfix Integration And more: • Create an Application • Get Summary Metrics for AppSec Program
BOH/Threadfix/Static Integration Setup recurring static analysis in about 1 minute!
Create a culture of innovation and experimentation #3 - Continual Experimentation & Learning
“I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times.”
Dev & AppSec Tool Integration OWASP ZAP Proxy BuildManageCode Store RAPTOR Deploy OWASP ZAP Proxy *Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.
Demo Time A quick bit of show and tell...
Key Take Aways ◇ Automate, automate, automate ■ Look for “paper cuts” and fix those first ◇ Finding workflow – your AppSec Pipeline ■ Figure this out and standardize / optimize ◇ Create systems which can grow organically ■ App is never done, it’s just created to easily be added to over time ■ e.g. Finding blocks become templates for next report ◇ Learn to talk “dev”
Thanks! Matt Tesauro @matt_tesauro matt.tesauro@infinitiv.io matt.tesauro@owasp.org /in/matttesauro github.com/mtesauro
Resources Exercises left to the student
Orchestration ◇ Integrate Security Tools and Workflow Example: ◇ Generic API for dynamic scanning ■ URL ■ Credentials ■ Profile ■ Call any Dynamic Scanner: ○ OWASP ZAP ○ BurpSuite ○ AppScan
Gauntlt ◇ Open source, MIT License ◇ Gauntlt comes with pre-canned steps that hook security testing tools ◇ Gauntlt does not install tools ◇ Gauntlt wants to be part of the CI/CD pipeline ◇ Be a good citizen of exit status and stdout/stderr
Tiaga ◇ Project Management Software ■ Focused on usability and speed ■ Kanban / Scrum ■ Backlog ■ Tasks ■ Sprints ■ Issues ■ Wiki ◇ Open Source – Python / Django app ■ Entire functionality is driven by a REST API !! ■ https://taiga.io/
Defect Dojo ◇ DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. ◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. ◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. ◇ https://github.com/rackerlabs/django-DefectDojo
Experimentation Kick things up a notch
Findings directly to bug trackers ◇ PDFs are great, bugs are better ◇ Security issues are now part of the normal work flow ◇ ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
For the reticent: nag, nag, nag ◇ Attach a SLA to each severity level for findings ◇ Walk up the Org chart as things get older ◇ Bonus points for dashboards and defect tracker APIs ◇ Get management sold first
Agent – one mole to rule them all ◇ Add an agent to the standard deploy ◇ Add a dashboard to visualize state of infrastructure ◇ Roll your own or find a vendor Mozilla MIG
Turn Vuln Scanning on its Head ◇ Add value for your Ops teams ◇ Roll your own or find a vendor ◇ Reverse the scan then report standard
Related Presentations AppSec EU 2015 – Ops Track Keynote http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu https://www.youtube.com/watch?v=tDnyFitE0y4 AppSec EU 2015 – Building an AppSec Pipeline http://www.slideshare.net/weaveraaaron/building-an-appsec- pipeline-keeping-your-program-and-your-life-sane https://www.youtube.com/watch?v=1CDSOSl4DQU
Books to Read
#1 Workflow Each Step Repeatable ◇ Remove all haphazard and ad hoc work from the process ◇ Scripting languages are your friends ◇ Config Mgmt – Puppet, Chef, Salt, Ansible, CFEngine ◇ Make sure what you do can be done on 1 server or 10,000 servers
#1 Workflow Never Pass on Defects ◇ Test early and often ◇ Increase the rigor of testing as you work left to right ◇ When a failure occurs end that flow and start a new one after corrections ◇ The further right you are, the more expensive failure is so concentrate your early work on left side (intake) ◇ In AppSec, defects are false positives
#1 Workflow Local optimizations with a global view ◇ Ensure no single-step optimizations degrade the overall performance of the workflow ◇ Find the bottleneck in your workflow and start there ■ Upstream changes will just back things up ■ Downstream changes won't manifest since input is limited ◇ Each new optimization creates a new bottleneck ■ Iterate on this!
“ Spending time optimizing anything other than the critical resource is an illusion.
W. Edwards Deming
Japan's post-war miracle
Henry Ford in a field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the-assembly-line- ransom-e-olds-did/index.html W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle Image References
Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-program-and-your-life- sane Phoenix Project Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now Goes to 11: https://arturogalletti.files.wordpress.com/2010/12/spinaltap.jpg Image References
What’s this? This is a free presentation template for Google Slides designed by SlidesCarnival. We believe that good design serves to better communicate ideas, so we create free quality presentation templates for you to focus on the content. Enjoy them at will and share with us your results at: twitter.com/SlidesCarnival facebook.com/slidescarnival About this template How can I use it? Open this document in Google Slides (if you are at slidescarnival. com use the button below this presentation) You have to be signed in to your Google account ◇ Edit in Google Slides Go to the File menu and select Make a copy. You will get a copy of this document on your Google Drive and will be able to edit, add or delete slides. ◇ Edit in Microsoft PowerPoint® Go to the File menu and select Download as Microsoft PowerPoint. You will get a .pptx file that you can edit in PowerPoint. Remember to download and install the fonts used in this presentation (you’ll find the links to the font files needed in the Presentation design slide) This template is free to use under Creative Commons Attribution license. If you use the graphic assets (photos, icons and typographies) provided with this presentation you must keep the Credits slide.

More Related Content

ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
PDF
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
PDF
AppSec Pipelines and Event based Security
Matt Tesauro
 
PPTX
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
PPTX
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
ODP
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
ODP
Making security-agile matt-tesauro
Matt Tesauro
 
ODP
Building an Open Source AppSec Pipeline
Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
AppSec Pipelines and Event based Security
Matt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
Making security-agile matt-tesauro
Matt Tesauro
 
Building an Open Source AppSec Pipeline
Matt Tesauro
 

What's hot(20)

PDF
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
PDF
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
PDF
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
ODP
DevOps, CLI, APIs, Oh My! Security Gone Agile
Matt Tesauro
 
PDF
AppSec is Eating Security
Alex Stamos
 
PDF
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
PDF
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
PDF
Security as Code: DOES15
Ed Bellis
 
PDF
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
PDF
Automating OWASP Tests in your CI/CD
rkadayam
 
PDF
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
NETWAYS
 
PDF
Continuous Delivery in a Legacy Shop - One Step at a Time
Gene Gotimer
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Puppet
 
PDF
Merging Security with DevOps - An AppSec Perspective
Abhay Bhargav
 
PPTX
Where Testers & QA Fit in the Story of DevOps
QASymphony
 
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
Matt Tesauro
 
AppSec is Eating Security
Alex Stamos
 
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
Connect Ops and Security with Flexible Web App and API Protection
DevOps.com
 
Security as Code: DOES15
Ed Bellis
 
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
Automating OWASP Tests in your CI/CD
rkadayam
 
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
NETWAYS
 
Continuous Delivery in a Legacy Shop - One Step at a Time
Gene Gotimer
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Puppet
 
Merging Security with DevOps - An AppSec Perspective
Abhay Bhargav
 
Where Testers & QA Fit in the Story of DevOps
QASymphony
 

Similar to Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better(20)

PPT
DevOps Pipeline for Liferay Application
Maruti Gollapudi
 
PPTX
Agile & DevOps - It's all about project success
Adam Stephensen
 
PDF
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
PDF
DevOps Deconstructed
Jeremy Pullen
 
PDF
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
PDF
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
Steve Mercier
 
PPTX
DevOps with Microsoft Stack
Deepti Jain
 
PDF
DevOps Foundations
Amr Fawzy
 
PPTX
Testing in the new age of DevOps
Moataz Mahmoud
 
PPTX
Rapise Overview Presentation (2021)
Inflectra
 
PDF
Exercising and Scaling Up Mobile DevOps in the Enterprise
Bitbar
 
PPTX
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
PDF
Getting to Walk with DevOps
Eklove Mohan
 
PPTX
Harman deepak v - agile on steriod - dev ops led transformation
Xebia India
 
PDF
Forward5 Auxis VMware
Auxis Consulting & Outsourcing
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
PDF
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
AnikeyRoy
 
PPTX
SoCal DevOps Meetup 1/26/2017 - Habitat by Chef
Trevor Hess
 
PPTX
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
PDF
OpsWorks for Chef Automate - Auckland AWS
Matt Ray
 
DevOps Pipeline for Liferay Application
Maruti Gollapudi
 
Agile & DevOps - It's all about project success
Adam Stephensen
 
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
DevOps Deconstructed
Jeremy Pullen
 
DevSecOps: Bringing security to the DevOps pipeline
Aarno Aukia
 
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
Steve Mercier
 
DevOps with Microsoft Stack
Deepti Jain
 
DevOps Foundations
Amr Fawzy
 
Testing in the new age of DevOps
Moataz Mahmoud
 
Rapise Overview Presentation (2021)
Inflectra
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Bitbar
 
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
Getting to Walk with DevOps
Eklove Mohan
 
Harman deepak v - agile on steriod - dev ops led transformation
Xebia India
 
Forward5 Auxis VMware
Auxis Consulting & Outsourcing
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
AnikeyRoy
 
SoCal DevOps Meetup 1/26/2017 - Habitat by Chef
Trevor Hess
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
OpsWorks for Chef Automate - Auckland AWS
Matt Ray
 

More from Matt Tesauro(12)

PDF
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
PDF
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
PDF
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
PDF
Landmines in the API Landscape
Matt Tesauro
 
PDF
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
PDF
Running FaaS with Scissors
Matt Tesauro
 
ODP
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
ODP
Dev ops hackformers-matt-tesauro
Matt Tesauro
 
ODP
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
ODP
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro
 
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
Landmines in the API Landscape
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
Running FaaS with Scissors
Matt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
Dev ops hackformers-matt-tesauro
Matt Tesauro
 
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro
 

Recently uploaded(20)

PDF
Canva Desktop App With Crack Free Download 2025?
henryc1122g
 
PPTX
Hexagone difital twin solution in the desgining
aesdinhduong
 
PDF
SBOM Document Quality Guide - OpenChain SBOM Study Group
Shane Coughlan
 
PDF
OpenTimelineIO Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
PDF
Difference Between Website and Web Application.pdf
Secuodsoft
 
PPTX
SIH2024_IDEA_dy_dx_deepfakedetection.pptx
namiichan101108
 
PDF
Enscape 3D Crack + With 2025 Activation Key free
bobykhan786g
 
PPTX
UNIT II: Software design, software .pptx
SriSamyukthaSethuram
 
PDF
OpenColorIO Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
PDF
How to Write Automated Test Scripts Using Selenium.pdf
kalichargn70th171
 
PPT
chapter01_java_programming_object_oriented
mjmansoori54
 
PDF
WhatsApp Chatbots The Key to Scalable Customer Support.pdf
Quick Message
 
PPTX
SAP Business AI_L1 Overview_EXTERNAL.pptx
AAlam20
 
PDF
IObit Driver Booster Pro Crack Latest Version Download
henryc1122g
 
PPTX
Phoenix Marketo User Group: Building Nurtures that Work for Your Audience. An...
bbedford2
 
PPTX
opentower introduction and the digital twin
aesdinhduong
 
PDF
10 Mistakes Agile Project Managers Still Make
Sahil Aggarwal
 
PPTX
SQL introduction and commands, SQL joining
Rukhmanisahu5
 
PPTX
Independent Consultants’ Biggest Challenges in ERP Projects – and How Apagen ...
SatishKumar2651
 
PDF
Multiverse AI Review 2025_ The Ultimate All-in-One AI Platform.pdf
THEMESMO
 
Canva Desktop App With Crack Free Download 2025?
henryc1122g
 
Hexagone difital twin solution in the desgining
aesdinhduong
 
SBOM Document Quality Guide - OpenChain SBOM Study Group
Shane Coughlan
 
OpenTimelineIO Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
Difference Between Website and Web Application.pdf
Secuodsoft
 
SIH2024_IDEA_dy_dx_deepfakedetection.pptx
namiichan101108
 
Enscape 3D Crack + With 2025 Activation Key free
bobykhan786g
 
UNIT II: Software design, software .pptx
SriSamyukthaSethuram
 
OpenColorIO Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
How to Write Automated Test Scripts Using Selenium.pdf
kalichargn70th171
 
chapter01_java_programming_object_oriented
mjmansoori54
 
WhatsApp Chatbots The Key to Scalable Customer Support.pdf
Quick Message
 
SAP Business AI_L1 Overview_EXTERNAL.pptx
AAlam20
 
IObit Driver Booster Pro Crack Latest Version Download
henryc1122g
 
Phoenix Marketo User Group: Building Nurtures that Work for Your Audience. An...
bbedford2
 
opentower introduction and the digital twin
aesdinhduong
 
10 Mistakes Agile Project Managers Still Make
Sahil Aggarwal
 
SQL introduction and commands, SQL joining
Rukhmanisahu5
 
Independent Consultants’ Biggest Challenges in ERP Projects – and How Apagen ...
SatishKumar2651
 
Multiverse AI Review 2025_ The Ultimate All-in-One AI Platform.pdf
THEMESMO
 

Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better

  • 1.
    Taking AppSec to11 AppSec Pipelines, DevOps, and Making Things Better. AppSec California 2016 Matt Tesauro, Infinitiv
  • 3.
  • 5.
    The Phoenix Project 3 Waysof DevOps Strategies for Improving Operations
  • 6.
    #1 - Workflow Lookat your purpose and those processes which aid it
  • 7.
    Timeline Business Operations Customer Flow[rate] – the speed work goes through the process Development
  • 8.
    #1 Workflow First ofthe three ways - Each Step Repeatable - Never Pass on Defects - Local optimizations with a global view
  • 9.
  • 11.
  • 13.
    Key Features of AppSecPipelines ◇ Designed for iterative improvement ◇ Provides a reusable path for AppSec activities to follow ◇ Provides a consistent process for both the team and our constituency ◇ One way flow with well-defined states ◇ Relies heavily on automation ◇ Grow in functionality organically over time ◇ Gracefully interconnects with the development process
  • 14.
  • 15.
    Integrating into theDevOps Pipeline DevOps Pipeline AppSec Pipeline
  • 16.
    “ Spending time optimizing anything otherthan the critical resource is an illusion. W. Edwards Deming
  • 17.
    Key Goals of AppSecPipelines ◇ Optimize the critical resource - AppSec personnel ■ Automate all the things that don’t require a human brain ■ Drive up consistency ■ Increase tracking of work status ■ Increase flow through the system ■ Increase visibility and metrics ■ Reduce any dev team friction with application security
  • 18.
    Pipeline - Intake ◇“First Impression” ◇ Major categories of Intake ■ Existing App ■ New App ■ Previously tested App ■ App to re-test findings ◇ Key Concepts ■ Ask for data about Apps only once ■ Have data reviewed when an App returns ■ Adapt data collected based on broad categories of Apps
  • 19.
    Pipeline - Testing ◇Inbound request triage ◇ Ala Carte App Sec ■ Dynamic Testing ■ Static Testing ■ Re-Testing mitigated findings ■ Mix and match based on risk ◇ Key Concepts ■ Activities can be run in parallel ■ Automation on setup, configuration, data export ◇ People focus on customization rather than setup
  • 20.
    Pipeline - Testing ◇Results from your CI/CD could flow into Threadfix from build Pipeline ◇ Gauntlt runs results could also flow into the AppSec Pipeline ◇ Choose the tools that make sense for you organization
  • 21.
    Pipeline - Deliver ◇Source of truth for all AppSec activities ◇ ThreadFix is used to ■ Dedup / Consolidate findings ■ Normalize scanner data ■ Generate Metrics ■ Push issues to bug trackers ◇ Report and metrics automation ■ REST + tfclient ◇ Source of many touch points with external teams
  • 22.
    ◇ Allow usto have visibility into WIP ◇ Better understand/track/optimize flow of engagements ◇ Average static test takes ... ◇ Great increase in consistency ◇ Easier re-allocation of engagements between staff ◇ Each step has a well defined interface ◇ Knowing who has what allows for more informed “cost of switching” conversations ◇ Flexible enough for a range of skills and app maturity Why we like AppSec Pipelines
  • 23.
    ~5x increase 2014 44 assessments 2015 ~200assessments Changes from 2014 to 2015: - Created the AppSec Pipeline - initial launch in March 2015 - AppSec team numbers dropped - lost a couple of key people approx 3.5 FTEs - Two of the AppSec team members went meta for most of 2015
  • 24.
    Bag of Holding akaBoH github.com/PearsonEducation/bag-of-holding
  • 25.
    ◇ Manages theApplication Security Program ◇ Application Repository ◇ Engagement Tracking ◇ Report Repository ◇ Comments on any application, engagement or activity ◇ Data Classification and PII data ◇ Time taken on secure software activities ◇ Historical knowledge of past assessments ◇ Credential repository ◇ Environment details What does BoH do?
  • 26.
  • 27.
  • 28.
  • 29.
    Defect Dojo ◇ DefectDojois a tool created by the Security Engineering team at Rackspace to track testing efforts. ◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. ◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. ◇ https://github.com/rackerlabs/django-DefectDojo
  • 31.
    Open yourself toupstream and downstream information #2 - Improve Feedback
  • 33.
  • 34.
    Your command linewhere you have your conversations.
  • 35.
  • 36.
  • 37.
    Threadfix Integration And more: •Create an Application • Get Summary Metrics for AppSec Program
  • 38.
  • 39.
    Create a cultureof innovation and experimentation #3 - Continual Experimentation & Learning
  • 41.
    “I fear notthe man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times.”
  • 43.
    Dev & AppSecTool Integration OWASP ZAP Proxy BuildManageCode Store RAPTOR Deploy OWASP ZAP Proxy *Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.
  • 44.
    Demo Time A quickbit of show and tell...
  • 45.
    Key Take Aways ◇Automate, automate, automate ■ Look for “paper cuts” and fix those first ◇ Finding workflow – your AppSec Pipeline ■ Figure this out and standardize / optimize ◇ Create systems which can grow organically ■ App is never done, it’s just created to easily be added to over time ■ e.g. Finding blocks become templates for next report ◇ Learn to talk “dev”
  • 46.
  • 47.
  • 48.
    Orchestration ◇ Integrate SecurityTools and Workflow Example: ◇ Generic API for dynamic scanning ■ URL ■ Credentials ■ Profile ■ Call any Dynamic Scanner: ○ OWASP ZAP ○ BurpSuite ○ AppScan
  • 49.
    Gauntlt ◇ Open source,MIT License ◇ Gauntlt comes with pre-canned steps that hook security testing tools ◇ Gauntlt does not install tools ◇ Gauntlt wants to be part of the CI/CD pipeline ◇ Be a good citizen of exit status and stdout/stderr
  • 50.
    Tiaga ◇ Project ManagementSoftware ■ Focused on usability and speed ■ Kanban / Scrum ■ Backlog ■ Tasks ■ Sprints ■ Issues ■ Wiki ◇ Open Source – Python / Django app ■ Entire functionality is driven by a REST API !! ■ https://taiga.io/
  • 53.
    Defect Dojo ◇ DefectDojois a tool created by the Security Engineering team at Rackspace to track testing efforts. ◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. ◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. ◇ https://github.com/rackerlabs/django-DefectDojo
  • 55.
  • 56.
    Findings directly to bugtrackers ◇ PDFs are great, bugs are better ◇ Security issues are now part of the normal work flow ◇ ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
  • 57.
    For the reticent:nag, nag, nag ◇ Attach a SLA to each severity level for findings ◇ Walk up the Org chart as things get older ◇ Bonus points for dashboards and defect tracker APIs ◇ Get management sold first
  • 58.
    Agent – onemole to rule them all ◇ Add an agent to the standard deploy ◇ Add a dashboard to visualize state of infrastructure ◇ Roll your own or find a vendor Mozilla MIG
  • 59.
    Turn Vuln Scanningon its Head ◇ Add value for your Ops teams ◇ Roll your own or find a vendor ◇ Reverse the scan then report standard
  • 60.
    Related Presentations AppSec EU2015 – Ops Track Keynote http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu https://www.youtube.com/watch?v=tDnyFitE0y4 AppSec EU 2015 – Building an AppSec Pipeline http://www.slideshare.net/weaveraaaron/building-an-appsec- pipeline-keeping-your-program-and-your-life-sane https://www.youtube.com/watch?v=1CDSOSl4DQU
  • 61.
  • 62.
    #1 Workflow Each StepRepeatable ◇ Remove all haphazard and ad hoc work from the process ◇ Scripting languages are your friends ◇ Config Mgmt – Puppet, Chef, Salt, Ansible, CFEngine ◇ Make sure what you do can be done on 1 server or 10,000 servers
  • 63.
    #1 Workflow Never Passon Defects ◇ Test early and often ◇ Increase the rigor of testing as you work left to right ◇ When a failure occurs end that flow and start a new one after corrections ◇ The further right you are, the more expensive failure is so concentrate your early work on left side (intake) ◇ In AppSec, defects are false positives
  • 64.
    #1 Workflow Local optimizationswith a global view ◇ Ensure no single-step optimizations degrade the overall performance of the workflow ◇ Find the bottleneck in your workflow and start there ■ Upstream changes will just back things up ■ Downstream changes won't manifest since input is limited ◇ Each new optimization creates a new bottleneck ■ Iterate on this!
  • 65.
    “ Spending time optimizing anything otherthan the critical resource is an illusion.
  • 66.
  • 67.
  • 68.
    Henry Ford ina field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the-assembly-line- ransom-e-olds-did/index.html W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle Image References
  • 69.
    Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-program-and-your-life- sane PhoenixProject Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now Goes to 11: https://arturogalletti.files.wordpress.com/2010/12/spinaltap.jpg Image References
  • 70.
    What’s this? This isa free presentation template for Google Slides designed by SlidesCarnival. We believe that good design serves to better communicate ideas, so we create free quality presentation templates for you to focus on the content. Enjoy them at will and share with us your results at: twitter.com/SlidesCarnival facebook.com/slidescarnival About this template How can I use it? Open this document in Google Slides (if you are at slidescarnival. com use the button below this presentation) You have to be signed in to your Google account ◇ Edit in Google Slides Go to the File menu and select Make a copy. You will get a copy of this document on your Google Drive and will be able to edit, add or delete slides. ◇ Edit in Microsoft PowerPoint® Go to the File menu and select Download as Microsoft PowerPoint. You will get a .pptx file that you can edit in PowerPoint. Remember to download and install the fonts used in this presentation (you’ll find the links to the font files needed in the Presentation design slide) This template is free to use under Creative Commons Attribution license. If you use the graphic assets (photos, icons and typographies) provided with this presentation you must keep the Credits slide.