View
204
Download
3
Category
Preview:
Citation preview
AppSec++Taking the best of Agile, DevOps, and CI/CD into your AppSec Program
AppSec++Taking the best of Agile, DevOps, and CI/CD into your AppSec Program
Matt Tesauromatt.tesauro@owasp.org
Hello!
I am Matt TesauroI think AppSec needs to changeAnd I’m going to tell you how
matt.tesauro@owasp.org / @matt_tesauro
Custom Coachwork and Bespoke AppSec
Who is This Guy?
The Phoenix Project 3 Ways of DevOps
#1 WorkflowLook at your purpose and those
processes which aid it
AppSec Pipelines
Using CI/CD as inspiration, figure out your AppSec workflow
Custom Made
With finiteOptions
Key Features of AppSec Pipelines
◈Designed for iterative improvement ◈Provides a reusable path for AppSec activities to follow
◈Provides a consistent process for both the team and our constituency
◈One way flow with well-defined states◈Relies heavily on automation◈Grow in functionality organically over time
◈Gracefully interconnects with the development process
Pearson’sAppSecPipeline
DevOps Pipeline AppSec Pipeline
Pearson’sAppSecPipeline
“Spending time optimizing anything other than the critical resource is an illusion.
W. Edwards Deming
Key Goals of AppSec Pipelines
◈Optimize the critical resource - AppSec personnel
Automate the things that don’t require a human brain
Drive up consistencyIncrease tracking of work statusIncrease flow through the systemIncrease visibility and metricsReduce any dev team friction with application
security
Why we like AppSec Pipelines
◈Allow us to have visibility into WIPBetter understand/track/optimize flow of
engagementsAverage static test takes ...
◈Great increase in consistencyEach step has a well defined interface
◈Easier moving of engagements between staff
Knowing who has what allows for more informed “cost of switching” conversations
◈Flexible enough for a range of skills and app maturity
What can an AppSec Pipeline
do for you?
2014◈44 assessments
~5x increase2015
◈~200 assessments
Changes from 2014 to 2015:- Created the AppSec Pipeline - initial launch in March 2015- AppSec team numbers dropped - lost a couple of key people approx
3.5 FTEs- Two of the AppSec team members went meta for most of 2015
#2 Improve Feedback
Open yourself up to upstream and downstream information
A call to action...
AppSec Chat Ops
Making chat the way you do security
Advice for Devs - 24x7
FYI: You’re being attacked
CAMS / CALMS◈Culture, Automation, Measurement, Sharing
CALMS = CAMS + Lean
◈Measurement = Metrics => Visibility◈Automate the drudgery
Allows meaningful personal interactions
◈What would you want if you were the dev you’re talking to?
#3 Continual Experimentation
and learningCreate a culture of innovation
and experimentation
What’s next?Experiments in AppSec
Pipelines
Weaponizing Jenkins◈ Zero false positives
Anaphylactic shock
◈ Health Checks vs ScanningRun these all the time
◈ Home of specific issue testsFind a vuln, write a test
◈ Cadence for longer running testsThese NEVER break the buildEvery X builds or every Y days
Scaling withDocker Containers
docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
Docker Security Tool Launch(python, Go)
ZAP
Nikto
Return ZAP IP
Run Scan, Push Results to S3
Benefits◈ Effectively Scales
◈ Build security tools once, run anywhere
◈ Ease of deployment
Pull in or scale out, your choice
Pull in Docker containersto your build server
ZAP
Nikto
Scale out to Docker SwarmZAP
Nikto
AppSec Pipeline for Open Source
Jenkins Pipeline
Pipeline as Code
OWASP’s AppSec Pipeline for Projects
◈Create an AppSec Pipeline of OWASP Projects to assess OWASP Projects
Use OWASP Zap to scan OWASP Security Shepherd and store the results in OWASP Defect Dojo
Thanks!
Any questions?Aaron Weaver@weavera
aaron.weaver@owasp.org
/in/aweaver
github.com/aaronweaver
Matt Tesauro@matt_tesauro
matt.tesauro@owasp.org
/in/matttesauro
github.com/mtesauro
Credits
Special thanks to all the people who made and released these awesome resources for free:◈ Presentation template by SlidesCarnival◈ Photographs by Unsplash◈ Backgrounds by SubtlePatterns
Presentation design
This presentations uses the following typographies and colors:◈ Titles: Playfair Display◈ Body copy: Droid Sans
You can download the fonts on this page:https://www.google.com/fonts#UsePlace:use/Collection:Droid+Sans:400,700|Playfair+Display:400,700,400italic,700italicClick on the “arrow button” that appears on the top right
◈ Yellow #ffd900◈ Light gray #f3f3f3◈ Black #000000
You don’t need to keep this slide in your presentation. It’s only here to serve you as a design guide if you need to create new slides or download the fonts to edit the presentation in PowerPoint®
SlidesCarnival icons are editable shapes.
This means that you can:● Resize them without losing
quality.● Change line color, width and
style.
Isn’t that nice? :)
Examples:
Now you can use any emoji as an icon!And of course it resizes without losing quality and you can change the color.
How? Follow Google instructions https://twitter.com/googledocs/status/730087240156643328
✋👆👉👍👤👦👧👨👩👪💃❤😂😉😋😒😭 😸🏃💑 👶 🐟🍒
🍔💣📌📖🔨🎃🎈🎨🏈🏰🌏🔌🔑 and many more...
��
Recommended