SlideShare a Scribd company logo

Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest

M
Matt Tesauro

The document outlines the development of an open-source application security (AppSec) pipeline designed to optimize security processes while integrating with existing development workflows. Key features include automation, iterative improvement, and a well-defined process that enhances visibility and communication among development and security teams. Tools mentioned, such as ThreadFix and Gauntlt, aim to streamline testing, reporting, and issue management to reduce friction in application security practices.

Software
1 of 55
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Building an Open Source AppSec Pipeline: Keeping your program, and your life, sane.
6 months with Pearson Senior Software Security Engineer Prior to Pearson ● Rackspace - Lead Engineer, Product Security ● AppSec consulting o VP Services, Praetorian o Consultant Trustwave’s Spiderlabs ● TEA - Senior Security Engineer ● DIR - Penetration Tester ● Texas A&M University o Systems Analyst, Sys Admin, Developer, DBA o Lecturer in MIS department ● Viatel - Internet App Developer Who am I?
Other professional experience ● OWASP Live CD / OWASP WTE o Project lead 2008 to present o Over 300K downloads o http://appseclive.org ● OWASP Foundation Board of Directors o International charity focused on improving software security ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences ● Application Security Training internationally ● B.S. Economics, M.S. in MIS o Strong believer in the value of cross- discipline study Who am I?
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Assembly Lines...
The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
AppSec Pipelines Figuring out your workflow
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Our AppSec Pipeline
Key Features of AppSec Pipelines ● Designed for iterative improvement ● Provides a reusable path for AppSec activities to follow ● Provides a consistent process for both the team and our constituency ● One way flow with well-defined states ● Relies heavily on automation ● Has the ability to grow in functionality organically over time ● Gracefully interconnects with the development process
Spending time optimizing anything other than the critical resource is an illusion.
Key Goals of AppSec Pipelines • Optimize the critical resource - AppSec personnel ● Automate all the things that don’t require a human brain ● Drive up consistency ● Increase tracking of work status ● Increase flow through the system ● Increase visibility and metrics ● Reduce any dev team friction with application security
Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
Pipeline – the Middle ● Inbound request triage ● Ala Carte App Sec ● Dynamic Testing ● Static Testing ● Re-Testing mitigated findings ● Mix and match based on risk ● Key Concepts ● Activities can be run in parallel ● Automation on setup, configuration, data export ● People focus on customization rather than setup
Pipeline – the End ● Source of truth for all AppSec activities ● ThreadFix is used to ● Dedup / Consolidate findings ● Normalize scanner data ● Generate Metrics ● Push issues to bug trackers ● Report and metrics automation ● REST + tfclient ● Source of many touch points with external teams
Why we like AppSec Pipelines ● Allow us to have visibility into WIP ● Better understand/track/optimize flow of engagements ● Average static test takes ... ● Great increase in consistency ● Easier re-allocation of engagements between staff ● Each step has a well defined interface ● Knowing who has what allows for more informed “cost of switching” conversations ● Flexible enough for a range of skills and app maturity
Bag of Holding aka BOH
What does BoH do? • Manages our Application Security Program • Application Inventory/ Meta data Repository • Engagement Tracking • Report Repository • Comments on any application, engagement or activity • Data Classification and PII data • Time taken on secure software activities • Historical knowledge of past assessments • Credential repository • Environment details
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
AppSec ChatOps aka Will
Security Tool Vendors: If I can do it with the UI, I want to do it with an API. - Matt Tesauro
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Your new command line where you have your conversations. Will Bot
AppSec Help
AppSec Advice
Threadfix Integration And more: • Create an Application • Get Summary Metrics for AppSec Program
BOH/Threadfix/Static Integration Setup recurring static analysis in about 1 minute!
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Experimentation kick things up a notch
"I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
I have not failed. I've just found 10,000 ways that won't work. - Thomas A. Edison
Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues •ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and defect tracker APIs • Get management sold first
Agent – one mole to rule them all •Add an agent to the standard deploy • Read-only helps sell to Ops • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor Mozilla MIG
Turn Vuln scanning on its head • Add value for your Ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
• Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • e.g. Finding blocks become templates for next report • Learn to talk “dev” Key Take Aways
Resources Exercises left to the student...
Orchestration • Integrate Security Tools and Workflow • Example: • Generic API for dynamic scanning • URL • Credentials • Profile • Call any Dynamic Scanner: • OWASP ZAP • BurpSuite • AppScan
Gauntlt ●Open source, MIT License ●Gauntlt comes with pre-canned steps that hook security testing tools ●Gauntlt does not install tools ●Gauntlt wants to be part of the CI/CD pipeline ●Be a good citizen of exit status and stdout/stderr http://gauntlt.org/
Tiaga • Project Management Software – focused on usability and speed ● Kanban / Scrum ● Backlog ● Tasks ● Sprints ● Issues ● Wiki • Open Source – Python / Django app • Entire functionality is driven by a REST API !! https://taiga.io/
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Defect Dojo DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. It attempts to streamline the testing process by offering features such as templating, report generation, metrics, and baseline self- service tools. Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. https://github.com/rackerlabs/django-DefectDojo
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Related Presentations ● AppSec EU 2015 – Ops Track Keynote ● Deck: http://www.slideshare.net/mtesauro/mtesauro- keynote-appseceu ● Video: https://www.youtube.com/watch?v=tDnyFitE0y4
Related Presentations ● AppSec EU 2015 – Building an AppSec Pipeline ● Deck: http://www.slideshare.net/weaveraaaron/building- an-appsec-pipeline-keeping-your-program-and- your-life-sane ● Video: https://www.youtube.com/watch?v=1CDSOSl4DQU
The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
Thank you ! Keep in touch @matt_tesauro matt.tesauro@owasp.org mtesauro@gmail.com /in/matttesauro github.com/mtesauro
Image References Henry Ford in a field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle
Image References Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-pr Phoenix Project Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now

More Related Content

PDF
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
PPTX
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
PDF
AppSec Pipelines and Event based Security
Matt Tesauro
 
ODP
Building an Open Source AppSec Pipeline
Matt Tesauro
 
ODP
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
ODP
Dev ops hackformers-matt-tesauro
Matt Tesauro
 
PPTX
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
PDF
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Matt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Matt Tesauro
 
AppSec Pipelines and Event based Security
Matt Tesauro
 
Building an Open Source AppSec Pipeline
Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt Tesauro
 
Dev ops hackformers-matt-tesauro
Matt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Matt Tesauro
 

What's hot (18)

ODP
Making security-agile matt-tesauro
Matt Tesauro
 
ODP
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
PDF
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
PDF
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
PDF
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
PDF
AppSec is Eating Security
Alex Stamos
 
ODP
DevOps, CLI, APIs, Oh My! Security Gone Agile
Matt Tesauro
 
PPTX
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
Gene Kim
 
PDF
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
NETWAYS
 
PDF
Security as Code: DOES15
Ed Bellis
 
PPTX
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Andreas Grabner
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Puppet
 
PPTX
How to explain DevOps to your mom
Andreas Grabner
 
PPTX
Where Testers & QA Fit in the Story of DevOps
QASymphony
 
PDF
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
Making security-agile matt-tesauro
Matt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
Matt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
AppSec is Eating Security
Alex Stamos
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
Matt Tesauro
 
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
Gene Kim
 
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
NETWAYS
 
Security as Code: DOES15
Ed Bellis
 
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Andreas Grabner
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Puppet
 
How to explain DevOps to your mom
Andreas Grabner
 
Where Testers & QA Fit in the Story of DevOps
QASymphony
 
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
Ad

Similar to Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest (20)

PDF
AppSec in an Agile World
David Lindner
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
PPTX
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Drew Malone
 
ODP
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
PROIDEA
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
PDF
App sec and quality london - may 2016 - v0.5
Dinis Cruz
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
PDF
ProdSec: A Technical Approach
Jeremy Brown
 
PPTX
Application Security from the Inside Out
Ulisses Albuquerque
 
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
PPTX
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
PDF
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
PPTX
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
PDF
Year Zero
leifdreizler
 
PPTX
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi
 
PPTX
Building an AppSec Program From the Ground Up: An Honest Retrospective
jtmelton
 
PPTX
Application Security within Agile
Netlight Consulting
 
PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
Rich Mills
 
AppSec in an Agile World
David Lindner
 
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Drew Malone
 
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
PROIDEA
 
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
App sec and quality london - may 2016 - v0.5
Dinis Cruz
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
ProdSec: A Technical Approach
Jeremy Brown
 
Application Security from the Inside Out
Ulisses Albuquerque
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
Year Zero
leifdreizler
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi
 
Building an AppSec Program From the Ground Up: An Honest Retrospective
jtmelton
 
Application Security within Agile
Netlight Consulting
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
Rich Mills
 
Ad

More from Matt Tesauro (11)

PDF
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
PDF
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
PDF
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
PDF
Landmines in the API Landscape
Matt Tesauro
 
PDF
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
PDF
Running FaaS with Scissors
Matt Tesauro
 
ODP
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
ODP
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro
 
DefectDojo at Global AppSec San Fran 2024
Matt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Matt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
Landmines in the API Landscape
Matt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
Matt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Running FaaS with Scissors
Matt Tesauro
 
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Matt Tesauro
 

Recently uploaded (20)

PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Introduction Database Management System for Course Database
ReinertYosua
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 

Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest

  • 1. Building an Open Source AppSec Pipeline: Keeping your program, and your life, sane.
  • 2. 6 months with Pearson Senior Software Security Engineer Prior to Pearson ● Rackspace - Lead Engineer, Product Security ● AppSec consulting o VP Services, Praetorian o Consultant Trustwave’s Spiderlabs ● TEA - Senior Security Engineer ● DIR - Penetration Tester ● Texas A&M University o Systems Analyst, Sys Admin, Developer, DBA o Lecturer in MIS department ● Viatel - Internet App Developer Who am I?
  • 3. Other professional experience ● OWASP Live CD / OWASP WTE o Project lead 2008 to present o Over 300K downloads o http://appseclive.org ● OWASP Foundation Board of Directors o International charity focused on improving software security ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences ● Application Security Training internationally ● B.S. Economics, M.S. in MIS o Strong believer in the value of cross- discipline study Who am I?
  • 6. The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
  • 10. Key Features of AppSec Pipelines ● Designed for iterative improvement ● Provides a reusable path for AppSec activities to follow ● Provides a consistent process for both the team and our constituency ● One way flow with well-defined states ● Relies heavily on automation ● Has the ability to grow in functionality organically over time ● Gracefully interconnects with the development process
  • 11. Spending time optimizing anything other than the critical resource is an illusion.
  • 12. Key Goals of AppSec Pipelines • Optimize the critical resource - AppSec personnel ● Automate all the things that don’t require a human brain ● Drive up consistency ● Increase tracking of work status ● Increase flow through the system ● Increase visibility and metrics ● Reduce any dev team friction with application security
  • 13. Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
  • 14. Pipeline – the Middle ● Inbound request triage ● Ala Carte App Sec ● Dynamic Testing ● Static Testing ● Re-Testing mitigated findings ● Mix and match based on risk ● Key Concepts ● Activities can be run in parallel ● Automation on setup, configuration, data export ● People focus on customization rather than setup
  • 15. Pipeline – the End ● Source of truth for all AppSec activities ● ThreadFix is used to ● Dedup / Consolidate findings ● Normalize scanner data ● Generate Metrics ● Push issues to bug trackers ● Report and metrics automation ● REST + tfclient ● Source of many touch points with external teams
  • 16. Why we like AppSec Pipelines ● Allow us to have visibility into WIP ● Better understand/track/optimize flow of engagements ● Average static test takes ... ● Great increase in consistency ● Easier re-allocation of engagements between staff ● Each step has a well defined interface ● Knowing who has what allows for more informed “cost of switching” conversations ● Flexible enough for a range of skills and app maturity
  • 18. What does BoH do? • Manages our Application Security Program • Application Inventory/ Meta data Repository • Engagement Tracking • Report Repository • Comments on any application, engagement or activity • Data Classification and PII data • Time taken on secure software activities • Historical knowledge of past assessments • Credential repository • Environment details
  • 26. Security Tool Vendors: If I can do it with the UI, I want to do it with an API. - Matt Tesauro
  • 28. Your new command line where you have your conversations. Will Bot
  • 31. Threadfix Integration And more: • Create an Application • Get Summary Metrics for AppSec Program
  • 35. "I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
  • 36. I have not failed. I've just found 10,000 ways that won't work. - Thomas A. Edison
  • 37. Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues •ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
  • 38. For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and defect tracker APIs • Get management sold first
  • 39. Agent – one mole to rule them all •Add an agent to the standard deploy • Read-only helps sell to Ops • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor Mozilla MIG
  • 40. Turn Vuln scanning on its head • Add value for your Ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
  • 41. • Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • e.g. Finding blocks become templates for next report • Learn to talk “dev” Key Take Aways
  • 42. Resources Exercises left to the student...
  • 43. Orchestration • Integrate Security Tools and Workflow • Example: • Generic API for dynamic scanning • URL • Credentials • Profile • Call any Dynamic Scanner: • OWASP ZAP • BurpSuite • AppScan
  • 44. Gauntlt ●Open source, MIT License ●Gauntlt comes with pre-canned steps that hook security testing tools ●Gauntlt does not install tools ●Gauntlt wants to be part of the CI/CD pipeline ●Be a good citizen of exit status and stdout/stderr http://gauntlt.org/
  • 45. Tiaga • Project Management Software – focused on usability and speed ● Kanban / Scrum ● Backlog ● Tasks ● Sprints ● Issues ● Wiki • Open Source – Python / Django app • Entire functionality is driven by a REST API !! https://taiga.io/
  • 48. Defect Dojo DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. It attempts to streamline the testing process by offering features such as templating, report generation, metrics, and baseline self- service tools. Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. https://github.com/rackerlabs/django-DefectDojo
  • 50. Related Presentations ● AppSec EU 2015 – Ops Track Keynote ● Deck: http://www.slideshare.net/mtesauro/mtesauro- keynote-appseceu ● Video: https://www.youtube.com/watch?v=tDnyFitE0y4
  • 51. Related Presentations ● AppSec EU 2015 – Building an AppSec Pipeline ● Deck: http://www.slideshare.net/weaveraaaron/building- an-appsec-pipeline-keeping-your-program-and- your-life-sane ● Video: https://www.youtube.com/watch?v=1CDSOSl4DQU
  • 52. The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
  • 53. Thank you ! Keep in touch @matt_tesauro matt.tesauro@owasp.org mtesauro@gmail.com /in/matttesauro github.com/mtesauro
  • 54. Image References Henry Ford in a field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle
  • 55. Image References Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-pr Phoenix Project Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now