Taking the Best of Agile, DevOps and CI/CD into security
- 1. Taking the Best of Agile, DevOps and CI/CD Into Security Matt Tesauro matt.tesauro@10Security.com
- 2. Hello! I am Matt Tesauro I think AppSec needs to evolve And I am going to tell you how You can find me at @matt_tesauro
- 3. Custom Coachwork and Bespoke AppSec 0
- 4. Who is this guy?
- 5. The Phoenix Project 3 Ways of DevOps
- 6. #1 Workflow Look at your purpose and those processes which aid it 1
- 7. AppSec Pipelines Using CI/CD as inspiration, figure out your AppSec workflow.
- 8. Custom Made (with finite options)
- 9. Custom Made (with finite options)
- 10. Key Features of AppSec Pipelines ▪ Designed for iterative improvement ▪ Provides a reusable path for AppSec activities to follow ▪ Provides a consistent process for both the team and our constituency ▪ One way flow with well-defined states ▪ Relies heavily on automation ▪ Grows organically over time ▪ Gracefully interconnects with the development process
- 13. “Spending time optimizing anything other than the critical resource is an illusion. W. Edwards Deming
- 14. Optimize the critical resource - AppSec Personnel ▪ Automate the things that don’t require a human brain ▪ Drive up consistency ▪ Increase tracking of work status ▪ Increase flow through the system ▪ Increase visibility and metrics ▪ Reduce dev team friction Key Goals of AppSec Pipelines
- 15. Why choose an AppSec Pipeline? Allows us to have visibility into WIP ▪ Better understand/track/optimize flow ▪ Average SAST engagement takes… Great increase in consistency ▪ Each step has a well defined interface Easier moving activities between staff ▪ Informed for “switching costs” convos Flexible enough for a range of skills and DevOps maturity
- 16. What can an AppSec Pipeline do for you?
- 17. Real world AppSec Pipeline Stats
- 18. AppSec Pipeline + DefectDojo
- 19. 840.91% Percentage Increase from 2014 to 2016
- 20. #2 Improve Feedback Open yourself up to upstream and downstream information 2
- 21. A call to action
- 22. AppSec Chat Ops Making chat the way you do security
- 23. Developer Advice - 24 x 7
- 24. Or let you know you’re being attacke
- 25. Get notifications when you want and how you want
- 26. CAMS / CALMS Culture, Automation, Measurement, Sharing ▪ CALMS = CAMS + Lean Measurement = Metrics => Visibility Automate the drudgery ▪ Allows meaningful personal interactions What would you want if you were the dev you’re talking to?
- 27. #3 Continual Experimentation and Learning Create a culture of innovation and experimentation 3
- 28. Weaponizing Jenkins / CICD Zero false positives ▪ Anaphylactic shock Health Checks vs Scanning ▪ Run these all the time Home of specific issue tests ▪ Find a vuln, write a test Cadence for longer running tests ▪ These NEVER break the build ▪ Every X builds or every Y days
- 29. Another AppSec Pipeline experiment
- 30. Scaling with Docker Containers
- 31. Containers turn tools into an “Easy Button”
- 32. No reason to not start small docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
- 33. Then get a bit more fancy Pull in and run containers in your CICD Scale out with container orchestration
- 34. Benefits of Containers Effectively scales, can fix configurations Build security tools once, run anywhere Dev teams can run locally what their code will face in CICD runs Easy of deployment, laptop to cloud
- 35. Key Takeaways The Three Ways of DevOps 1. Workflow 2. Improve Feedback 3. Continual Experimentation and Learning The journey will be iterative Get a single source of truth for findings
- 36. ▪ AppSec Pipeline https://github.com/appsecpipeline https://owasp.org/www-project-appsec-pipeline/ ▪ DefectDojo https://www.defectdojo.org/ https://github.com/DefectDojo ▪ DefectDojo Demo https://demo.defectdojo.org/ Log in admin / defectdojo@demo#appsec ▪ Youtube - search for “matt tesauro” & https://www.slideshare.net/mtesauro Resources
- 37. Thanks! Any questions? You can find me at: @matt_tesauro matt.tesauro@10Security.com /in/matttesauro https://10security.com/
- 38. Credits Special thanks to all the people who made and released these awesome resources for free: ▪ Presentation template by SlidesCarnival ▪ Photographs by Unsplash & Death to the Stock Photo (license)