Building an AppSec Pipeline: Keeping your program, and your life, sane
TRANSCRIPT
Aaron Weaver
Application Security Manager, Pearson plc
Building an AppSec Pipeline: Keeping your program, and your life, sane
189 seconds is the average time in a drive-thru
Instrumentation
Standardization of products and processes.
A Big Mac is a Big Mac wherever you purchase it in the U.S., and this emphasis on reliable and highly standardized product offerings, as well as uniform production processes, is something fast-food companies have perfected.
Source: ValueStreamGuru.com
A production process approach
Different work cells within an individual restaurant combine to make the finished product, allowing for maximum efficiency in each work unit.
Source: ValueStreamGuru.com
A flexible and multi-skilled workforce
Each employee specializing within a role but also being trained to step into other areas whenever needed.
Source: ValueStreamGuru.com
Lean production
Maximizes the use of a facility's space. Fast-food kitchens are rarely large, but their output is tremendous, meaning they get the most from the limited space available.
Source: ValueStreamGuru.com
What would it look like if AppSec ran fast food?
AppSec Pipeline
Your front door
Minimal viable product (MVP)
product
Polled the Team
Bag of Holding(BoH)
What does BoH do?
• Manages our Application Security Program
• Application Repository
• Engagement Tracking
• Report Repository
• Comments on any application, engagement or activity
• Data Classification and PII data
• Time taken on secure software activities
• Historical knowledge of past assessments
• Credential repository
• Environment details
Length of Activities
Social, erm Yes.
Security Tool Vendors: If I can do it with the UI, I want to do it with an API.
- Matt Tesauro
Open Source
Orchestration
• Integrate Security Tools and Workflow
• Example: Generic API for dynamic scanning
  • URL
  • Credentials
  • Profile
• Call any Dynamic Scanner:
  • OWASP ZAP
  • BurpSuite
  • AppScan
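As an added illustration of the generic dynamic-scan API from the slide (my code, not the talk's orchestration layer or Bag of Holding): one tool-neutral request carrying the three fields named above (URL, credentials, profile), an allow-list check so the orchestrator only ever scans hosts the program owns, and adapters that turn the same request into a ZAP active-scan call and a Burp scan-API job. The scanner base URLs, API keys, allowed hosts and the profile-to-policy name mapping are assumptions; the ZAP call follows ZAP's JSON API, and the Burp body follows the Burp scan REST API and should be checked against your version.

```python
"""Tool-neutral dynamic scan request mapped onto scanner-specific calls.

Added example for illustration (not the talk's orchestration code or
Bag of Holding). Hosts, keys, base URLs and profile names are assumed.
"""
import json
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit


@dataclass
class ScanRequest:
    """The generic API: everything a scanner needs, in tool-neutral terms."""
    url: str
    credentials: dict   # {"username": ..., "password": ...} or {} for unauthenticated
    profile: str        # "quick" or "full"; mapped to each tool's own policy name


@dataclass
class ToolRequest:
    """The concrete HTTP call an adapter produces; the orchestrator sends it."""
    method: str
    url: str
    body: str = ""
    headers: dict = field(default_factory=dict)


# Assumption: the pipeline may only scan environments the program owns.
ALLOWED_HOSTS = {"staging.example.com", "qa.example.com"}

# Tool-neutral profile -> tool-specific policy/configuration name.
# ZAP: scan policy names assumed to exist in the ZAP instance.
# Burp: built-in named configurations (check against your Burp version).
PROFILE_MAP = {
    "zap": {"quick": "Light", "full": "Default Policy"},
    "burp": {"quick": "Crawl and Audit - Fast", "full": "Crawl and Audit - Balanced"},
}


def target_approved(url):
    """True when the request targets an approved host (no scanning prod by typo)."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def zap_request(req, base="http://zap.internal:8080", apikey="changeme"):
    """ZAP JSON API active scan. Authenticated scanning in ZAP is configured
    through contexts/users with separate calls, so credentials are not sent here."""
    params = {
        "apikey": apikey,
        "url": req.url,
        "scanPolicyName": PROFILE_MAP["zap"][req.profile],
    }
    return ToolRequest("GET", f"{base}/JSON/ascan/action/scan/?{urlencode(params)}")


def burp_request(req, base="http://burp.internal:1337", apikey="changeme"):
    """Burp Suite scan REST API: POST /<key>/v0.1/scan with a JSON job."""
    job = {
        "urls": [req.url],
        "scan_configurations": [
            {"type": "NamedConfiguration", "name": PROFILE_MAP["burp"][req.profile]}
        ],
    }
    if req.credentials:
        job["application_logins"] = [{
            "username": req.credentials["username"],
            "password": req.credentials["password"],
        }]
    return ToolRequest("POST", f"{base}/{apikey}/v0.1/scan", json.dumps(job),
                       {"Content-Type": "application/json"})


ADAPTERS = {"zap": zap_request, "burp": burp_request}


def build_scan(tool, req):
    """Entry point of the generic API: validate once, then dispatch to any scanner."""
    if not target_approved(req.url):
        raise ValueError(f"refusing to scan unapproved target {req.url}")
    if req.profile not in PROFILE_MAP.get(tool, {}):
        raise ValueError(f"no mapping for tool={tool!r} profile={req.profile!r}")
    return ADAPTERS[tool](req)


if __name__ == "__main__":
    r = ScanRequest("https://staging.example.com/login",
                    {"username": "scanner", "password": "s3cret"}, "quick")
    for tool in ADAPTERS:
        t = build_scan(tool, r)
        print(tool, t.method, t.url)   # body (which carries credentials) is deliberately not printed
```

Sending the call is one line with `requests.request(t.method, t.url, data=t.body, headers=t.headers)`; keeping the build step separate from the send step is what makes the allow-list check and a dry run testable without a scanner on the network. Adding AppScan or another engine is one more adapter and one more row in `PROFILE_MAP`; nothing upstream of `build_scan` changes.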
Automate False Positive Reduction
2+ 3+ 4+ 5+
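I read the "2+ 3+ 4+ 5+" slide as the number of scanners that independently report the same issue, and the Python below is an added example of that cross-tool consensus (mine, not the talk's). Findings from three constructed scanner reports are normalized onto a shared key (vulnerability class, URL without query string or trailing slash, parameter name) and split into confirmed versus needs-review by how many distinct tools agree. The findings, the tool names and the label-to-class mapping are all constructed for the example.

```python
"""Cross-tool consensus for false-positive reduction (added example).

Findings below are constructed, in the shape three scanners might emit;
the label normalization covers only the classes used here.
"""
from collections import defaultdict
from urllib.parse import urlsplit

RAW_FINDINGS = [
    {"tool": "zap", "type": "XSS", "url": "https://app.example.com/search?q=1", "param": "q"},
    {"tool": "burp", "type": "Cross-site scripting (reflected)", "url": "https://app.example.com/search/", "param": "q"},
    {"tool": "appscan", "type": "Reflected Cross Site Scripting", "url": "https://app.example.com/search", "param": "Q"},
    {"tool": "zap", "type": "SQL Injection", "url": "https://app.example.com/item?id=3", "param": "id"},
    {"tool": "burp", "type": "SQL injection", "url": "https://app.example.com/item", "param": "id"},
    {"tool": "appscan", "type": "Missing X-Frame-Options", "url": "https://app.example.com/", "param": ""},
]


def canonical_type(name):
    """Map each tool's own label to a shared class; unknown labels pass through lowercased."""
    n = name.lower()
    if n == "xss" or ("cross" in n and "script" in n):
        return "xss"
    if "sql" in n and "inject" in n:
        return "sqli"
    return n


def location(url):
    """Scheme, host and path only: query values and trailing slashes vary per tool."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path.rstrip('/') or '/'}"


def correlate(findings):
    """Group findings by (class, location, parameter) -> set of tools that reported it."""
    groups = defaultdict(set)
    for f in findings:
        key = (canonical_type(f["type"]), location(f["url"]), f["param"].lower())
        groups[key].add(f["tool"])
    return groups


def triage(findings, min_tools=2):
    """Split into (confirmed, needs_review) by how many distinct tools agree."""
    confirmed, needs_review = [], []
    for (vtype, loc, param), tools in correlate(findings).items():
        row = {"type": vtype, "location": loc, "param": param,
               "tools": sorted(tools), "agreement": len(tools)}
        (confirmed if len(tools) >= min_tools else needs_review).append(row)
    confirmed.sort(key=lambda r: -r["agreement"])
    return confirmed, needs_review


if __name__ == "__main__":
    confirmed, needs_review = triage(RAW_FINDINGS)
    for row in confirmed:
        print(f"{row['agreement']}+ {row['type']} at {row['location']} [{row['param']}] {row['tools']}")
    print("needs review:", [r["type"] for r in needs_review])
```

Two caveats a practitioner will want. Agreement raises confidence; it does not make a single-tool finding false, so the `needs_review` list is a queue for a human, not a discard pile, and a scanner that is the only one with working authentication may be the only one that can see a whole section of the site. The key also has to be chosen deliberately: fold in query values and nothing ever matches; drop the parameter and two different injection points on one page collapse into one.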
Scheduling Application Assessments
• PCI every quarter
• Compliance policy requirement to manually assess twice a year
Watch a Code Branch (or the doAuth() method)
Change Exceeds Threshold
Trigger a Review
Automate Assessment Requests
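The two triggers above, the calendar cadence (PCI quarterly, compliance twice a year) and the watched branch whose change to doAuth() exceeds a threshold, combined into one assessment-request queue, as an added example in Python (my code, not the talk's or Bag of Holding's). It goes a little beyond the slides by handling both triggers in one pass. The unified diff, the application records, the dates, the watched paths and the threshold are constructed; the cadence intervals follow the slide.

```python
"""Two triggers that become assessment requests (added example, not the
talk's code): a calendar cadence per application and a code-change
threshold on a watched branch. Diff, apps and dates are constructed."""
import re
from datetime import date, timedelta

# Cadences from the slide: PCI quarterly, compliance policy twice a year.
CADENCE_DAYS = {"pci": 90, "compliance": 182}

# Assumed watch list: paths and symbols whose change should pull in a review.
WATCHED_PATHS = ("src/auth/",)
WATCHED_SYMBOLS = (r"\bdoAuth\b",)
CHANGE_THRESHOLD = 3   # changed lines in watched code before a review is triggered

# Constructed unified diff, as fetched from the watched branch.
DIFF = """\
diff --git a/src/auth/Login.java b/src/auth/Login.java
--- a/src/auth/Login.java
+++ b/src/auth/Login.java
@@ -40,3 +40,8 @@ public class Login {
     public boolean doAuth(String user, String pass) {
-        return store.check(user, hash(pass));
+        if (user == null || pass == null) {
+            return false;
+        }
+        boolean ok = store.check(user, hash(pass));
+        audit.log(user, ok);
+        return ok;
     }
diff --git a/src/ui/Banner.java b/src/ui/Banner.java
--- a/src/ui/Banner.java
+++ b/src/ui/Banner.java
@@ -1 +1 @@
-String banner = "v1";
+String banner = "v2";
"""

# Constructed application records (what BoH-style tracking would hold).
APPS = [
    {"name": "payments", "tags": {"pci"}, "last_assessed": date(2015, 1, 10)},
    {"name": "portal", "tags": {"compliance"}, "last_assessed": date(2015, 5, 1)},
]
TODAY = date(2015, 6, 1)


def parse_hunks(diff):
    """Return (file_path, hunk_lines) pairs from a unified diff."""
    hunks, current, in_hunk = [], None, False
    for line in diff.splitlines():
        if line.startswith("diff --git"):
            current, in_hunk = line.split(" b/")[-1], False
        elif line.startswith("@@"):
            hunks.append((current, []))
            in_hunk = True
        elif in_hunk:
            hunks[-1][1].append(line)
    return hunks


def sensitive_change_count(diff):
    """Count added/removed lines in hunks that touch a watched path or symbol."""
    total = 0
    for path, lines in parse_hunks(diff):
        touches_path = any(p in path for p in WATCHED_PATHS)
        touches_symbol = any(re.search(s, l) for s in WATCHED_SYMBOLS for l in lines)
        if touches_path or touches_symbol:
            total += sum(1 for l in lines if l.startswith(("+", "-")))
    return total


def cadences_due(app, today):
    """Compliance cadences whose interval has elapsed since the last assessment."""
    age = today - app["last_assessed"]
    return [tag for tag, days in CADENCE_DAYS.items()
            if tag in app["tags"] and age >= timedelta(days=days)]


def assessment_requests(apps, branch_diffs, today, threshold=CHANGE_THRESHOLD):
    """Build the request queue: one entry per app that has at least one reason."""
    queue = []
    for app in apps:
        reasons = [f"{tag} cadence elapsed" for tag in cadences_due(app, today)]
        changed = sensitive_change_count(branch_diffs.get(app["name"], ""))
        if changed >= threshold:
            reasons.append(f"{changed} changed lines in watched auth code (threshold {threshold})")
        if reasons:
            queue.append({"app": app["name"], "reasons": reasons})
    return queue


if __name__ == "__main__":
    for req in assessment_requests(APPS, {"portal": DIFF}, TODAY):
        print(req["app"], "->", "; ".join(req["reasons"]))
```

In practice the diff comes from `git diff <last-reviewed-commit>..<branch>` on the watched branch, and the threshold is a tuning knob: a line count alone treats a one-line change to the password check the same as a one-line comment fix, which is why the symbol watch sits beside the path watch, and why the output is a request for a human review rather than a verdict.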
Your command line where you have your conversations.
Will Bot
AppSec Help
AppSec Advice
Threadfix Integration
And more:
• Create an Application
• Get Summary Metrics for Application Program
Threadfix/Static Integration
Go build. Make it better.
Q&A
Thank you!
Photo Credits
• Chicago street photography - The One That Got Away https://goo.gl/I6FLgl
• Silos https://goo.gl/3g9M38
• Kid https://goo.gl/NlwmBW
• Hipster https://goo.gl/52VUyV