Matt Tesauro discusses moving application security (AppSec) beyond traditional security testing towards event-based security using continuous integration/continuous delivery (CI/CD) pipelines and automation. Key points include:
- Implementing AppSec pipelines that automate security tasks using tools like Docker to increase efficiency and consistency while reducing friction between AppSec and development teams.
- Treating individual security findings as tests that are run continuously via tools like Jenkins to quickly determine when issues are fixed.
- With increased automation and efficiency, one company increased the number of application assessments from 44 in 2014 to over 400 in 2016 while reducing AppSec staffing levels.
10. As any dating-website veteran will tell you,
if you can’t find love, change your appearance.[1]
[1] Economist, Jan 21, 2017 - http://sl.owasp.org/economist-quote
13. Key Goals of AppSec Pipelines
◈ Optimize the critical resource - AppSec personnel
○ Automate the things that don’t require a human brain
○ Drive up consistency
○ Increase tracking of work status
○ Increase flow through the system
○ Increase visibility and metrics
○ Reduce any dev team friction with application security
15. “To put the world in order,
we must first put the nation in order;
to put the nation in order,
we must first put the family in order;
to put the family in order,
we must first cultivate our personal life;
we must first set our hearts right.
Confucius
18. Key Features of AppSec Pipelines
◈ Designed for iterative improvement
◈ Provides a reusable path for AppSec activities to follow
◈ Provides a consistent process for both the team and our constituency
◈ One way flow with well-defined states
◈ Relies heavily on automation
◈ Grow in functionality organically over time
◈ Gracefully interconnects with the development process
26. Weaponizing Jenkins
◈ Zero false positives
○ Anaphylactic shock
◈ Health Checks vs Scanning
○ Run these all the time
◈ Home of specific issue tests
○ Find a vuln, write a test
◈ Cadence for longer running tests
○ These NEVER break the build
○ Every X builds or every Y days
35. AppSec Pipelines & Event based Security
◈ Security Findings
○ Turn each into a self-contained test
◈ Add those tests to Jenkins
○ Run hourly or at least daily
○ Turn green when they are fixed
◈ Tied alerts / Chat ops to those tests
○ Let them tell you when they are fixed
◈ Let the developer know that release X fixed finding Y
○ Bonus points for connecting Jenkins test passing to closing Jira bug
◈ 2 FTEs assessed 35 Apps in year 1
37. OWASP’s AppSec Pipeline for Projects
◈ Create an AppSec Pipeline of OWASP Projects to assess OWASP Projects
○ Use OWASP Zap to scan OWASP Security Shepherd, store the results in OWASP Defect Dojo and push findings to Jira
38. OWASP Defect Dojo
◈ One-stop source of truth for findings
◈ AppSec Programs, QA, Pen Testers
○ Custom report generation
○ Metrics and Dashboards
○ App & Infrastructure findings supported
◈ New-ish OWASP Project
○ Code base is 3+ years - started at Rackspace
◈ Community and contributor friendly
○ Bugs triaged and verified in 4 hours - 8 to fix
○ 11 contributors from multiple companies
◈ Github: 178 stars, 62 forks, 196 watchers
41. 2014 to 2015
◈ 2014: 44 assessments
◈ 2015: ~200 assessments (~5x increase)
Changes from 2014 to 2015:
- Created the AppSec Pipeline - initial launch in March 2015
- AppSec team numbers dropped - lost a couple of key people, approx 3.5 FTEs
- Two of the AppSec team members went meta for most of 2015
42. 2015 to 2016
◈ 2015: ~200 assessments
◈ 2016: 414 assessments (~2x increase)
Changes from 2015 to 2016:
- Lost 2 key FTE engineers
- AppSec team numbers dropped - not every vacant FTE position was filled
43. 2014 to 2016
◈ 2014: 44 assessments
◈ 2016: 414 assessments (9.4x increase)
Things to remember
- Year 1 may go slow - you need to build a solid foundation
- Get your house in order, THEN reach out to other teams
- Divide tests into:
  - Quick, low false-positive tests - these go into CI/CD
  - Longer, less accurate tests
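The "find a vuln, write a test" pattern from slides 26, 35 and 43, as an added example that is not code from the talk: each finding carries its own self-contained check, quick low-false-positive checks run every build and gate CI, longer checks run on a cadence and never break the build, and a finding that just turned green is reported so the tracker issue can be closed. The finding keys, the response fields and the release numbers are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Response = Dict[str, object]   # constructed stand-in for an HTTP response under test

@dataclass
class Finding:
    key: str                                 # tracker key (constructed, e.g. a Jira id)
    fixed_when: Callable[[Response], bool]   # the finding's own self-contained test
    quick: bool                              # quick, low-false-positive: runs every build, gates CI
    every_n_builds: int = 1                  # cadence for longer-running tests (never gate)

def is_due(f: Finding, build: int) -> bool:
    return f.quick or build % f.every_n_builds == 0

def run_findings(findings: List[Finding], response: Response, build: int,
                 previous: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Run every finding that is due this build. Returns the per-finding status
    ('fixed', 'open', or the last known status when not due) and the keys that
    just went green, i.e. the ones to announce and to close in the tracker."""
    status, newly_fixed = {}, []
    for f in findings:
        if not is_due(f, build):
            status[f.key] = previous.get(f.key, "unknown")
            continue
        fixed = f.fixed_when(response)
        status[f.key] = "fixed" if fixed else "open"
        if fixed and previous.get(f.key) == "open":
            newly_fixed.append(f.key)
    return status, newly_fixed

def build_should_fail(findings: List[Finding], status: Dict[str, str]) -> bool:
    # Only the quick, low-false-positive tests may break the build.
    return any(f.quick and status.get(f.key) == "open" for f in findings)

# Constructed findings: two quick checks that gate CI, one slow check on a cadence.
FINDINGS = [
    Finding("SEC-101", lambda r: "X-Frame-Options" in r["headers"], quick=True),
    Finding("SEC-102", lambda r: "Traceback" not in r["body"], quick=True),
    Finding("SEC-103", lambda r: r["tls_min_version"] >= 1.2, quick=False, every_n_builds=10),
]
# Constructed responses: release 41 before the fixes, release 42 after.
RELEASE_41 = {"headers": {}, "body": "Traceback (most recent call last)", "tls_min_version": 1.0}
RELEASE_42 = {"headers": {"X-Frame-Options": "DENY"}, "body": "<html>ok</html>", "tls_min_version": 1.2}

if __name__ == "__main__":
    s41, _ = run_findings(FINDINGS, RELEASE_41, 41, {})
    s42, closed = run_findings(FINDINGS, RELEASE_42, 42, s41)
    print("build 41 fails:", build_should_fail(FINDINGS, s41))   # True
    print("release 42 fixed:", closed)                            # ['SEC-101', 'SEC-102']
```

In a Jenkins job the `closed` list is what you would feed to chat ops and to the Jira transition described on slide 35.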
44. Anonymous Co’s
Company A
◈ Adopted DefectDojo for their pipeline
◈ 4,000 employees
◈ 2,000+ issues tracked
◈ Manual Pen Tests
◈ Reporting
◈ Dashboard
Company B
◈ Migrated off COTS to DefectDojo
◈ Imported 20k issues
◈ Currently at 50k+ issues
◈ Reporting
◈ Metrics/Dashboard
◈ API for automation
◈ Read-only for mgmt
45. How can you help?
Help fill the AppSec Toolbox
http://sl.owasp.org/pipeline
52. CAMS / CALMS
◈ Culture, Automation, Measurement, Sharing
○ CALMS = CAMS + Lean
◈ Measurement = Metrics => Visibility
◈ Automate the drudgery
○ Allows meaningful personal interactions
◈ What would you want if you were the dev you’re talking to?
53. Credits
Special thanks to all the people who made and
released these awesome resources for free:
◈ Presentation template by SlidesCarnival
◈ Photographs by Unsplash
◈ Backgrounds by SubtlePatterns