
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program

Presented at AppSec USA 2016 - Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward-thinking software development and show you how they have been applied across several businesses. This isn’t a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.



  1. AppSec++ Taking the best of Agile, DevOps, and CI/CD into your AppSec Program
  2. AppSec++ Taking the best of Agile, DevOps, and CI/CD into your AppSec Program - Matt Tesauro, matt.tesauro@owasp.org
  3. Hello! I am Matt Tesauro. I think AppSec needs to change, and I’m going to tell you how. matt.tesauro@owasp.org / @matt_tesauro
  4. Custom Coachwork and Bespoke AppSec
  5. Who is This Guy?
  6. The Phoenix Project: 3 Ways of DevOps
  7. #1 Workflow: Look at your purpose and those processes which aid it
  8. AppSec Pipelines: Using CI/CD as inspiration, figure out your AppSec workflow
  9. Custom Made With Finite Options
  10. Key Features of AppSec Pipelines
      ◈ Designed for iterative improvement
      ◈ Provides a reusable path for AppSec activities to follow
      ◈ Provides a consistent process for both the team and our constituency
      ◈ One-way flow with well-defined states
      ◈ Relies heavily on automation
      ◈ Grow in functionality organically over time
      ◈ Gracefully interconnects with the development process
  11. Pearson’s AppSec Pipeline
  12. Pearson’s AppSec Pipeline (diagram labels: DevOps Pipeline, AppSec Pipeline)
  13. “Spending time optimizing anything other than the critical resource is an illusion.” - W. Edwards Deming
  14. Key Goals of AppSec Pipelines
      ◈ Optimize the critical resource - AppSec personnel
        - Automate the things that don’t require a human brain
        - Drive up consistency
        - Increase tracking of work status
        - Increase flow through the system
        - Increase visibility and metrics
        - Reduce any dev team friction with application security
  15. Why we like AppSec Pipelines
      ◈ Allow us to have visibility into WIP
        - Better understand/track/optimize flow of engagements
        - Average static test takes ...
      ◈ Great increase in consistency
        - Each step has a well-defined interface
      ◈ Easier moving of engagements between staff
        - Knowing who has what allows for more informed “cost of switching” conversations
      ◈ Flexible enough for a range of skills and app maturity
  16. What can an AppSec Pipeline do for you?
  17. 2014: 44 assessments; 2015: ~200 assessments (~5x increase)
      Changes from 2014 to 2015:
      - Created the AppSec Pipeline - initial launch in March 2015
      - AppSec team numbers dropped - lost a couple of key people, approx. 3.5 FTEs
      - Two of the AppSec team members went meta for most of 2015
  18. #2 Improve Feedback: Open yourself up to upstream and downstream information
  19. A call to action...
  20. AppSec Chat Ops: Making chat the way you do security
  21. Advice for Devs - 24x7
  22. FYI: You’re being attacked
  23. CAMS / CALMS
      ◈ Culture, Automation, Measurement, Sharing; CALMS = CAMS + Lean
      ◈ Measurement = Metrics => Visibility
      ◈ Automate the drudgery - allows meaningful personal interactions
      ◈ What would you want if you were the dev you’re talking to?
  24. #3 Continual Experimentation and Learning: Create a culture of innovation and experimentation
  25. What’s next? Experiments in AppSec Pipelines
  26. Weaponizing Jenkins
      ◈ Zero false positives - anaphylactic shock
      ◈ Health Checks vs Scanning - run these all the time
      ◈ Home of specific issue tests - find a vuln, write a test
      ◈ Cadence for longer running tests - these NEVER break the build; every X builds or every Y days
  27. Scaling with Docker Containers
  28. `docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt`
  29. Docker Security Tool Launch (python, Go) (diagram labels: ZAP, Nikto; Return ZAP IP; Run Scan, Push Results to S3)
  30. Benefits
      ◈ Effectively scales
      ◈ Build security tools once, run anywhere
      ◈ Ease of deployment
  31. Pull in or scale out, your choice
      ◈ Pull in Docker containers to your build server (ZAP, Nikto)
      ◈ Scale out to Docker Swarm (ZAP, Nikto)
  32. AppSec Pipeline for Open Source
  33. Jenkins Pipeline
  34. Pipeline as Code
  35. OWASP’s AppSec Pipeline for Projects
      ◈ Create an AppSec Pipeline of OWASP Projects to assess OWASP Projects: use OWASP ZAP to scan OWASP Security Shepherd and store the results in OWASP Defect Dojo
  36. Thanks! Any questions?
      Aaron Weaver - @weavera - aaron.weaver@owasp.org - /in/aweaver - github.com/aaronweaver
      Matt Tesauro - @matt_tesauro - matt.tesauro@owasp.org - /in/matttesauro - github.com/mtesauro
  37. Credits: Special thanks to all the people who made and released these awesome resources for free:
      ◈ Presentation template by SlidesCarnival
      ◈ Photographs by Unsplash
      ◈ Backgrounds by SubtlePatterns
  40. 40. Now you can use any emoji as an icon! And of course it resizes without losing quality and you can change the color. How? Follow Google instructions https://twitter.com/googledocs/status/730087240156643328 ✋👆👉👍👤👦👧👨👩👪💃🏃💑❤😂 😉😋😒😭👶😸🐟🍒🍔💣📌📖🔨🎃🎈 🎨🏈🏰🌏🔌🔑 and many more... 😉