AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Presented at AppSec USA 2016 - Is software development outpacing your ability to secure your company's portfolio of apps? You don't have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn't already have more than enough to do. This talk covers how to take the lessons learned from forward-thinking software development and shows how they have been applied across several businesses. This isn't a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on the improvements seen will be provided.
Key Features of AppSec Pipelines
◈ Designed for iterative improvement
◈ Provides a reusable path for AppSec activities to follow
◈ Provides a consistent process for both the team and our constituency
◈ One-way flow with well-defined states
◈ Relies heavily on automation
◈ Grows in functionality organically over time
◈ Gracefully interconnects with the
...other than the critical resource is an illusion.
W. Edwards Deming
Key Goals of AppSec Pipelines
◈ Optimize the critical resource -
Automate the things that don't require a human brain
Drive up consistency
Increase tracking of work status
Increase flow through the system
Increase visibility and metrics
Reduce any dev team friction with application security
Why we like AppSec Pipelines
◈ Allow us to have visibility into WIP
Better understand/track/optimize the flow of engagements
Average static test takes ...
◈ Great increase in consistency
Each step has a well-defined interface
◈ Easier moving of engagements between staff
Knowing who has what allows for more informed "cost of switching" conversations
◈ Flexible enough for a range of skills and app
◈ 44 assessments
◈ ~200 assessments
Changes from 2014 to 2015:
- Created the AppSec Pipeline - initial launch in March 2015
- AppSec team numbers dropped - lost a couple of key people, approx 3.5 FTEs
- Two of the AppSec team members went meta for most of 2015
Open yourself up to upstream and
CAMS / CALMS
CAMS = Culture, Automation, Measurement, Sharing (the DevOps framing)
CALMS = CAMS + Lean
◈ Measurement = Metrics => Visibility
◈ Automate the drudgery
Allows meaningful personal interactions
◈ What would you want if you were the dev you're talking to?
Create a culture of innovation and
◈ Zero false positives
◈ Health Checks vs Scanning
Run these all the time
◈ Home of specific issue tests
Find a vuln, write a test
◈ Cadence for longer running tests
These NEVER break the build
Every X builds or every Y days
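The three kinds of checks the slide separates (always-on health checks with zero false positives, one regression test per vulnerability found, and long-running scans on a cadence that never fail the build) as a small Python module. This is an added example, not code from the talk or its authors: the application under test is a constructed stand-in, and the header rules, the XSS marker, the cadence thresholds and the dates are assumptions made for the example.

```python
"""Pipeline gate example (added; not from the talk). Assumed names throughout."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import html


# --- constructed stand-in for the application under test --------------------
@dataclass
class Response:
    status: int
    headers: dict
    body: str


def app_search(q: str, fixed: bool = True) -> Response:
    """Constructed endpoint. fixed=False reproduces a reflected-XSS bug that was
    found earlier; fixed=True is the patched behaviour (output is HTML-escaped)."""
    shown = html.escape(q) if fixed else q
    return Response(
        200,
        {"Content-Type": "text/html",
         "X-Content-Type-Options": "nosniff",
         "Content-Security-Policy": "default-src 'self'"},
        f"<html><body>Results for {shown}</body></html>",
    )


# --- health checks: run on every build, exact rules, so zero false positives -
REQUIRED_HEADERS = {                      # assumed policy for the example
    "X-Content-Type-Options": "nosniff",  # must be exactly this value
    "Content-Security-Policy": None,      # any value, but must be present
}


def health_check_headers(resp: Response) -> list:
    """Return a list of failures (empty list == pass). Every rule is a plain
    equality/presence check, so a failure is a real regression, not a guess."""
    failures = []
    for name, expected in REQUIRED_HEADERS.items():
        value = resp.headers.get(name)
        if value is None:
            failures.append(f"missing header {name}")
        elif expected is not None and value != expected:
            failures.append(f"{name} is {value!r}, expected {expected!r}")
    return failures


# --- specific-issue tests: find a vuln, write a test ------------------------
XSS_MARKER = "<svg onload=alert(1)>"  # assumed payload from the original finding


def regression_reflected_xss(responder) -> list:
    """Regression test for the reflected XSS in the search endpoint: the raw
    marker must never come back unescaped."""
    resp = responder(XSS_MARKER)
    return ["reflected XSS regression in search endpoint"] if XSS_MARKER in resp.body else []


# --- cadence for long-running tests -----------------------------------------
def long_scan_due(build_number: int, last_run: datetime, now: datetime,
                  every_n_builds: int = 20, every_days: int = 7) -> bool:
    """Run the slow scan every N builds or every Y days, whichever comes first."""
    return build_number % every_n_builds == 0 or (now - last_run) >= timedelta(days=every_days)


# --- the gate ---------------------------------------------------------------
@dataclass
class BuildResult:
    passed: bool
    failures: list = field(default_factory=list)   # these break the build
    reported: list = field(default_factory=list)   # informational only


def run_pipeline(responder, build_number: int, last_run: datetime, now: datetime,
                 long_scan=lambda: []) -> BuildResult:
    failures = []
    failures += health_check_headers(responder("ok"))
    failures += regression_reflected_xss(responder)
    reported = []
    if long_scan_due(build_number, last_run, now):
        reported = long_scan()   # findings go to the tracker; they never fail the build
    return BuildResult(passed=not failures, failures=failures, reported=reported)


# Constructed dates for the demo run.
NOW = datetime(2016, 10, 14)
LAST_RUN = datetime(2016, 10, 1)


def demo(fixed: bool) -> BuildResult:
    """Run the gate against the stand-in app, with or without the XSS fix."""
    return run_pipeline(lambda q: app_search(q, fixed=fixed), 7, LAST_RUN, NOW,
                        long_scan=lambda: ["slow finding"])


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

The split matters: a scanner alert in `reported` can be wrong and is triaged by a human, while anything in `failures` is an exact check the team wrote after a confirmed finding, which is what lets the gate block a merge without developers learning to ignore it.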
OWASP's AppSec Pipeline for Projects
◈ Create an AppSec Pipeline of OWASP Projects to assess
Use OWASP ZAP to scan OWASP Security Shepherd and store the results in OWASP DefectDojo
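The ZAP-to-DefectDojo step above as a runnable script. This is an added example, not code from the talk, from ZAP or from DefectDojo: the scan is run through the official ZAP Docker image's `zap-baseline.py`, the XML report is summarized, and the report is posted to DefectDojo's import-scan endpoint. `DOJO_URL`, `DOJO_TOKEN`, `ENGAGEMENT_ID`, `TARGET` and the embedded sample report are constructed for the example, and the DefectDojo v2 endpoint and field names are stated as the example author understands them, so check them against your own instance before relying on them.

```python
"""ZAP baseline scan -> summary -> DefectDojo import (added example; assumed names)."""
import subprocess
import xml.etree.ElementTree as ET

ZAP_IMAGE = "owasp/zap2docker-stable"
DOJO_URL = "https://defectdojo.example.com"       # assumed
DOJO_TOKEN = "replace-with-api-token"             # assumed
ENGAGEMENT_ID = 42                                # assumed
TARGET = "http://securityshepherd.example.com"    # assumed Security Shepherd instance

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def run_baseline_scan(target: str, report_xml: str, workdir: str = ".") -> int:
    """Run zap-baseline.py in Docker and write the XML report into workdir.
    zap-baseline exits non-zero when it raises WARN/FAIL alerts, so the exit
    code is returned, not raised: the caller decides whether it gates anything."""
    cmd = ["docker", "run", "--rm", "-v", f"{workdir}:/zap/wrk/:rw", "-t",
           ZAP_IMAGE, "zap-baseline.py", "-t", target, "-x", report_xml]
    return subprocess.run(cmd).returncode


def summarize_zap_report(xml_text: str) -> dict:
    """Count <alertitem> entries per risk level in a ZAP XML report."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    root = ET.fromstring(xml_text)
    for item in root.iter("alertitem"):
        counts[RISK_NAMES[item.findtext("riskcode", "0")]] += 1
    return counts


def build_dojo_import(report_path: str, engagement_id: int,
                      minimum_severity: str = "Low") -> dict:
    """Assemble the POST /api/v2/import-scan/ request (assumed v2 field names)."""
    return {
        "url": f"{DOJO_URL}/api/v2/import-scan/",
        "headers": {"Authorization": f"Token {DOJO_TOKEN}"},
        "data": {
            "scan_type": "ZAP Scan",          # DefectDojo's parser name for ZAP XML
            "engagement": engagement_id,
            "minimum_severity": minimum_severity,
            "active": "true",
            "verified": "false",              # findings still need human triage
        },
        "file_path": report_path,
    }


def upload_to_dojo(req: dict) -> int:
    """Send the multipart import; requests is only imported when actually uploading."""
    import requests
    with open(req["file_path"], "rb") as fh:
        r = requests.post(req["url"], headers=req["headers"], data=req["data"],
                          files={"file": fh}, timeout=120)
    r.raise_for_status()
    return r.status_code


# Constructed sample in the layout of a ZAP XML report (two alerts).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.5.0" generated="sample">
  <site name="http://securityshepherd.example.com" host="securityshepherd.example.com" port="80" ssl="false">
    <alerts>
      <alertitem><pluginid>40012</pluginid><alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode><confidence>2</confidence><riskdesc>High (Medium)</riskdesc></alertitem>
      <alertitem><pluginid>10038</pluginid><alert>Content Security Policy (CSP) Header Not Set</alert>
        <riskcode>1</riskcode><confidence>2</confidence><riskdesc>Low (Medium)</riskdesc></alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def main():
    report = "zap-shepherd.xml"
    rc = run_baseline_scan(TARGET, report)
    with open(report) as fh:
        print("ZAP findings:", summarize_zap_report(fh.read()), "exit code", rc)
    print("DefectDojo import HTTP status:", upload_to_dojo(build_dojo_import(report, ENGAGEMENT_ID)))


if __name__ == "__main__":
    main()
```

Keeping the summary separate from the upload lets the same report feed a build log line (consistent, visible metrics) and the tracker, while `verified` stays false so scanner output is never treated as confirmed until someone on the team looks at it.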
Special thanks to all the people who made and released these awesome resources for free:
◈ Presentation template by SlidesCarnival
◈ Photographs by Unsplash
◈ Backgrounds by SubtlePatterns