Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec remains slow to deliver and fails to scale. In this talk, we’ll discuss lessons learned from forward-thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls.
My talk from Secure Coding Virtual Summit (2021-03-24)
10. Key Features of AppSec Pipelines
▪ Designed for iterative improvement
▪ Provides a reusable path for AppSec activities to follow
▪ Provides a consistent process for both the team and our constituency
▪ One-way flow with well-defined states
▪ Relies heavily on automation
▪ Grows organically over time
▪ Gracefully interconnects with the development process
14. Optimize the critical resource - AppSec Personnel
▪ Automate the things that don’t require a human brain
▪ Drive up consistency
▪ Increase tracking of work status
▪ Increase flow through the system
▪ Increase visibility and metrics
▪ Reduce dev team friction
Key Goals of AppSec Pipelines
15. Why choose an AppSec Pipeline?
Allows us to have visibility into WIP
▪ Better understand/track/optimize flow
▪ Average SAST engagement takes…
Great increase in consistency
▪ Each step has a well-defined interface
Easier moving activities between staff
▪ Informed for “switching costs” convos
Flexible enough for a range of skills and DevOps maturity
26. CAMS / CALMS
Culture, Automation, Measurement, Sharing
▪ CALMS = CAMS + Lean
Measurement = Metrics => Visibility
Automate the drudgery
▪ Allows meaningful personal interactions
What would you want if you were the dev you’re talking to?
28. Weaponizing Jenkins / CICD
Zero false positives
▪ Anaphylactic shock
Health Checks vs Scanning
▪ Run these all the time
Home of specific issue tests
▪ Find a vuln, write a test
Cadence for longer-running tests
▪ These NEVER break the build
▪ Every X builds or every Y days
32. No reason to not start small
# run nikto from the kali-pipeline container; run.sh is the talk's wrapper script,
# which takes the tool command to run and the file to write results to
docker run -it --name kali-pipeline kali-pipeline \
  /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
33. Then get a bit more fancy
Pull in and run containers in your CICD
Scale out with container orchestration
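The split slide 28 describes (zero-false-positive health checks that break the build; longer-running scans on a cadence that never do) together with the containerised scan step from slides 32 and 33, as an added shell example that is not from the talk. The 10-builds / 7-days cadence, the debug-flag health check and the simulated scanner are constructed placeholders; in a real pipeline the scan command would be the containerised tool.

```shell
#!/bin/sh
# Added example, not from the talk: a minimal CI gate that keeps the two kinds of
# checks apart. Health checks are specific regression tests with zero false
# positives, so they fail the build; scans run on a cadence and never fail it.

# should_run_scan BUILD EVERY_X_BUILDS LAST_SCAN_EPOCH EVERY_Y_DAYS NOW_EPOCH
# Succeeds (0) when the build number is a multiple of X or Y days have elapsed
# since the last scan, whichever comes first ("every X builds or every Y days").
should_run_scan() {
  build=$1; every_x=$2; last=$3; every_y_days=$4; now=$5
  [ $((build % every_x)) -eq 0 ] && return 0
  [ $((now - last)) -ge $((every_y_days * 86400)) ] && return 0
  return 1
}

# health_check NAME CMD... -- the "find a vuln, write a test" stage.
# A failure here is a known, reproducible regression, so it breaks the build.
health_check() {
  name=$1; shift
  if "$@"; then echo "PASS health-check $name"; return 0; fi
  echo "FAIL health-check $name (breaking the build)"; return 1
}

# cadenced_scan NAME RESULTS_FILE CMD... -- the longer-running scanner stage.
# Output goes to RESULTS_FILE for triage; the scanner's exit status is logged
# but never propagated, so this stage NEVER breaks the build.
cadenced_scan() {
  name=$1; results=$2; shift 2
  if "$@" >"$results" 2>&1; then status=0; else status=$?; fi
  echo "scan $name exited $status; findings in $results; build continues"
  return 0
}

# run_pipeline BUILD NOW_EPOCH LAST_SCAN_EPOCH DEBUG_FLAG
# Assumed cadence: scan every 10 builds or every 7 days.
run_pipeline() {
  build=$1; now=$2; last=$3; debug_flag=$4
  results="${TMPDIR:-/tmp}/scan-results.txt"
  # Constructed health check: a debug flag that once shipped to prod must stay off.
  health_check "debug-flag-off" test "$debug_flag" = false || return 1
  if should_run_scan "$build" 10 "$last" 7 "$now"; then
    # Constructed stand-in for the containerised scanner (slide 32's nikto
    # container would go here): it reports a finding and exits non-zero.
    cadenced_scan "web-scan" "$results" sh -c 'echo "simulated finding"; exit 1'
  fi
  return 0
}
```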
34. Benefits of Containers
Effectively scales, can fix configurations
Build security tools once, run anywhere
Dev teams can run locally what their code will face in CICD runs
Ease of deployment, laptop to cloud
35. Key Takeaways
The Three Ways of DevOps
1. Workflow
2. Improve Feedback
3. Continual Experimentation and Learning
The journey will be iterative
Get a single source of truth for findings
37. Thanks!
Any questions?
You can find me at:
@matt_tesauro
matt.tesauro@10Security.com
/in/matttesauro
https://10security.com/
38. Credits
Special thanks to all the people who made and released these awesome resources for free:
▪ Presentation template by SlidesCarnival
▪ Photographs by Unsplash & Death to the Stock Photo (license)