Making Continuous Security a Reality with OWASP's AppSec Pipeline - Matt Tesauro & Aaron Weaver
You've probably heard many talks about DevSecOps and continuous security testing, but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool, which has been used in real-world companies to do real security work. Beyond a stand-alone tool, the OWASP AppSec Pipeline provides numerous Docker containers ready to automate, a specification to customize with the ability to create your own implementation, and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team's arsenal and provide example templates of how best to run the automated tools provided. Finally, we'll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather than hearing about it, this talk is for you.

1. Making Continuous Security a Reality
   Aaron Weaver, Matt Tesauro

2. I am Matt Tesauro
   I think AppSec needs to change and I'm going to tell you how I see it changing.
   matt.tesauro@owasp.org / @matt_tesauro
   Matt Tesauro

3. Making AppSec a little better each day.
   aaron.weaver@owasp.org / @weavera
   Principal AppSec Engineer at 10Security
   Aaron Weaver

4. Quick survey...
   • Raise your hand if you work in:
     • AppSec
     • Product Security
     • Security Engineering
     • DevOps (aka DevSecOps, SecDevOps, DevOpsSec, OpsDevSec...)

5. What traditional AppSec Tooling feels like

6. From: Julius Caesar by William Shakespeare

7. From: OWASP AppSec Pipeline Project
   Traditional AppSec it
   Matt Tesauro & Aaron Weaver

8. AppSec Pipeline
   A real-life example of an implemented AppSec Pipeline

9. The purpose of an Application Security program is to evaluate the security status of the suite of apps for a business. Basically, to provide a map to guide business decisions.
   Do you have a full view of your application landscape?

10. DevOps Pipeline → AppSec Pipeline → Security test output

11. What is an AppSec Pipeline?
   • A way to conduct testing in an automated fashion
   • Run by the AppSec team for the AppSec team
     • Get your house in order
     • Then reach out to dev teams
   • A way to scale AppSec coverage
   • "You must be this high to ride this ride"
   • Pre-calculate a portion of manual testing
   • Create a security baseline across the application landscape

12. What an AppSec Pipeline isn't
   • The one thing that will fix all your problems
   • A gate that blocks deploys (especially at first)
   • Pipelines create artifacts
     • CI/CD artifacts are deployed versions of apps
     • AppSec Pipeline artifacts are security findings

13. Call to Action

14. Gasp
   One implementation of the AppSec Pipeline Spec

15. Steps in an AppSec Pipeline run

16. Making containers work for you
   • Treat containers like a large binary executable
   • Execute once, then discard
   • Each security tool or service is in a container
   • Each has a configuration file in YAML
   • The YAML contains pre-configured tool profiles

17. Pipeline Tool YAML
   secpipeline-config.yaml

18. git example
   secpipeline-config.yaml

19. Benefits of Containerizing Tools
   • Do a single "interesting" install once
   • Figure out all the arcane tool options once
   • Sane defaults
   • Further refinement for high-risk targets
   • Tools can be in any language
   • Establish an AppSec baseline
   • Run the same tool container + profile against all apps

20. Named pipelines
   • Tool configs + containers = pipeline tool
   • Run multiple pipeline tools in a specific order to get a "Named pipeline"
   Example named pipeline: GIT → CLOC → Brakeman → Defect Dojo
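The three slides above describe the composition model: a tool container plus a YAML profile is a "pipeline tool", and a named pipeline is an ordered list of those tools, each run once as a throw-away container. The following is an added example written for this page, not code from the gasp-docker project or from the authors. The config layout is an assumption that only mimics the idea of a secpipeline-config.yaml (the project's real schema is not shown here), the image names are placeholders, and the runner is injectable so the composition can be exercised without Docker installed.

```python
"""Compose pipeline tools (container + YAML profile) into an ordered named
pipeline and emit one throw-away `docker run --rm` per tool.

Added example, not the gasp-docker project's code. TOOL_CONFIG is a constructed
stand-in for a parsed secpipeline-config.yaml (in practice you would
yaml.safe_load() the file); its layout and the image names are assumptions."""
import shlex
import subprocess
from typing import Callable, Dict, List, Optional

TOOL_CONFIG: Dict[str, dict] = {
    "git": {
        "image": "example/pipeline-git:latest",            # placeholder image
        "profiles": {"default": "clone --depth 1 {target} /workdir/src"},
    },
    "cloc": {
        "image": "example/pipeline-cloc:latest",           # placeholder image
        "profiles": {"default": "--json /workdir/src"},
    },
    "brakeman": {
        "image": "example/pipeline-brakeman:latest",       # placeholder image
        "profiles": {
            # Sane default: medium confidence and above, JSON for import.
            "default": "-q -w2 -f json -o /workdir/out/brakeman.json /workdir/src",
            # Refinement for high-risk targets: every check, every confidence.
            "high_risk": "-q -w1 -A -f json -o /workdir/out/brakeman.json /workdir/src",
        },
    },
    "dojo-import": {
        "image": "example/pipeline-dojo-import:latest",    # placeholder image
        "profiles": {"default": "--product {target} /workdir/out"},
    },
}

# A named pipeline is nothing more than the same tool containers in a fixed order.
NAMED_PIPELINES: Dict[str, List[str]] = {
    "ruby-sast": ["git", "cloc", "brakeman", "dojo-import"],
}


def build_command(tool: str, target: str, profile: str = "default",
                  workdir: str = "/tmp/pipeline") -> List[str]:
    """Turn one tool config + profile into a single throw-away container run.

    --rm enforces "execute once, then discard"; the bind mount is the only state
    that survives, so the next stage can read what the previous one wrote."""
    cfg = TOOL_CONFIG[tool]
    profiles = cfg["profiles"]
    # Tools without a specific refinement silently fall back to the sane default.
    args = profiles.get(profile, profiles["default"]).format(target=target)
    return ["docker", "run", "--rm", "-v", f"{workdir}:/workdir",
            cfg["image"], *shlex.split(args)]


def named_pipeline(name: str, target: str, profile: str = "default") -> List[List[str]]:
    """Expand a named pipeline into its ordered list of container commands."""
    return [build_command(tool, target, profile) for tool in NAMED_PIPELINES[name]]


def run_pipeline(commands: List[List[str]],
                 runner: Optional[Callable[[List[str]], int]] = None) -> List[int]:
    """Run each stage in order and stop at the first non-zero exit, so a later
    tool never runs against half-populated output. Returns the exit codes seen."""
    def docker_runner(argv: List[str]) -> int:
        return subprocess.run(argv).returncode

    runner = runner or docker_runner
    codes: List[int] = []
    for argv in commands:
        codes.append(runner(argv))
        if codes[-1] != 0:
            break
    return codes


if __name__ == "__main__":
    # Dry run: print the commands a named pipeline would execute for one target.
    for argv in named_pipeline("ruby-sast", "https://git.example.com/org/app.git"):
        print(" ".join(shlex.quote(a) for a in argv))
```

Because every stage is a fresh container with the same profile, the same command list can be pointed at every app in the portfolio, which is what makes the "baseline across the application landscape" from the earlier slide mechanical rather than heroic.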
21. named pipeline

22. At the end of a run...

23. Maybe Slack alerts

24. https://github.com/appsecpipeline/gasp-docker

25. AppSec Pipeline
   A real-life example of an implemented AppSec Pipeline

26. My Current AppSec Pipeline

27. Lightweight REST APIs

28. t2.large EC2 Instance

29. Criteria for Tools
   ❖ Runs fairly quickly
   ❖ Fast, lightweight dynamic scans
   ❖ Static scans with differential
   ❖ Third Party Components

30. AppSec Pipeline Stats
   15 Repos
   4 Months
   5,100 Runs
   25,000+ Container Executions

31. CI/CD Information

32. CI/CD Security Test

33. What have I learned?

34. After the first run of scans, the net new vulnerabilities are low.

35. Legacy security* tools will be your biggest pain point.
   (*Anything that isn't in a container)

36. Evaluate what you did and look for the next improvement.

37. Improvement Idea
   SCM Integration: The web post tells me what files have changed.

38. Manual Review
   Files are tagged to indicate functionality; a tagged file is marked for manual review if it changes.
   1. File tagged for review from build

39. Manual Review
   2. Manual test created for that engagement
   3. Slack alert

40. Manual Review
   4. Review changes in SCM
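Slides 37 to 40 describe one procedure: the SCM post says which files changed, files tagged with a functionality are flagged when they change, a manual test is created for the engagement, and a Slack alert points the reviewer at the changes. The following is an added example of that flow, written for this page and not the authors' pipeline code. The push payload is constructed in the trimmed shape of a GitHub-style push event (per-commit added/modified/removed lists), and the tag table, engagement name and repository are made up.

```python
"""Turn an SCM push notification into manual-review work.

Added example, not the authors' pipeline code. REVIEW_TAGS, SAMPLE_PUSH and the
engagement name are constructed for illustration; the Slack text is returned,
not posted, so the webhook call stays with the caller."""
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Constructed: files (or globs) tagged with the functionality they implement.
# A change to any matching path triggers a manual review.
REVIEW_TAGS: Dict[str, str] = {
    "app/controllers/sessions_controller.rb": "authentication",
    "app/models/user.rb": "authentication",
    "config/initializers/cors.rb": "cors",
    "app/controllers/api/payments/*.rb": "payments",
    "lib/crypto/*": "cryptography",
}

# Constructed push payload, trimmed to the fields this flow needs.
SAMPLE_PUSH = {
    "ref": "refs/heads/main",
    "repository": {"full_name": "example-org/shop",
                   "html_url": "https://git.example.com/example-org/shop"},
    "commits": [
        {"id": "a1b2c3d",
         "added": ["app/controllers/api/payments/refunds_controller.rb"],
         "modified": ["app/models/user.rb", "README.md"],
         "removed": []},
        {"id": "d4e5f6a",
         "added": [],
         "modified": ["app/views/home/index.html.erb"],
         "removed": ["lib/crypto/legacy_hash.rb"]},
    ],
}


def changed_files(push: dict) -> List[str]:
    """Flatten added/modified/removed across all commits, de-duplicated, in order.
    Removed files count too: deleting a crypto helper is as review-worthy as adding one."""
    seen, out = set(), []
    for commit in push["commits"]:
        for key in ("added", "modified", "removed"):
            for path in commit.get(key, []):
                if path not in seen:
                    seen.add(path)
                    out.append(path)
    return out


def files_for_review(paths: List[str], tags: Dict[str, str] = REVIEW_TAGS) -> Dict[str, str]:
    """Step 1: map each changed path that matches a tagged pattern to its tag."""
    hits: Dict[str, str] = {}
    for path in paths:
        for pattern, tag in tags.items():
            if fnmatch(path, pattern):
                hits[path] = tag
                break
    return hits


def create_manual_test(engagement: str, push: dict, hits: Dict[str, str]) -> Optional[dict]:
    """Step 2: build the manual test record attached to the engagement.
    Returns None when nothing tagged changed, so untagged commits create no noise."""
    if not hits:
        return None
    return {
        "engagement": engagement,
        "test_type": "Manual Code Review",
        "repository": push["repository"]["full_name"],
        "ref": push["ref"],
        "commits": [c["id"] for c in push["commits"]],
        "areas": sorted(set(hits.values())),
        "files": hits,
    }


def slack_message(test: dict) -> str:
    """Step 3: the alert text; step 4 (reviewing in SCM) is what it links to."""
    lines = [f":mag: Manual review needed for {test['repository']} ({test['ref']})",
             f"Engagement: {test['engagement']} | areas: {', '.join(test['areas'])}"]
    lines += [f"• {path}  [{tag}]" for path, tag in test["files"].items()]
    lines.append("Review the changes in SCM: " + ", ".join(test["commits"]))
    return "\n".join(lines)


if __name__ == "__main__":
    hits = files_for_review(changed_files(SAMPLE_PUSH))
    test = create_manual_test("shop-2019-q2", SAMPLE_PUSH, hits)
    print(slack_message(test) if test else "nothing tagged changed")
```

The tag table is the piece worth maintaining carefully: it is what turns "pre-calculate a portion of manual testing" into a list of files, and every entry should name the functionality (authentication, payments, crypto) rather than a person, so the alert still makes sense when the team changes.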
41. False positives: can we do better?

42. Rules Engine
   Finding imported → Analyze → Apply

43. Rules Engine: CWE use case
   Title match on XSS → Update CWE-79

44. Rules Engine: Scanner matching
   Scanner == SSLLabs → Grade < A → Update Verified

45. Rules Engine: Scanner confidence
   Scanner Confidence == Confirmed → Title == XSS → Update Verified
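Slides 42 to 45 sketch the rules engine as import, analyze, apply, with three concrete rules. The following added example implements that pass in Python; it is written for this page and is not Defect Dojo's or the AppSec Pipeline's code. The finding fields, the sample findings and the SSL Labs grade ordering (A- treated as below A) are assumptions made for the example.

```python
"""Rules engine pass over imported findings: each finding is analyzed against
an ordered rule list and the matching rules' updates are applied.

Added example, not Defect Dojo's or the AppSec Pipeline's code. Finding fields,
SAMPLE_FINDINGS and GRADE_ORDER are assumptions constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Finding = Dict[str, object]

# Best to worst, left to right. Assumption: A- sorts below A, so "Grade < A"
# catches A- as well as B through F.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F"]


def grade_below_a(grade: object) -> bool:
    """True for any known grade worse than A; unknown or missing grades never match."""
    return grade in GRADE_ORDER and GRADE_ORDER.index(grade) > GRADE_ORDER.index("A")


def is_xss_title(finding: Finding) -> bool:
    """'Title match on XSS', tolerant of the spellings scanners actually use."""
    title = str(finding.get("title", "")).lower()
    return "xss" in title or "cross-site scripting" in title or "cross site scripting" in title


@dataclass
class Rule:
    name: str
    matches: Callable[[Finding], bool]   # the "Analyze" half
    update: Dict[str, object]            # the "Apply" half


RULES: List[Rule] = [
    # CWE use case: Title match on XSS -> Update CWE-79
    Rule("cwe-xss", is_xss_title, {"cwe": 79}),
    # Scanner matching: Scanner == SSLLabs -> Grade < A -> Update Verified
    Rule("ssllabs-below-a",
         lambda f: f.get("scanner") == "SSLLabs" and grade_below_a(f.get("grade")),
         {"verified": True}),
    # Scanner confidence: Confidence == Confirmed -> Title == XSS -> Update Verified
    Rule("confirmed-xss",
         lambda f: f.get("confidence") == "Confirmed" and is_xss_title(f),
         {"verified": True}),
]

# Constructed findings as an importer might hand them over.
SAMPLE_FINDINGS: List[Finding] = [
    {"id": 1, "scanner": "ZAP", "title": "Reflected XSS in search", "cwe": 0,
     "verified": False, "confidence": "Medium"},
    {"id": 2, "scanner": "SSLLabs", "title": "TLS grade", "grade": "B", "cwe": 0,
     "verified": False},
    {"id": 3, "scanner": "SSLLabs", "title": "TLS grade", "grade": "A+", "verified": False},
    {"id": 4, "scanner": "Burp", "title": "Cross-site scripting (stored)", "cwe": 0,
     "verified": False, "confidence": "Confirmed"},
    {"id": 5, "scanner": "Burp", "title": "SQL injection", "cwe": 89,
     "verified": False, "confidence": "Confirmed"},
]


def apply_rules(findings: List[Finding],
                rules: List[Rule] = RULES) -> Tuple[List[Finding], List[Tuple[object, str]]]:
    """Return (updated findings, audit trail of (finding id, rule name)).

    Findings are copied, never mutated, so the importer's raw record survives for
    later disputes. Rules see earlier rules' updates, so they can build on each other."""
    updated, audit = [], []
    for finding in findings:
        out = dict(finding)
        for rule in rules:
            if rule.matches(out):
                out.update(rule.update)
                audit.append((out["id"], rule.name))
        updated.append(out)
    return updated, audit


if __name__ == "__main__":
    for f, entry in zip(*apply_rules(SAMPLE_FINDINGS)):
        print(entry, f)
```

The audit trail is what makes this safe to run automatically: a finding that was auto-verified can always be traced to the rule that did it, and a rule that starts producing bad verifications can be found and removed without re-importing anything.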
46. Create an AppSec Pipeline and push visibility north
   Visibility

47. "I am a nice shark, not a mindless eating machine. If I am to change this image, I must first change myself. Fish are friends, not food." -Bruce, Chum and Anchor

48. "I am a nice security professional, not a mindless vulnerability spewing machine. If I am to change this image, I must first change myself. Developers are friends, not fools." -Bruce, Aaron and Matt

49. I'm with Bruce
   @BruceSecDevOps
   #BruceSecDevOpsTM

50. aaron.weaver@owasp.org / @weavera
   Aaron Weaver
   matt.tesauro@owasp.org / @matt_tesauro
   Matt Tesauro
   Questions & Thanks

51. References
   • Confused panda: https://openclipart.org/detail/69289/confusedpanda
   • Jousting Snails: a random twitter post I lost the URL for, sorry
   • Julius Caesar quote image: https://quotefancy.com/quote/1740243/Marcus-Junius-Brutus-the-Younger-I-have-not-come-to-praise-Caesar-but-to-bury-him
   • Map image: https://openclipart.org/detail/823/two-harbours-map
   • Roadmap quote: https://www.brainyquote.com/quotes/earl_nightingale_159044
   • Gandalf "Shall pass": https://shirt.woot.com/offers/halfling-height-requirement
   • Pixie dust: http://www.disneyeveryday.com/bottle-of-tinker-bells-pixie-dust-necklace/
   • Easy button: https://xposehope.com/2016/11/02/hit-the-easy-button/
   • Jar factory: https://www.youtube.com/watch?v=YVqiEMQ1HgA
   • Iceberg of Ignorance: https://corporate-rebels.com/iceberg-of-ignorance/