Are you currently running at AppSec program? AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you’re catching vulnerabilities as early and often as possible? The AppSec team and the business created an AppSec Pipeline to handle the work flow. The pipeline starts with “Bag of Holding”, an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place.

1. Aaron Weaver
Application Security Manager, Pearson plc
Building an AppSec Pipeline:
Keeping your program, and
your life, sane

2. 189 seconds is the average
time in a drive-thru

4. Instrumentation

5. Standardization of products and
processes.
A Big Mac is a Big Mac wherever you
purchase it in the U.S., and this emphasis
on reliable and highly standardized product
offerings, as well as uniform production
processes, is something fast-food
companies have perfected.
Source: ValueStreamGuru.com

6. A production process approach
Different work cells within an individual
restaurant combine to make the finished
product, allowing for maximum efficiency in
each work unit.
Source: ValueStreamGuru.com

7. A flexible and multi-skilled
workforce
Each employee specializing within a role but
also being trained to step into other areas
whenever needed.
Source: ValueStreamGuru.com

8. Lean production
Maximizes the use of a facility's space. Fast-
food kitchens are rarely large, but their
output is tremendous, meaning they get the
most from the limited space available.
Source: ValueStreamGuru.com

9. What would it look like if
AppSec ran fast food?

10. AppSec Pipeline

11. Your front door

13. minimal viable product
[MVP]
product

14. Polled the Team
?

15. Bag of Holding
(BoH)

16. What does BoH do?
• Manages our Application Security Program
• Application Repository
• Engagement Tracking
• Report Repository
• Comments on any application, engagement or activity
• Data Classification and PII data
• Time taken on secure software activities
• Historical knowledge of past assessments
• Credential repository
• Environment details

23. Length of Activities

24. 24

25. 25
Social, erm Yes.

26. 26

29. Security Tool Vendors: If I
can do it with the UI, I want
to do it with an API.
- Matt Tesauro

31. | Open Source
Orchestration
• Integrate Security Tools and Workflow
• Example:
• Generic API for dynamic scanning
• URL
• Credentials
• Profile
• Call any Dynamic Scanner:
• OWASP ZAP
• BurpSuite
• AppScan

33. Automate False
Positive Reduction
2+ 3+ 4+ 5+

34. 34
Scheduling Application
Assessments
• PCI every quarter
• Compliance policy requirement to manually
assess twice a year

35. Watch a
Code Branch
or the
doAuth()
method
Change
Exceeds
Threshold
Trigger a
Review
| Open Source
1 2 3
Automate Assessment Requests

38. Your command line where you have
your conversations.
Will Bot

39. AppSec Help

40. AppSec Advice

41. Threadfix Integration
And more:
• Create an Application
• Get Summary Metrics for
Application Program

42. Threadfix/Static
Integration

43. Go build.
Make it better.

44. Q&A
Thank you!

45. @weavera
aaron.weaver2@gmail.com
/in/aweaver

46. Photo Credits
• Chicago street photography - The One That Got Away
https://goo.gl/I6FLgl
• Silos
https://goo.gl/3g9M38
• Kid
https://goo.gl/NlwmBW
• Hipster
https://goo.gl/52VUyV
46