Building an AppSec Pipeline: Keeping your program, and your life, sane

4,441 views


Are you currently running an AppSec program? AppSec programs fall into an odd middle ground: highly technical interactions with the dev and ops teams, yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business, all while making sure you're catching vulnerabilities as early and often as possible?

The AppSec team and the business created an AppSec Pipeline to handle the workflow. The pipeline starts with "Bag of Holding", an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally, we incorporated a chatbot to tie all the information into one place.

Published in: Technology

  1. Aaron Weaver, Application Security Manager, Pearson plc. Building an AppSec Pipeline: Keeping your program, and your life, sane
  2. 189 seconds is the average time in a drive-thru
  3. Instrumentation
  4. Standardization of products and processes. A Big Mac is a Big Mac wherever you purchase it in the U.S., and this emphasis on reliable and highly standardized product offerings, as well as uniform production processes, is something fast-food companies have perfected. Source: ValueStreamGuru.com
  5. A production process approach. Different work cells within an individual restaurant combine to make the finished product, allowing for maximum efficiency in each work unit. Source: ValueStreamGuru.com
  6. A flexible and multi-skilled workforce. Each employee specializing within a role but also being trained to step into other areas whenever needed. Source: ValueStreamGuru.com
  7. Lean production. Maximizes the use of a facility's space. Fast-food kitchens are rarely large, but their output is tremendous, meaning they get the most from the limited space available. Source: ValueStreamGuru.com
  8. What would it look like if AppSec ran fast food?
  9. AppSec Pipeline
  10. Your front door
  11. Minimal viable product [MVP], product
  12. Polled the Team ?
  13. Bag of Holding (BoH)
  14. What does BoH do?
      • Manages our Application Security Program
      • Application Repository
      • Engagement Tracking
      • Report Repository
      • Comments on any application, engagement or activity
      • Data Classification and PII data
      • Time taken on secure software activities
      • Historical knowledge of past assessments
      • Credential repository
      • Environment details
  15. Length of Activities
  16. (no slide text)
  17. Social, erm Yes.
  18. (no slide text)
  19. Security Tool Vendors: If I can do it with the UI, I want to do it with an API. - Matt Tesauro
  20. Orchestration | Open Source
      • Integrate Security Tools and Workflow
      • Example: Generic API for dynamic scanning
        • URL
        • Credentials
        • Profile
      • Call any Dynamic Scanner:
        • OWASP ZAP
        • BurpSuite
        • AppScan
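The "generic API for dynamic scanning" on slide 20 boils down to one request shape (URL, credentials, profile) that any scanner adapter can accept, and one finding schema that every adapter must return. The following is an added example written for this transcript; it is not Bag of Holding's code, and the two adapters, their `PROFILES` maps and the native output they return are constructed stand-ins rather than the real ZAP, Burp Suite or AppScan interfaces. It also adds the scope check an orchestrator should do before handing a target to any tool: the hostname must belong to the engagement's application record.

```python
"""Added example (not from the deck or Bag of Holding): a generic dynamic-scan API.
One request shape (URL, credentials, profile) is dispatched to any registered
scanner adapter, and every adapter returns findings in one normalized schema.
The two adapters and their native output formats are constructed stand-ins,
not the real ZAP/Burp/AppScan interfaces."""
from dataclasses import dataclass
from typing import Dict, List, Type
from urllib.parse import urlparse

SEVERITIES = ("info", "low", "medium", "high", "critical")


@dataclass(frozen=True)
class ScanRequest:
    url: str
    credentials: Dict[str, str]     # handed to the adapter only; never logged or stored here
    profile: str                    # scanner-agnostic policy name, e.g. "authenticated-full"
    allowed_hosts: frozenset        # engagement scope taken from the application record


@dataclass(frozen=True)
class Finding:
    scanner: str
    title: str
    severity: str                   # always one of SEVERITIES
    url: str


class ScannerAdapter:
    """Contract every scanner plug-in implements: ScanRequest in, normalized Findings out."""
    name = "base"
    PROFILES: Dict[str, str] = {}   # generic profile name -> tool-specific policy id

    def policy_for(self, profile: str) -> str:
        if profile not in self.PROFILES:
            raise ValueError(f"{self.name} has no policy for profile {profile!r}")
        return self.PROFILES[profile]

    def scan(self, req: ScanRequest) -> List[Finding]:
        raise NotImplementedError


class AlphaScanner(ScannerAdapter):
    """Hypothetical tool whose native alerts carry numeric risk codes 0-3."""
    name = "alpha"
    PROFILES = {"quick": "baseline", "authenticated-full": "full-auth"}
    RISK = {0: "info", 1: "low", 2: "medium", 3: "high"}

    def scan(self, req):
        policy = self.policy_for(req.profile)
        native = self._run(req.url, policy, req.credentials)
        return [Finding(self.name, a["alert"], self.RISK[a["riskcode"]], a["uri"]) for a in native]

    def _run(self, url, policy, creds):
        # Constructed output standing in for the real tool invocation.
        return [{"alert": "X-Frame-Options header missing", "riskcode": 1, "uri": url},
                {"alert": "Reflected parameter in response", "riskcode": 2, "uri": url + "/search"}]


class BetaScanner(ScannerAdapter):
    """Hypothetical tool whose native issues carry upper-case severity words."""
    name = "beta"
    PROFILES = {"quick": "QUICK", "authenticated-full": "FULL"}

    def scan(self, req):
        policy = self.policy_for(req.profile)
        return [Finding(self.name, i["issue_name"], i["severity"].lower(), i["url"])
                for i in self._run(req.url, policy, req.credentials)]

    def _run(self, url, policy, creds):
        # Constructed output standing in for the real tool invocation.
        return [{"issue_name": "Cookie without Secure flag", "severity": "LOW", "url": url}]


REGISTRY: Dict[str, Type[ScannerAdapter]] = {c.name: c for c in (AlphaScanner, BetaScanner)}


def validate(req: ScanRequest) -> None:
    """Reject malformed targets and anything outside the engagement's scope."""
    parsed = urlparse(req.url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("url must be an absolute http(s) URL")
    if parsed.hostname not in req.allowed_hosts:
        raise ValueError(f"{parsed.hostname} is outside the engagement scope")


def run_scan(scanner: str, req: ScanRequest) -> List[Finding]:
    """The generic entry point: the same call regardless of which scanner runs."""
    validate(req)
    if scanner not in REGISTRY:
        raise KeyError(f"unknown scanner {scanner!r}; known: {sorted(REGISTRY)}")
    findings = REGISTRY[scanner]().scan(req)
    bad = [f for f in findings if f.severity not in SEVERITIES]
    if bad:
        raise ValueError(f"{scanner} returned non-normalized severities: {bad}")
    return findings
```

Adding a real scanner means writing one more `ScannerAdapter` subclass that maps the generic profile to that tool's policy and translates its report into `Finding`; callers, schedulers and the downstream findings store never change, which is the point of putting the generic API in front of the tools.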
  21. Automate False Positive Reduction: 2+ 3+ 4+ 5+
  22. Scheduling Application Assessments
      • PCI every quarter
      • Compliance policy requirement to manually assess twice a year
  23. Automate Assessment Requests | Open Source
      (1) Watch a code branch or the doAuth() method
      (2) Change exceeds threshold
      (3) Trigger a review
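Slide 23 describes two triggers for an automated assessment request: churn on a watched branch or path above a threshold, and any change to a specific method such as doAuth(). The following is an added example written for this transcript, not Bag of Holding's own code. It reads `git diff --numstat` output for the churn check and pulls the enclosing function name from the context git prints after each `@@` hunk header for the method check; the rules, numstat text and diff are constructed sample input.

```python
"""Added example (not from the deck or Bag of Holding): deciding when a code
change should trigger an assessment request. Two kinds of watch are supported:
churn on a path prefix above a threshold, and any change to a named method,
detected from the function context git prints in unified-diff hunk headers.
The rules, numstat and diff below are constructed sample input."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class WatchRule:
    path_prefix: str        # e.g. "src/auth/"
    threshold: int = 20     # added + deleted lines under the prefix that trigger a review
    symbol: str = ""        # optional method name; any change inside it triggers a review


def parse_numstat(text: str) -> Dict[str, int]:
    """Parse `git diff --numstat` output ("added<TAB>deleted<TAB>path") into per-path churn.
    Binary files show "-" for both counts and are skipped."""
    churn: Dict[str, int] = {}
    for line in text.strip().splitlines():
        added, deleted, path = line.split("\t")
        if added == "-" or deleted == "-":
            continue
        churn[path] = int(added) + int(deleted)
    return churn


HUNK_HEADER = re.compile(r"^@@ [^@]* @@ ?(.*)$", re.M)


def touched_symbols(unified_diff: str) -> Set[str]:
    """Collect function names from the context git appends to each @@ hunk header."""
    names = set()
    for m in HUNK_HEADER.finditer(unified_diff):
        fn = re.search(r"(\w+)\s*\(", m.group(1))
        if fn:
            names.add(fn.group(1))
    return names


def assessment_requests(rules: List[WatchRule], numstat_text: str,
                        unified_diff: str) -> List[Tuple[str, str]]:
    """Return (rule path prefix, reason) pairs for every rule whose condition is met."""
    churn = parse_numstat(numstat_text)
    symbols = touched_symbols(unified_diff)
    requests = []
    for rule in rules:
        total = sum(n for path, n in churn.items() if path.startswith(rule.path_prefix))
        if total >= rule.threshold:
            requests.append((rule.path_prefix, f"{total} changed lines >= threshold {rule.threshold}"))
        if rule.symbol and rule.symbol in symbols:
            requests.append((rule.path_prefix, f"{rule.symbol}() was modified"))
    return requests


# Constructed sample input: what a CI job could collect for one branch push.
SAMPLE_NUMSTAT = "18\t6\tsrc/auth/LoginService.java\n2\t0\tREADME.md\n-\t-\tdocs/logo.png\n"
SAMPLE_DIFF = """\
diff --git a/src/auth/LoginService.java b/src/auth/LoginService.java
--- a/src/auth/LoginService.java
+++ b/src/auth/LoginService.java
@@ -40,7 +40,9 @@ public boolean doAuth(String user, String password) {
-        return store.check(user, password);
+        if (lockout.isLocked(user)) {
+            return false;
+        }
+        return store.check(user, password);
"""
SAMPLE_RULES = [
    WatchRule("src/auth/", threshold=20),
    WatchRule("src/auth/", threshold=1000, symbol="doAuth"),
    WatchRule("src/payments/", threshold=5),
]

if __name__ == "__main__":
    for prefix, reason in assessment_requests(SAMPLE_RULES, SAMPLE_NUMSTAT, SAMPLE_DIFF):
        print(f"review requested for {prefix}: {reason}")
```

The hunk-header check is deliberately cheap: it only knows a watched method was touched, not how much, which is enough to open an engagement in the tracking system and let a human decide the depth of the review. Keeping the threshold per rule lets a sensitive area such as authentication trigger on far smaller changes than the rest of the code base.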
  24. Your command line where you have your conversations. Will Bot
  25. AppSec Help
  26. AppSec Advice
  27. Threadfix Integration. And more:
      • Create an Application
      • Get Summary Metrics for Application Program
  28. Threadfix/Static Integration
  29. Go build. Make it better.
  30. Q&A. Thank you!
  31. @weavera aaron.weaver2@gmail.com /in/aweaver
  32. Photo Credits
      • Chicago street photography - The One That Got Away https://goo.gl/I6FLgl
      • Silos https://goo.gl/3g9M38
      • Kid https://goo.gl/NlwmBW
      • Hipster https://goo.gl/52VUyV
