AppSec++: Taking the best of Agile, DevOps, and CI/CD into your AppSec Program
Hello!
I am Matt Tesauro
I think AppSec needs to change
And I’m going to tell you how
[email protected] / @matt_tesauro
Custom Coachwork and Bespoke AppSec
Who is This Guy?
The Phoenix Project: The 3 Ways of DevOps
#1 Workflow
Look at your purpose and those processes which aid it
AppSec Pipelines
Using CI/CD as inspiration, figure out your AppSec workflow
Custom Made
With finite options
Key Features of AppSec Pipelines
◈ Designed for iterative improvement
◈ Provides a reusable path for AppSec activities to follow
◈ Provides a consistent process for both the team and our constituency
◈ One-way flow with well-defined states
◈ Relies heavily on automation
◈ Grows in functionality organically over time
◈ Gracefully interconnects with the development process
Pearson’s AppSec Pipeline
Pearson’s AppSec Pipeline (diagram: the DevOps Pipeline shown alongside the AppSec Pipeline)
“Spending time optimizing anything other than the critical resource is an illusion.”
W. Edwards Deming
Key Goals of AppSec Pipelines
◈ Optimize the critical resource - AppSec personnel
  Automate the things that don’t require a human brain
  Drive up consistency
  Increase tracking of work status
  Increase flow through the system
  Increase visibility and metrics
  Reduce any dev team friction with application security
Why we like AppSec Pipelines
◈ Allow us to have visibility into WIP
  Better understand/track/optimize flow of engagements
  Average static test takes ...
◈ Great increase in consistency
  Each step has a well-defined interface
◈ Easier moving of engagements between staff
  Knowing who has what allows for more informed “cost of switching” conversations
◈ Flexible enough for a range of skills and app maturity
What can an AppSec Pipeline do for you?
2014
◈ 44 assessments
2015
◈ ~200 assessments
~5x increase
Changes from 2014 to 2015:
- Created the AppSec Pipeline - initial launch in March 2015
- AppSec team numbers dropped - lost a couple of key people, approx. 3.5 FTEs
- Two of the AppSec team members went meta for most of 2015
#2 Improve Feedback
Open yourself up to upstream and downstream information
A call to action...
AppSec Chat Ops
Making chat the way you do security
Advice for Devs - 24x7
FYI: You’re being attacked
CAMS / CALMS
◈ Culture, Automation, Measurement, Sharing
  CALMS = CAMS + Lean
◈ Measurement = Metrics => Visibility
◈ Automate the drudgery
  Allows meaningful personal interactions
◈ What would you want if you were the dev you’re talking to?
#3 Continual Experimentation and Learning
Create a culture of innovation and experimentation
What’s next?
Experiments in AppSec Pipelines
Weaponizing Jenkins
◈ Zero false positives
  Anaphylactic shock
◈ Health Checks vs Scanning
  Run these all the time
◈ Home of specific issue tests
  Find a vuln, write a test
◈ Cadence for longer running tests
  These NEVER break the build
  Every X builds or every Y days
Scaling with Docker Containers
```shell
docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
```
Docker Security Tool Launch (Python, Go)
(diagram: the launcher starts ZAP and Nikto containers, returns the ZAP IP, runs the scan, and pushes the results to S3)
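An added example, not code from the slides or from the presenters' projects, that ties the “Weaponizing Jenkins” rules to the container launch shown above: health checks run on every build and may fail it, longer-running scans run on a build or day cadence and never break the build, and a specific-issue test stands in for “find a vuln, write a test”. The stage names, the cookie check and the `--rm` flag are assumptions; the image name and the run.sh path are taken from the slide's docker command.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Stage:
    name: str
    command: str           # tool command that run.sh executes in the container
    health_check: bool     # fast, zero-false-positive test; may fail the build
    every_builds: int = 0  # long-running scan cadence: every N builds (0 = off)
    every_days: int = 0    # long-running scan cadence: every D days (0 = off)

# Constructed stages (not from the slides): a fast check and a Nikto scan.
STAGES = [Stage("cookie-check", "", True),
          Stage("nikto", "nikto -h localhost -T 58", False, 50, 7)]

def docker_argv(stage: Stage, results_file: str) -> list:
    """argv for the launch pattern on the slides: the kali-pipeline image's
    run.sh takes the tool command string and an output file name."""
    return ["docker", "run", "--rm", "--name", f"pipeline-{stage.name}",
            "kali-pipeline", "/bin/bash", "/usr/local/bin/run.sh",
            stage.command, results_file]

def is_due(stage: Stage, build: int, last_run: Optional[datetime],
           now: datetime) -> bool:
    """Health checks run every build; a long-running scan runs when the build
    number hits its N-build cadence or D days have passed since its last run."""
    if stage.health_check:
        return True
    by_builds = stage.every_builds > 0 and build % stage.every_builds == 0
    by_days = stage.every_days > 0 and (
        last_run is None or now - last_run >= timedelta(days=stage.every_days))
    return by_builds or by_days

def verdict(stage: Stage, findings: list) -> str:
    """Only a health check may break the build; scan findings are just reported."""
    if stage.health_check:
        return "FAIL" if findings else "PASS"
    return "REPORT"

def session_cookie_check(headers: dict) -> list:
    """'Find a vuln, write a test': a health check that a fixed issue stays
    fixed, here that every Set-Cookie value carries HttpOnly and Secure."""
    findings = []
    for cookie in headers.get("Set-Cookie", []):   # list of raw header values
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"{name} missing {flag}")
    return findings
```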
Benefits
◈ Effectively scales
◈ Build security tools once, run anywhere
◈ Ease of deployment
Pull in or scale out, your choice
◈ Pull in Docker containers (ZAP, Nikto) to your build server
◈ Scale out to Docker Swarm (ZAP, Nikto)
AppSec Pipeline for Open Source
Jenkins Pipeline
Pipeline as Code
OWASP’s AppSec Pipeline for Projects
◈ Create an AppSec Pipeline of OWASP Projects to assess OWASP Projects
  Use OWASP ZAP to scan OWASP Security Shepherd and store the results in OWASP Defect Dojo
Thanks!
Any questions?
Aaron Weaver: @weavera / /in/aweaver / github.com/aaronweaver
Matt Tesauro: @matt_tesauro / /in/matttesauro / github.com/mtesauro
Credits
Special thanks to all the people who made and released these awesome resources for free:
◈ Presentation template by SlidesCarnival
◈ Photographs by Unsplash
◈ Backgrounds by SubtlePatterns