Building an AppSec Pipeline: Keeping your program, and your life, sane
Aaron Weaver
Application Security Manager, Pearson plc
189 seconds is the average time in a drive-thru
Instrumentation
Standardization of products and processes.
A Big Mac is a Big Mac wherever you purchase it in the U.S., and this emphasis on reliable and highly standardized product offerings, as well as uniform production processes, is something fast-food companies have perfected.
Source: ValueStreamGuru.com
A production process approach
Different work cells within an individual restaurant combine to make the finished product, allowing for maximum efficiency in each work unit.
Source: ValueStreamGuru.com
A flexible and multi-skilled workforce
Each employee specializing within a role but also being trained to step into other areas whenever needed.
Source: ValueStreamGuru.com
Lean production
Maximizes the use of a facility's space. Fast-food kitchens are rarely large, but their output is tremendous, meaning they get the most from the limited space available.
Source: ValueStreamGuru.com
What would it look like if AppSec ran fast food?
AppSec Pipeline
Your front door
Minimal viable product [MVP]
Polled the Team
?
Bag of Holding (BoH)
What does BoH do?
• Manages our Application Security Program
• Application Repository
• Engagement Tracking
• Report Repository
• Comments on any application, engagement or activity
• Data Classification and PII data
• Time taken on secure software activities
• Historical knowledge of past assessments
• Credential repository
• Environment details
Length of Activities
Social, erm Yes.
Security Tool Vendors: If I can do it with the UI, I want to do it with an API.
- Matt Tesauro
Open Source
Orchestration
• Integrate Security Tools and Workflow
• Example: Generic API for dynamic scanning
  • URL
  • Credentials
  • Profile
• Call any Dynamic Scanner:
  • OWASP ZAP
  • BurpSuite
  • AppScan
Automate False Positive Reduction
2+ 3+ 4+ 5+
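The 2+ / 3+ / 4+ / 5+ scale on this slide can be read as ranking a finding by how many independent scanners report it, which is one practical way to automate false positive reduction. The Python below is an added example, not code from the talk or from Bag of Holding; the finding fields, scanner names and sample findings are constructed, and treating the scale as tool-concurrence buckets is an assumption.

```python
# Added example (not from the talk or Bag of Holding): rank scanner findings by
# how many independent tools agree, so single-tool hits are reviewed first for
# false positives. Finding fields and the sample data are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed scanner output, already normalised to one shape
FINDINGS = [
    {"tool": "zap",     "cwe": 79, "url": "https://app.example/search?q=1", "param": "q"},
    {"tool": "burp",    "cwe": 79, "url": "https://app.example/search",     "param": "Q"},
    {"tool": "appscan", "cwe": 79, "url": "https://app.example/search/",    "param": "q"},
    {"tool": "zap",     "cwe": 79, "url": "https://app.example/search",     "param": "q"},
    {"tool": "zap",     "cwe": 89, "url": "https://app.example/item?id=2",  "param": "id"},
    {"tool": "burp",    "cwe": 89, "url": "https://app.example/item",       "param": "id"},
    {"tool": "appscan", "cwe": 22, "url": "https://app.example/download",   "param": "file"},
]

def finding_key(f):
    """Collapse a finding to (CWE, host, path, parameter) so the same weakness
    reported by different tools with different query strings or case matches."""
    u = urlsplit(f["url"])
    return (f["cwe"], u.netloc.lower(), u.path.rstrip("/") or "/", f["param"].lower())

def correlate(findings):
    """Map each unique weakness to the sorted list of tools that reported it."""
    tools = defaultdict(set)
    for f in findings:
        tools[finding_key(f)].add(f["tool"])
    return {k: sorted(v) for k, v in tools.items()}

def bucket(n_tools):
    """Agreement bucket in the slide's 2+/3+/4+/5+ style; one tool is unconfirmed."""
    return "single-tool" if n_tools < 2 else f"{min(n_tools, 5)}+"

def triage(findings):
    """One row per unique weakness, most-agreed first; the same tool reporting
    the same issue twice does not raise the count."""
    rows = [{"key": k, "tools": t, "bucket": bucket(len(t))}
            for k, t in correlate(findings).items()]
    rows.sort(key=lambda r: (-len(r["tools"]), r["key"]))
    return rows

if __name__ == "__main__":
    for r in triage(FINDINGS):
        print(r["bucket"], r["key"], r["tools"])
```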
Scheduling Application Assessments
• PCI every quarter
• Compliance policy requirement to manually assess twice a year
Automate Assessment Requests
1. Watch a Code Branch or the doAuth() method
2. Change Exceeds Threshold
3. Trigger a Review
Open Source
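The three steps on this slide (watch a branch or one sensitive method, compare the change against a threshold, trigger a review) as an added example in Python; this is not code from the talk or its tooling. The unified diff, the watched path, the doAuth symbol rule and the line threshold are constructed, and the symbol check relies on git having placed the enclosing function name on the @@ hunk line, which it does when it can detect the function for that file type.

```python
# Added example (not from the talk or its tooling): decide whether a change on a
# watched branch should open an assessment request. The diff, watched paths,
# the doAuth symbol and the threshold are constructed for illustration.
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@(?P<ctx>.*)$")

# Constructed unified diff; the @@ context assumes git detected the function name
SAMPLE_DIFF = """\
diff --git a/src/auth/Login.java b/src/auth/Login.java
--- a/src/auth/Login.java
+++ b/src/auth/Login.java
@@ -40,0 +41,3 @@ public boolean doAuth(String user, String pw)
+        if (user == null) {
+            return false;
+        }
diff --git a/src/ui/Banner.java b/src/ui/Banner.java
--- a/src/ui/Banner.java
+++ b/src/ui/Banner.java
@@ -5 +5 @@ public class Banner
-    String text = "Hello";
+    String text = "Hi";
"""

def parse_diff(diff_text):
    """Per file: number of +/- lines and the function contexts on its @@ lines."""
    files, current = {}, None
    for line in diff_text.splitlines():
        if line.startswith("+++ b/"):
            current = files.setdefault(line[6:], {"changed": 0, "contexts": []})
            continue
        if current is None:
            continue
        m = HUNK_RE.match(line)
        if m:
            current["contexts"].append(m.group("ctx").strip())
        elif line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            current["changed"] += 1
    return files

def review_triggers(diff_text, watched_paths, watched_symbols, threshold):
    """A watched symbol triggers at any size; a watched path only above threshold."""
    triggers = []
    for path, info in parse_diff(diff_text).items():
        hit = sorted(s for s in watched_symbols if any(s in c for c in info["contexts"]))
        if hit:
            triggers.append({"path": path, "reason": "touches " + ", ".join(hit)})
        elif any(path.startswith(p) for p in watched_paths) and info["changed"] > threshold:
            triggers.append({"path": path, "reason": f"{info['changed']} lines changed"})
    return triggers
```

Each returned trigger is what the pipeline would post to the tracking system (Bag of Holding in the talk) as a new assessment request.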
Your command line where you have your conversations.
Will Bot
AppSec Help
AppSec Advice
Threadfix Integration
And more:
• Create an Application
• Get Summary Metrics for Application Program
Threadfix/Static Integration
Go build. Make it better.
Q&A
Thank you!
Photo Credits
• Chicago street photography - The One That Got Away https://goo.gl/I6FLgl
• Silos https://goo.gl/3g9M38
• Kid https://goo.gl/NlwmBW
• Hipster https://goo.gl/52VUyV