Building a Secure DevOps Pipeline
(for your AppSec Program)
Aaron Weaver
Matt Tesauro
AppSec USA 2017
Hello!
I am Aaron Weaver
All around good guy and craftsman of wood and coffee
aaron@sec.training / @weavera
Hello!
I am Matt Tesauro
I think AppSec needs to change and
I’m going to tell you how I see it changing
matt.tesauro@owasp.org / @matt_tesauro
AppSec
Evolution
✣ Radically changed travel in the US
✣ Travel time across the US
Pre-train: 6 months + $1,000
Post-train: 1 week + $150
✣ Towns that had a stop prospered
Those that didn't faded away
The Iron Horse Straddles
America
Trains == Change
✣ Changed the landscape for better or
worse
The US ‘got smaller’ - travel was in reach
Expanded markets, more customers
‘Cost’ of going west went way down
Trains <==> DevOps
✣ Changed the landscape for better or
worse
DevOps changed IT for better or worse
The US ‘got smaller’ - travel was in reach
Batch / change size got smaller (CI/CD)
Expanded markets, more customers
Increased agility, more customers
’Cost’ of going west went way down
Cost of experiments goes way down
When will we see this?
DevOps AppSec
Genus: Pipeline
Species: AppSec
A new evolution of AppSec
AppSec Pipelines
Using CI/CD as inspiration,
figure out your AppSec workflow
Key Features of
AppSec Pipelines
✣ Designed for iterative improvement
✣ Provides a reusable path for AppSec activities
✣ Provides a consistent process for both the team
and our constituency
✣ One way flow with well-defined states
✣ Relies heavily on automation
✣ Grow in functionality organically over time
✣ Gracefully interconnects with the development
process
What we want is
à la carte
- just with a limited
number of choices
Pipeline
Gen 1 Pipelines
Look at your team's purpose
and those processes
which aid it
Spending time optimizing
anything other than
the critical resource is an
illusion.
W. Edwards Deming
AppSec Personnel
✣ They are the critical resource
- optimize their work
Automate the things that don’t require a human brain
Drive up consistency
Increase tracking of work status
Increase flow through the system
Increase visibility and metrics
Reduce any dev team friction with application security
Gen 1: Inside out focused AppSec
Then,
once your house
is in order...
Gen 2 Pipelines
Look outside your team's
purpose and those
processes which aid it
DevOps Pipeline AppSec Pipeline
Integrate with Dev & Ops teams
Weaponizing Jenkins
✣ Zero false positives
Anaphylactic shock
✣ Health Checks vs Scanning
Run these all the time
✣ Home of specific issue tests
Find a vuln, write a test
✣ Cadence for longer running tests
These NEVER break the build
Every X builds or every Y days
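The split the slide describes, fast zero-false-positive checks that gate the build versus longer scans that run on a cadence and never break it, as an added example (not code from the presenters). The header checks, the "long scan" stand-in and the cadence values are constructed for illustration; a real pipeline would call a real scanner in place of `long_scan`.

```python
"""Added example: blocking health checks vs. cadence-gated advisory scans."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# A check receives the response headers of the deployed app (constructed
# sample data, no network) and returns a list of problems; empty means pass.
Check = Callable[[Dict[str, str]], List[str]]


@dataclass
class CheckSpec:
    name: str
    func: Check
    blocking: bool            # True: fails the build. False: advisory only.
    every_n_builds: int = 1   # cadence for long-running advisory checks
    every_n_days: int = 0     # 0 = no day-based cadence


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def hsts_present(headers: Dict[str, str]) -> List[str]:
    # Deterministic and cheap: a good candidate for breaking the build.
    return [] if "strict-transport-security" in _lower(headers) else ["missing HSTS header"]


def no_server_banner(headers: Dict[str, str]) -> List[str]:
    server = _lower(headers).get("server", "")
    return [f"server banner leaks version: {server}"] if any(c.isdigit() for c in server) else []


def long_scan(headers: Dict[str, str]) -> List[str]:
    # Stand-in for a slow, noisier scanner (ZAP/Nikto class): advisory only.
    return ["advisory: review cookie attributes"] if "set-cookie" in _lower(headers) else []


CHECKS = [
    CheckSpec("hsts", hsts_present, blocking=True),
    CheckSpec("server-banner", no_server_banner, blocking=True),
    CheckSpec("nightly-scan", long_scan, blocking=False, every_n_builds=10, every_n_days=1),
]


def due(spec: CheckSpec, build_number: int, today: date, last_run: Optional[date]) -> bool:
    """Blocking checks run every build; advisory ones every X builds or every Y days."""
    if spec.blocking:
        return True
    if build_number % spec.every_n_builds == 0:
        return True
    if spec.every_n_days and (last_run is None or today - last_run >= timedelta(days=spec.every_n_days)):
        return True
    return False


def run_pipeline(headers: Dict[str, str], build_number: int, today: str,
                 last_run: Optional[str] = None, checks=CHECKS) -> dict:
    """Run due checks; only blocking failures flip build_ok to False."""
    today_d = date.fromisoformat(today)
    last_d = date.fromisoformat(last_run) if last_run else None
    report = {"build_ok": True, "blocking": {}, "advisory": {}, "skipped": []}
    for spec in checks:
        if not due(spec, build_number, today_d, last_d):
            report["skipped"].append(spec.name)
            continue
        problems = spec.func(headers)
        report["blocking" if spec.blocking else "advisory"][spec.name] = problems
        if spec.blocking and problems:
            report["build_ok"] = False
    return report


if __name__ == "__main__":
    sample = {"Server": "Apache/2.4.7", "Set-Cookie": "sid=abc"}  # constructed
    print(run_pipeline(sample, build_number=10, today="2017-09-21", last_run="2017-09-20"))
```

The advisory bucket is reported but never consulted for `build_ok`, which is the "these NEVER break the build" rule made explicit in code rather than left to convention.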
OWASP & AppSec Pipelines
OWASP Defect Dojo
✣ Single source of truth for findings
✣ AppSec Programs, QA, Pen Testers
Custom report generation
Metrics and Dashboards
App & Infrastructure findings supported
✣ New-ish OWASP Project
Code base is 3+ years - started at Rackspace
✣ Community and contributor friendly
Bugs triaged, verified and fixed quickly
11 contributors from multiple companies
✣ Github: 262 stars, 106 forks, 199 watchers
Species: AppSec
Family: Automation
Evolving AppSec faster
What went hand in
hand with the
transcontinental
railroad expansion?
The Telegraph
Telegraph | Automation
✣ Sped up signaling and communication
Enhanced benefits of easier travel
Followed the existing tracks
✣ Linked cities using a standard protocol
Morse code
Telegraph | Automation
✣ Sped up routine tasks
Enhances benefits of existing AppSec Pipeline
Follows the same path aka consistent
✣ Links software using a standard protocol
HTTP / REST
A call to action...
AppSec
Chat Ops
Making chat the way
you do security
FYI: You’re being attacked
FYI: You’re being blocked
Advice for Devs - 24x7
Static Analysis Integration
Recurring static analysis in about 10 minutes!
Scaling with
Docker
Containers
docker run -it --name kali-pipeline kali-pipeline /bin/bash \
    /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
Docker Security
Tool Launch
(python, Go)
ZAP
Nikto
Return ZAP IP
Run Scan, Push
Results to S3
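The "tool launch" step sketched above (start a scanner container, read back its IP so later stages can reach it, name the results object for S3), as an added Python example that is not the presenters' launcher. The image names, commands and the `DryRunner` replies are assumptions constructed for the example; the `docker run` / `docker inspect` invocations are real CLI usage.

```python
"""Added example: launching scanner containers from Python without a shell."""
import json
import subprocess
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

Runner = Callable[[List[str]], str]


def real_runner(argv: List[str]) -> str:
    # argv list, never a shell string: a target URL or job id can't inject shell syntax.
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


# Hypothetical image names/commands; substitute the images your team builds.
TOOLS: Dict[str, List[str]] = {
    "zap":   ["owasp/zap2docker-stable", "zap-baseline.py", "-t"],
    "nikto": ["example/kali-pipeline", "nikto", "-h"],
}


class DryRunner:
    """Records the commands instead of executing them; canned replies per docker subcommand."""
    def __init__(self, replies: Dict[str, str]):
        self.replies = replies
        self.calls: List[List[str]] = []

    def __call__(self, argv: List[str]) -> str:
        self.calls.append(argv)
        return self.replies[argv[1]]


def launch(tool: str, target: str, job_id: str, runner: Runner = real_runner) -> Tuple[str, str]:
    """Start the tool detached; returns (container name, container id)."""
    if not job_id.isalnum():
        raise ValueError("job_id must be alphanumeric (it becomes the container name)")
    image, *cmd = TOOLS[tool]
    name = f"{tool}-{job_id}"
    container_id = runner(["docker", "run", "-d", "--name", name, image, *cmd, target]).strip()
    return name, container_id


def container_ip(name: str, runner: Runner = real_runner) -> str:
    """Read the container's IP (e.g. ZAP's, so tests can use it as a proxy)."""
    out = runner(["docker", "inspect", "-f", "{{json .NetworkSettings.Networks}}", name])
    nets = json.loads(out)
    ips = [n["IPAddress"] for n in nets.values() if n.get("IPAddress")]
    if not ips:
        raise RuntimeError(f"no IP address for container {name}")
    return ips[0]


def results_key(tool: str, job_id: str, when: Optional[str] = None) -> str:
    """Deterministic S3 object key for the scan output (date-partitioned)."""
    ts = datetime.fromisoformat(when) if when else datetime.now(timezone.utc)
    return f"scans/{tool}/{ts:%Y/%m/%d}/{job_id}.txt"


if __name__ == "__main__":
    dry = DryRunner({"run": "abc123\n",
                     "inspect": '{"bridge": {"IPAddress": "172.17.0.2"}}'})  # constructed
    name, cid = launch("zap", "http://app.internal:8080", "42", runner=dry)
    print(name, cid, container_ip(name, runner=dry), results_key("zap", "42"))
```

Injecting the runner keeps the launcher testable in CI without a Docker daemon, and the argv-only interface is the one security-relevant design choice: tool names and targets coming from a job definition never reach a shell.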
Benefits
✣ Effectively Scales
✣ Build security tools once,
run anywhere
✣ Ease of deployment
Pull in or scale out,
your choice
Pull in Docker containers
to your build server
ZAP
Nikto
Scale out to Docker Swarm
ZAP
Nikto
Jenkins Pipeline
Pipeline as Code
Conduct your own
AppSec Pipeline Experiment
Come down out of the
traditional AppSec trees
Pick a language
✣ To do AppSec well, you need to know
something about coding
✣ Don’t care what language, pick one
and start hacking away
✣ Most Pipeline code is glue code
- l33t algorithms need not apply
Case Studies
AppSec Pipeline - Company #1
✣ Security Findings
Turn each into a self-contained test
✣ Add those tests to Jenkins
Run hourly or at least daily
Turn green when they are fixed
✣ Tied alerts / Chat ops to those tests
Let them tell you when they are fixed
✣ Developer knows release X fixed finding Y
Bonus points for connecting Jenkins test passing to
closing Jira bug
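The Company #1 workflow above (each finding becomes a self-contained test, the tests run on a schedule, chat ops announces when they turn green, and the linked Jira bug is closed), as an added example that is not the company's or the presenters' code. Finding ids, ticket keys, endpoints and HTTP responses are constructed; the chat and Jira steps are returned as actions for a real integration to send.

```python
"""Added example: security findings as regression tests with alert/ticket actions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for an HTTP response: {"status": int, "headers": {...}, "body": str}
Response = Dict[str, object]


@dataclass(frozen=True)
class FindingTest:
    finding_id: str                      # constructed id, e.g. "F-101"
    ticket: str                          # constructed Jira key opened for the finding
    description: str
    fixed: Callable[[Response], bool]    # True when the finding no longer reproduces


def no_directory_listing(resp: Response) -> bool:
    return not (resp["status"] == 200 and "Index of /" in str(resp["body"]))


def cookies_httponly(resp: Response) -> bool:
    cookies = [v for k, v in resp["headers"].items() if k.lower() == "set-cookie"]
    return all("httponly" in c.lower() for c in cookies)


TESTS = [
    FindingTest("F-101", "SEC-42", "directory listing on /uploads/", no_directory_listing),
    FindingTest("F-102", "SEC-43", "session cookie missing HttpOnly", cookies_httponly),
]


def run_tests(responses: Dict[str, Response], tests=TESTS) -> Dict[str, str]:
    """responses: finding_id -> Response. Returns finding_id -> 'green' | 'red'."""
    return {t.finding_id: ("green" if t.fixed(responses[t.finding_id]) else "red") for t in tests}


def diff_runs(previous: Dict[str, str], current: Dict[str, str], tests=TESTS) -> List[Tuple[str, str]]:
    """State transitions drive the alerts: red -> green means release fixed it
    (tell the dev, close the ticket); green -> red is a regression."""
    by_id = {t.finding_id: t for t in tests}
    actions: List[Tuple[str, str]] = []
    for fid, state in current.items():
        before = previous.get(fid, "red")   # an unseen finding starts red
        if before == "red" and state == "green":
            actions.append(("chat", f"{fid} fixed: {by_id[fid].description}"))
            actions.append(("jira_close", by_id[fid].ticket))
        elif before == "green" and state == "red":
            actions.append(("chat", f"REGRESSION {fid}: {by_id[fid].description}"))
    return actions


if __name__ == "__main__":
    # Constructed responses for two consecutive runs (before and after a release).
    run1 = run_tests({
        "F-101": {"status": 200, "headers": {}, "body": "<title>Index of /uploads</title>"},
        "F-102": {"status": 200, "headers": {"Set-Cookie": "sid=1; HttpOnly; Secure"}, "body": ""},
    })
    run2 = run_tests({
        "F-101": {"status": 403, "headers": {}, "body": "Forbidden"},
        "F-102": {"status": 200, "headers": {"Set-Cookie": "sid=1; HttpOnly; Secure"}, "body": ""},
    })
    print(run1, run2, diff_runs(run1, run2))
```

Each test is deliberately narrow (one finding, one deterministic condition) so it belongs in the zero-false-positive tier that can run hourly; the state diff, not the raw result, is what gets wired to chat and the ticket system, so a fix is announced once rather than every run.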
✣ 2 FTEs assessed 35 Apps in year 1
2014
✣ 44 assessments
~5x increase
2015
✣ ~200 assessments
Changes from 2014 to 2015:
- Created the AppSec Pipeline - initial launch in March 2015
- AppSec team numbers dropped
- lost a couple of key people approx 3.5 FTEs
- Two of the AppSec team members went meta for most of 2015
Company #2
2015
✣ ~200 assessments
~2x increase
2016
✣ 414 assessments
Changes from 2015 to 2016:
- Lost 2 key FTE engineers
- AppSec team numbers dropped
- not every vacant FTE position was filled
Company #2
2014
✣ 44 assessments
9.4x
increase
2016
✣ 414 assessments
Things to remember
- Year 1 may go slow - you need to build a solid foundation
- Get your house in order, THEN reach out to other teams
- Divide tests into
- Quick, low false-positive - these go into CI/CD
- Longer, less accurate tests
Company #2
“I am a nice shark, not a mindless
eating machine. If I am to change this
image, I must first change myself. Fish
are friends, not food.”
-Bruce, Chum and Anchor
“I am a nice security professional,
not a mindless vulnerability spewing
machine. If I am to change this image,
I must first change myself.
Developers are friends, not fools.”
-Bruce, Aaron and Matt
I’m with Bruce
@BruceSecDevOps
#BruceSecDevOpsTM
Thanks!
Any questions?
Aaron Weaver
@weavera
aaron@sec.training
/in/aweaver
github.com/aaronweaver
Matt Tesauro
@matt_tesauro
matt.tesauro@owasp.org
/in/matttesauro
github.com/mtesauro
References
Presentation template:
http://www.slidescarnival.com/dolabella-free-presentation-template/840
Black and White train image (original)
https://www.youtube.com/watch?v=-80sFvilSXs
Train/Transport facts from:
https://gtgtechnologygroup.com/transcontinental-railroad/
https://www.thoughtco.com/effect-of-railroads-on-the-united-states-104724
http://www.american-rails.com/transcontinental.html
Meeting of the railroads image (original) public domain image at
https://www.thoughtco.com/effect-of-railroads-on-the-united-states-104724
Model Train cars (original)
https://www.pinterest.com/njaredmartin99/trains/
What color is your parachute (original)
http://earthconservant.com/100-ways-earthfit-day-37-color-parachute/
Telegraph poles by a railroad picture (original)
https://www.pinterest.com/pin/412360909600598272/
Telegraph key
https://openclipart.org/detail/188507/telegraph-key
Credits
Special thanks to all the people who made and
released these awesome resources for free:
✣ Presentation template by SlidesCarnival
✣ Photographs by Unsplash
✣ Paper texture by GraphicBurguer

Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 

Recently uploaded (20)

JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

Building a Secure DevOps Pipeline - for your AppSec Program

  • 1. Building a Secure DevOps Pipeline (for your AppSec Program)
    Aaron Weaver, Matt Tesauro
    AppSec USA 2017
  • 2. Building a Secure DevOps Pipeline (for your AppSec program)
    Matt Tesauro, Aaron Weaver
    AppSec USA 2017
  • 3. Hello! I am Aaron Weaver
    All around good guy and craftsman of wood and coffee
    aaron@sec.training / @weavera
  • 4. Hello! I am Matt Tesauro
    I think AppSec needs to change and I’m going to tell you how I see it changing
    matt.tesauro@owasp.org / @matt_tesauro
  • 6.
  • 7. The Iron Horse Straddles America
    ✣ Radically changed travel in the US
    ✣ Travel time across the US
      Pre-train: 6 months + $1,000
      Post-train: 1 week + $150
    ✣ Towns that had a stop prospered
      Those that didn’t faded away
  • 8. Trains == Change
    ✣ Changed the landscape for better or worse
      The US ‘got smaller’ - travel was in reach
      Expanded markets, more customers
      ‘Cost’ of going west went way down
  • 9. Trains <==> DevOps
    ✣ Changed the landscape for better or worse
        DevOps changed IT for better or worse
      The US ‘got smaller’ - travel was in reach
        Batch / change size got smaller (CI/CD)
      Expanded markets, more customers
        Increased agility, more customers
      ‘Cost’ of going west went way down
        Cost of experiments goes way down
  • 10. When will we see this? (DevOps / AppSec)
  • 11. Genus: Pipeline
    Species: AppSec
    A new evolution of AppSec
  • 12. AppSec Pipelines
    Using CI/CD as inspiration, figure out your AppSec workflow
  • 13. Key Features of AppSec Pipelines
    ✣ Designed for iterative improvement
    ✣ Provides a reusable path for AppSec activities
    ✣ Provides a consistent process for both the team and our constituency
    ✣ One-way flow with well-defined states
    ✣ Relies heavily on automation
    ✣ Grows in functionality organically over time
    ✣ Gracefully interconnects with the development process
  • 14.
  • 15. What we want is à la carte - just with a limited number of choices
  • 17. Gen 1 Pipelines
    Look at your team's purpose and those processes which aid it
  • 18. “Spending time optimizing anything other than the critical resource is an illusion.” - W. Edwards Deming
  • 19. AppSec Personnel
    ✣ They are the critical resource - optimize their work
      Automate the things that don’t require a human brain
      Drive up consistency
      Increase tracking of work status
      Increase flow through the system
      Increase visibility and metrics
      Reduce any dev team friction with application security
  • 20. Gen 1: Inside-out focused AppSec
  • 22. Gen 2 Pipelines
    Look outside your team's purpose and those processes which aid it
  • 23. DevOps Pipeline + AppSec Pipeline
    Integrate with Dev & Ops teams
  • 24. Weaponizing Jenkins
    ✣ Zero false positives
      Anaphylactic shock
    ✣ Health checks vs scanning
      Run these all the time
    ✣ Home of specific issue tests
      Find a vuln, write a test
    ✣ Cadence for longer-running tests
      These NEVER break the build
      Every X builds or every Y days
  • 25. OWASP & AppSec Pipelines
  • 26. OWASP Defect Dojo
    ✣ Single source of truth for findings
    ✣ AppSec programs, QA, pen testers
      Custom report generation
      Metrics and dashboards
      App & infrastructure findings supported
    ✣ New-ish OWASP project
      Code base is 3+ years old - started at Rackspace
    ✣ Community and contributor friendly
      Bugs triaged, verified and fixed quickly
      11 contributors from multiple companies
    ✣ GitHub: 262 stars, 106 forks, 199 watchers
  • 28. What went hand in hand with the transcontinental railroad expansion?
  • 30. Telegraph | Automation
    ✣ Sped up signaling and communication
      Enhanced benefits of easier travel
      Followed the existing tracks
    ✣ Linked cities using a standard protocol
      Morse code
  • 31. Telegraph | Automation
    ✣ Speeds up routine tasks
      Enhances benefits of the existing AppSec Pipeline
      Follows the same path, aka consistent
    ✣ Links software using a standard protocol
      HTTP / REST
  • 32. A call to action...
  • 33. AppSec Chat Ops
    Making chat the way you do security
  • 36. Advice for Devs - 24x7
  • 37. Static Analysis Integration
    Recurring static analysis in about 10 minutes!
  • 39. docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
  • 40. Docker Security Tool Launch (Python, Go)
    ZAP, Nikto → Return ZAP IP → Run scan, push results to S3
  • 41. Benefits
    ✣ Effectively scales
    ✣ Build security tools once, run anywhere
    ✣ Ease of deployment
  • 42. Pull in or scale out, your choice
    Pull in Docker containers to your build server (ZAP, Nikto)
    Scale out to Docker Swarm (ZAP, Nikto)
  • 45. Conduct your own AppSec Pipeline experiment
    Come down out of the traditional AppSec trees
  • 46. Pick a language
    ✣ To do AppSec well, you need to know something about coding
    ✣ Don’t care what language, pick one and start hacking away
    ✣ Most pipeline code is glue code - l33t algorithms need not apply
  • 48. AppSec Pipeline - Company #1
    ✣ Security findings
      Turn each into a self-contained test
    ✣ Add those tests to Jenkins
      Run hourly or at least daily
      Turn green when they are fixed
    ✣ Tie alerts / chat ops to those tests
      Let them tell you when they are fixed
    ✣ Developer knows release X fixed finding Y
      Bonus points for connecting a Jenkins test passing to closing the Jira bug
    ✣ 2 FTEs assessed 35 apps in year 1
  • 49. Company #2
    2014 ✣ 44 assessments
    ~5x increase
    2015 ✣ ~200 assessments
    Changes from 2014 to 2015:
      - Created the AppSec Pipeline - initial launch in March 2015
      - AppSec team numbers dropped - lost a couple of key people, approx 3.5 FTEs
      - Two of the AppSec team members went meta for most of 2015
  • 50. Company #2
    2015 ✣ ~200 assessments
    ~2x increase
    2016 ✣ 414 assessments
    Changes from 2015 to 2016:
      - Lost 2 key FTE engineers
      - AppSec team numbers dropped - not every vacant FTE position was filled
  • 51. Company #2
    2014 ✣ 44 assessments
    9.4x increase
    2016 ✣ 414 assessments
    Things to remember:
      - Year 1 may go slow - you need to build a solid foundation
      - Get your house in order, THEN reach out to other teams
      - Divide tests into:
        - Quick, low false-positive - these go into CI/CD
        - Longer, less accurate tests
  • 53. @weavera
    “I am a nice shark, not a mindless eating machine. If I am to change this image, I must first change myself. Fish are friends, not food.” - Bruce, Chum and Anchor
  • 54. @weavera
    “I am a nice security professional, not a mindless vulnerability spewing machine. If I am to change this image, I must first change myself. Developers are friends, not fools.” - Bruce, Aaron and Matt
  • 56. Thanks! Any questions?
    Aaron Weaver: @weavera, aaron@sec.training, /in/aweaver, github.com/aaronweaver
    Matt Tesauro: @matt_tesauro, matt.tesauro@owasp.org, /in/matttesauro, github.com/mtesauro
  • 57. References
    Presentation template: http://www.slidescarnival.com/dolabella-free-presentation-template/840
    Black and white train image (original): https://www.youtube.com/watch?v=-80sFvilSXs
    Train/transport facts from:
      https://gtgtechnologygroup.com/transcontinental-railroad/
      https://www.thoughtco.com/effect-of-railroads-on-the-united-states-104724
      http://www.american-rails.com/transcontinental.html
    Meeting of the railroads image (original): public domain image at https://www.thoughtco.com/effect-of-railroads-on-the-united-states-104724
    Model train cars (original): https://www.pinterest.com/njaredmartin99/trains/
    What color is your parachute (original): http://earthconservant.com/100-ways-earthfit-day-37-color-parachute/
  • 58. Telegraph poles by a railroad picture (original): https://www.pinterest.com/pin/412360909600598272/
    Telegraph key: https://openclipart.org/detail/188507/telegraph-key
  • 59. Instructions for use
    EDIT IN GOOGLE SLIDES: Click on the button under the presentation preview that says "Use as Google Slides Theme". You will get a copy of this document on your Google Drive and will be able to edit, add or delete slides. You have to be signed in to your Google account.
    EDIT IN POWERPOINT®: Click on the button under the presentation preview that says "Download as PowerPoint template". You will get a .pptx file that you can edit in PowerPoint. Remember to download and install the fonts used in this presentation (you’ll find the links to the font files needed in the Presentation design slide).
    More info on how to use this template at www.slidescarnival.com/help-use-presentation-template
    This template is free to use under the Creative Commons Attribution license. You can keep the Credits slide or mention SlidesCarnival and other resources used in a slide footer.
  • 60. Credits
    Special thanks to all the people who made and released these awesome resources for free:
    ✣ Presentation template by SlidesCarnival
    ✣ Photographs by Unsplash
    ✣ Paper texture by GraphicBurguer
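Slides 24 and 48 describe the pipeline's test logic: each finding becomes a self-contained test that turns green when fixed, quick low-false-positive tests gate the build, and longer-running tests run on a cadence (every X builds) and never break the build. The following is an added example, not the authors' code, that models that scheduling and gating over constructed HTTP response headers; the header checks, ticket names, cadence values and sample responses are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

Headers = Dict[str, str]  # header name -> value, normalised to lower case

@dataclass
class FindingTest:
    """One security finding turned into a self-contained, repeatable test."""
    name: str                         # the finding/ticket the test was written for
    check: Callable[[Headers], bool]  # True means the finding is fixed (test is green)
    quick: bool = True                # quick, low-false-positive tests gate CI/CD
    every_n_builds: int = 1           # cadence for longer-running tests

# Constructed checks standing in for real findings (assumed, not from the deck).
def hsts_present(h: Headers) -> bool:
    return "max-age=" in h.get("strict-transport-security", "")

def cookie_flags_set(h: Headers) -> bool:
    cookie = h.get("set-cookie", "")
    return "httponly" in cookie and "secure" in cookie

def no_server_version(h: Headers) -> bool:
    # Stand-in for a slower, scanner-style check: no version number in Server.
    return re.search(r"\d+\.\d+", h.get("server", "")) is None

def should_run(test: FindingTest, build_number: int) -> bool:
    """Quick tests run on every build; long tests only every N builds."""
    return test.quick or build_number % test.every_n_builds == 0

def run_pipeline(tests: List[FindingTest], raw: Dict[str, str], build: int) -> dict:
    """Run the tests due for this build; only a failing quick test breaks it."""
    h = {k.lower(): v.lower() for k, v in raw.items()}
    out = {"passed": [], "failed": [], "warned": [], "skipped": []}
    for t in tests:
        if not should_run(t, build):
            out["skipped"].append(t.name)
        elif t.check(h):
            out["passed"].append(t.name)   # finding fixed: the test turns green
        elif t.quick:
            out["failed"].append(t.name)   # gates the build
        else:
            out["warned"].append(t.name)   # reported (e.g. to chat), never breaks the build
    out["break_build"] = bool(out["failed"])
    return out

TESTS = [
    FindingTest("SEC-101 missing HSTS", hsts_present),
    FindingTest("SEC-102 session cookie flags", cookie_flags_set),
    FindingTest("SEC-200 server version disclosure", no_server_version,
                quick=False, every_n_builds=10),
]

# Constructed sample responses: before the fixes and after.
VULNERABLE = {"Server": "Apache/2.4.1", "Set-Cookie": "session=abc; Path=/"}
FIXED = {"Server": "Apache", "Set-Cookie": "session=abc; Path=/; Secure; HttpOnly",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```

On build 3 only the two quick tests run and break the build; on build 10 the long check also runs but can only warn, so a response with the quick findings fixed passes the gate even if the slow check still fails.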