AppSec Pipelines and Event based Security

AppSec Pipelines andEvent based SecurityMoving beyond a traditional security test

Matt Tesauromatt.tesauro@owasp.org

Hello!

I am Matt Tesauro

I think AppSec needs to change

And I’m going to tell you how is see it changing

matt.tesauro@owasp.org / @matt_tesauro

Custom Coachwork and Bespoke AppSec

Who is This Guy?

ProposedTraditional AppSec Programs

cannot scale to fit today's needsand AppSec needs to change

The Phoenix Project 3 Ways of DevOps

AppSec

Our purpose is to make the security posture of apps visible to the

business

How AppSec sees itself

How Devs see AppSec

if you can’t find love, change your appearance.[1]

As any dating-website veteran will tell you,

[1] Economist, Jan 21, 2017 - http://sl.owasp.org/economist-quote

AppSec Pipelines

Using CI/CD as inspiration, figure out your AppSec workflow

“Spending time optimizing anything

other than the critical resource is an illusion.

W. Edwards Deming

Key Goals of AppSec Pipelines

◈ Optimize the critical resource - AppSec personnel

○ Automate the things that don’t require a human brain○ Drive up consistency○ Increase tracking of work status○ Increase flow through the system○ Increase visibility and metrics○ Reduce any dev team friction with application security

Gen 1 PipelinesLook at your team's purpose and

those processes which aid it

“To put the world in order,

we must first put the nation in order; to put the nation in order,

we must first put the family in order; to put the family in order;

we must first cultivate our personal life; we must first set our hearts right.

Confucius

Custom Made

With finiteOptions

First, get your house in order...

Key Features of AppSec Pipelines

◈ Designed for iterative improvement ◈ Provides a reusable path for AppSec

activities to follow◈ Provides a consistent process for both the

team and our constituency◈ One way flow with well-defined states◈ Relies heavily on automation◈ Grow in functionality organically over time◈ Gracefully interconnects with the

development process

Gen 2 PipelinesLook outside your team's and

those processes which aid others

DevOps Pipeline AppSec Pipeline

Gen 2AppSecPipeline

A call to action...

AppSec Chat Ops

Making chat the way you do security

Advice for Devs - 24x7

FYI: You’re being attacked

FYI: You’re being blocked

Weaponizing Jenkins

◈ Zero false positives○ Anaphylactic shock

◈ Health Checks vs Scanning○ Run these all the time

◈ Home of specific issue tests○ Find a vuln, write a test

◈ Cadence for longer running tests○ These NEVER break the build○ Every X builds or every Y days

Scaling withDocker Containers

docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt

Docker Security Tool Launch(python, Go)

ZAP

Nikto

Return ZAP IP

Run Scan, Push Results to S3

Benefits◈ Effectively Scales

◈ Build security tools once, run anywhere

◈ Ease of deployment

Pull in or scale out, your choice

Pull in Docker containersto your build server

ZAP

Nikto

Scale out to Docker SwarmZAP

Nikto

Jenkins Pipeline

Pipeline as Code

AppSec Pipeline Math

CI/CD + Docker = Event based Security

AppSec Pipelines & Event based Security

◈ Security Findings○ Turn each into a self-contained test

◈ Add those tests to Jenkins○ Run hourly or at least daily○ Turn green when they are fixed

◈ Tied alerts / Chat ops to those tests○ Let them tell you when they are fixed

◈ Let the developer know that release X fixed finding Y○ Bonus points for connecting Jenkins test

passing to closing Jira bug◈ 2 FTEs assessed 35 Apps in year 1

AppSec Pipeline for OWASP

OWASP’s AppSec Pipeline for Projects

◈ Create an AppSec Pipeline of OWASP Projects to assess OWASP Projects

Use OWASP Zap to scan OWASP Security Shepherd, store the results in OWASP Defect Dojo and push findings to Jira

OWASP Defect Dojo

◈ One-stop source of truth for findings◈ AppSec Programs, QA, Pen Testers

○ Custom report generation○ Metrics and Dashboards○ App & Infrastructure findings supported

◈ New-ish OWASP Project○ Code base is 3+ years - started at Rackspace

◈ Community and contributor friendly○ Bugs triaged and verified in 4 hours - 8 to fix○ 11 contributors from multiple companies

◈ Github: 178 stars, 62 forks, 196 watchers

OWASP & AppSec Pipelines

What can an AppSec Pipeline

do for you?

2014

◈ 44 assessments

~5x increase

2015

◈ ~200 assessments

Changes from 2014 to 2015:- Created the AppSec Pipeline - initial launch in March 2015- AppSec team numbers dropped - lost a couple of key people approx

3.5 FTEs- Two of the AppSec team members went meta for most of 2015

2015

◈ ~200 assessments

~2x increase

2016

◈ 414 assessments

Changes from 2015 to 2015:- Lost 2 key FTE engineers- AppSec team numbers dropped - not every vacant FTE position

was filled

2014

◈ 44 assessments

9.4x increase

2016

◈ 414 assessments

Things to remember- Year 1 may go slow - you need to build a solid foundation- Get your house in order, THEN reach out to other teams- Divide tests into

- Quick, low false-positive - these go into CI/CD- Longer, less accurate tests

Company A

◈ Adopted DefectDojofor their pipeline

◈ 4,000 employees◈ 2,000+ issues tracked◈ Manual Pen Tests◈ Reporting◈ Dashboard

Anonymous Co’s

Company B

◈ Migrated off COTS to DefectDojo

◈ Imported 20k issues◈ Currently at 50k+ issues◈ Reporting◈ Metrics/Dashboard◈ API for automation◈ Read-only for mgmt

How can you help?

Help fill the AppSec Toolbox

http://sl.owasp.org/pipeline

How can you help?

Help fill the AppSec Toolbox

http://sl.owasp.org/pipeline

Thanks!

Any questions?Aaron Weaver

@weavera

aaron.weaver@owasp.org

/in/aweaver

github.com/aaronweaver

Matt Tesauro

@matt_tesauro

matt.tesauro@owasp.org

/in/matttesauro

github.com/mtesauro

CAMS / CALMS

◈ Culture, Automation, Measurement, Sharing○ CALMS = CAMS + Lean

◈ Measurement = Metrics => Visibility◈ Automate the drudgery

○ Allows meaningful personal interactions

◈ What would you want if you were the dev you’re talking to?

Credits

Special thanks to all the people who made and released these awesome resources for free:◈ Presentation template by SlidesCarnival◈ Photographs by Unsplash◈ Backgrounds by SubtlePatterns

Presentation design

This presentations uses the following typographies and colors:

◈ Titles: Playfair Display◈ Body copy: Droid Sans

You can download the fonts on this page:

https://www.google.com/fonts#UsePlace:use/Collection:Droid+Sans:400,700|Playfair+Display:400,700,400italic,700italic

Click on the “arrow button” that appears on the top right

◈ Yellow #ffd900◈ Light gray #f3f3f3◈ Black #000000

You don’t need to keep this slide in your presentation. It’s only here to serve you as a design guide if you need to create new slides or download the fonts to edit the presentation in PowerPoint®

SlidesCarnival icons are editable shapes.

This means that you can:● Resize them without losing quality.● Change line color, width and style.

Isn’t that nice? :)

Examples:

Now you can use any emoji as an icon!And of course it resizes without losing quality and you can change the color.

How? Follow Google instructions https://twitter.com/googledocs/status/730087240156643328

✋ ❤

and many more...