Embed Size (px)
Citation preview
AppSec Pipelines andEvent based SecurityMoving beyond a traditional security test
Matt [email protected]
Hello!
I am Matt Tesauro
I think AppSec needs to change
And I’m going to tell you how is see it changing
[email protected] / @matt_tesauro
Custom Coachwork and Bespoke AppSec
Who is This Guy?
ProposedTraditional AppSec Programs
cannot scale to fit today's needsand AppSec needs to change
The Phoenix Project 3 Ways of DevOps
AppSec
Our purpose is to make the security posture of apps visible to the
business
How AppSec sees itself
How Devs see AppSec
if you can’t find love, change your appearance.[1]
As any dating-website veteran will tell you,
[1] Economist, Jan 21, 2017 - http://sl.owasp.org/economist-quote
AppSec Pipelines
Using CI/CD as inspiration, figure out your AppSec workflow
“Spending time optimizing anything
other than the critical resource is an illusion.
W. Edwards Deming
Key Goals of AppSec Pipelines
◈ Optimize the critical resource - AppSec personnel
○ Automate the things that don’t require a human brain○ Drive up consistency○ Increase tracking of work status○ Increase flow through the system○ Increase visibility and metrics○ Reduce any dev team friction with application security
Gen 1 PipelinesLook at your team's purpose and
those processes which aid it
“To put the world in order,
we must first put the nation in order; to put the nation in order,
we must first put the family in order; to put the family in order;
we must first cultivate our personal life; we must first set our hearts right.
Confucius
Custom Made
With finiteOptions
First, get your house in order...
Key Features of AppSec Pipelines
◈ Designed for iterative improvement ◈ Provides a reusable path for AppSec
activities to follow◈ Provides a consistent process for both the
team and our constituency◈ One way flow with well-defined states◈ Relies heavily on automation◈ Grow in functionality organically over time◈ Gracefully interconnects with the
development process
Gen 2 PipelinesLook outside your team's and
those processes which aid others
DevOps Pipeline AppSec Pipeline
Gen 2AppSecPipeline
A call to action...
AppSec Chat Ops
Making chat the way you do security
Advice for Devs - 24x7
FYI: You’re being attacked
FYI: You’re being blocked
Weaponizing Jenkins
◈ Zero false positives○ Anaphylactic shock
◈ Health Checks vs Scanning○ Run these all the time
◈ Home of specific issue tests○ Find a vuln, write a test
◈ Cadence for longer running tests○ These NEVER break the build○ Every X builds or every Y days
Scaling withDocker Containers
docker run -it --name kali-pipeline kali-pipeline /bin/bash /usr/local/bin/run.sh 'nikto localhost -h localhost -T 58' results.txt
Docker Security Tool Launch(python, Go)
ZAP
Nikto
Return ZAP IP
Run Scan, Push Results to S3
Benefits◈ Effectively Scales
◈ Build security tools once, run anywhere
◈ Ease of deployment
Pull in or scale out, your choice
Pull in Docker containersto your build server
ZAP
Nikto
Scale out to Docker SwarmZAP
Nikto
Jenkins Pipeline
Pipeline as Code
AppSec Pipeline Math
CI/CD + Docker = Event based Security
AppSec Pipelines & Event based Security
◈ Security Findings○ Turn each into a self-contained test
◈ Add those tests to Jenkins○ Run hourly or at least daily○ Turn green when they are fixed
◈ Tied alerts / Chat ops to those tests○ Let them tell you when they are fixed
◈ Let the developer know that release X fixed finding Y○ Bonus points for connecting Jenkins test
passing to closing Jira bug◈ 2 FTEs assessed 35 Apps in year 1
AppSec Pipeline for OWASP
OWASP’s AppSec Pipeline for Projects
◈ Create an AppSec Pipeline of OWASP Projects to assess OWASP Projects
Use OWASP Zap to scan OWASP Security Shepherd, store the results in OWASP Defect Dojo and push findings to Jira
OWASP Defect Dojo
◈ One-stop source of truth for findings◈ AppSec Programs, QA, Pen Testers
○ Custom report generation○ Metrics and Dashboards○ App & Infrastructure findings supported
◈ New-ish OWASP Project○ Code base is 3+ years - started at Rackspace
◈ Community and contributor friendly○ Bugs triaged and verified in 4 hours - 8 to fix○ 11 contributors from multiple companies
◈ Github: 178 stars, 62 forks, 196 watchers
OWASP & AppSec Pipelines
What can an AppSec Pipeline
do for you?
2014
◈ 44 assessments
~5x increase
2015
◈ ~200 assessments
Changes from 2014 to 2015:- Created the AppSec Pipeline - initial launch in March 2015- AppSec team numbers dropped - lost a couple of key people approx
3.5 FTEs- Two of the AppSec team members went meta for most of 2015
2015
◈ ~200 assessments
~2x increase
2016
◈ 414 assessments
Changes from 2015 to 2015:- Lost 2 key FTE engineers- AppSec team numbers dropped - not every vacant FTE position
was filled
2014
◈ 44 assessments
9.4x increase
2016
◈ 414 assessments
Things to remember- Year 1 may go slow - you need to build a solid foundation- Get your house in order, THEN reach out to other teams- Divide tests into
- Quick, low false-positive - these go into CI/CD- Longer, less accurate tests
Company A
◈ Adopted DefectDojofor their pipeline
◈ 4,000 employees◈ 2,000+ issues tracked◈ Manual Pen Tests◈ Reporting◈ Dashboard
Anonymous Co’s
Company B
◈ Migrated off COTS to DefectDojo
◈ Imported 20k issues◈ Currently at 50k+ issues◈ Reporting◈ Metrics/Dashboard◈ API for automation◈ Read-only for mgmt
How can you help?
Help fill the AppSec Toolbox
http://sl.owasp.org/pipeline
How can you help?
Help fill the AppSec Toolbox
http://sl.owasp.org/pipeline
Thanks!
Any questions?Aaron Weaver
@weavera
/in/aweaver
github.com/aaronweaver
Matt Tesauro
@matt_tesauro
/in/matttesauro
github.com/mtesauro
CAMS / CALMS
◈ Culture, Automation, Measurement, Sharing○ CALMS = CAMS + Lean
◈ Measurement = Metrics => Visibility◈ Automate the drudgery
○ Allows meaningful personal interactions
◈ What would you want if you were the dev you’re talking to?
Credits
Special thanks to all the people who made and released these awesome resources for free:◈ Presentation template by SlidesCarnival◈ Photographs by Unsplash◈ Backgrounds by SubtlePatterns
Presentation design
This presentations uses the following typographies and colors:
◈ Titles: Playfair Display◈ Body copy: Droid Sans
You can download the fonts on this page:
https://www.google.com/fonts#UsePlace:use/Collection:Droid+Sans:400,700|Playfair+Display:400,700,400italic,700italic
Click on the “arrow button” that appears on the top right
◈ Yellow #ffd900◈ Light gray #f3f3f3◈ Black #000000
You don’t need to keep this slide in your presentation. It’s only here to serve you as a design guide if you need to create new slides or download the fonts to edit the presentation in PowerPoint®
SlidesCarnival icons are editable shapes.
This means that you can:● Resize them without losing quality.● Change line color, width and style.
Isn’t that nice? :)
Examples:
Now you can use any emoji as an icon!And of course it resizes without losing quality and you can change the color.
How? Follow Google instructions https://twitter.com/googledocs/status/730087240156643328
✋ ❤
and many more...
