Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesauro & Aaron Weaver
- 1. Making Continuous Security a Reality Aaron Weaver Matt Tesauro
- 2. I am Matt Tesauro I think AppSec needs to change and I’m going to tell you how I see it changing [email protected] / @matt_tesauro Matt Tesauro
- 3. Making AppSec a little better each day. [email protected] / @weavera Principal AppSec Engineer at 10Security Aaron Weaver
- 4. Quick survey... • Raise your hand if you work in: • AppSec • Product Security • Security Engineering • DevOps aka DevSecOps, • SecDevOps, DevOpsSec, OpsDevSec...
- 5. What traditional AppSec Tooling feels like
- 6. From: Julius Caesar by William Shakespeare
- 7. From: OWASP AppSec Pipeline Project Traditional AppSec it Matt Tesauro & Aaron Weaver
- 9. AppSec Pipeline A real life example of an implemented AppSec Pipeline
- 10. The purpose of an Application Security program is to evaluate the security status of the suite of apps for a business. Basically, to provide a map to guide business decisions Do you have a full view of your application landscape?
- 13. DevOps Pipeline AppSec Pipeline Security test output
- 14. What is an AppSec Pipeline? • A way to conduct testing in an automated fashion • Run by the AppSec team for the AppSec team • Get your house in order • Then reach out to dev teams • A way to scale AppSec coverage • ‘You must be this high to ride this ride’ • Pre-calculate a portion of manual testing • Create a security baseline across the application landscape
- 15. What an AppSec Pipeline isn’t • The one thing that will fix all your problems • A gate that blocks deploys (especially at first) • Pipelines create artifact • CI/CD artifacts are deployed versions of an app(s) • AppSec Pipeline artifacts are security findings
- 17. Call to Action
- 18. Gasp One implementation of the AppSec Pipeline Spec
- 23. Steps in an AppSec Pipeline run
- 24. Making containers work for you • Treat containers like a large binary executable • Execute once, then discard • Each security tool or service is in a container • Each has a configuration file in yaml • Yaml contains pre-configured tool profiles
- 28. Benefits of Containerizing Tools • Do a single “interesting” install once • Figure out all the arcane tool options once • Sane defaults • Further refinement for high risk targets • Tools can be in any language • Establish a AppSec baseline • Run the same tool container + profile against all apps
- 29. Named pipelines • Tool configs + containers = pipeline tool • Run multiple pipeline tools in a specific order to get a “Named pipeline” GIT CLOC Brakeman Defect Dojo
- 31. named pipeline
- 32. At the end of a run...
- 36. AppSec Pipeline A real life example of an implemented AppSec Pipeline
- 37. My Curent AppSec Pipeline
- 40. Criteria for Tools ❖ Runs fairly quickly ❖ Fast, lightweight dynamic scans ❖ Static scans with differential ❖ Third Party Components
- 41. AppSec Pipeline Stats 15 Repos 4 Months 5,100 Runs 25,000+ Container Executions
- 45. What have I learned?
- 46. After the first run of scans the net new vulnerabilities are low.
- 47. Legacy security* tools will be your biggest pain point. (Anything that isn’t in a container)
- 48. Evaluate what you did and look for the next improvement.
- 49. SCM Integration: The web post tells me what files have changed. Improvement Idea
- 50. Manual Review File tagged to indicated functionality File marked for manual review if changed. 1. File Tagged for review from build
- 51. Manual Review 2. Manual Test Created for that Engagement 3. Slack Alert
- 52. Manual Review 4. Review changes in SCM
- 53. False positives: Can we do better?
- 55. Rules Engine CWE Use Case Title match on XSS → Update CWE-79
- 56. Rules Engine Scanner Matching Scanner == SSLLabs → Grade < A → Update Verified
- 57. Rules Engine Scanner Confidence Scanner Confidence == Confirmed → Title == XSS → Update Verified
- 59. Create an AppSec Pipeline and push visibility north Visibility
- 61. “I am a nice shark, not a mindless eating machine. If I am to change this image, I must first change myself. Fish are friends, not food.” -Bruce, Chum and Anchor
- 62. “I am a nice security professional, not a mindless vulnerability spewing machine. If I am to change this image, I must first change myself. Developers are friends, not fools.” -Bruce, Aaron and Matt
- 64. [email protected] / @weavera Aaron Weaver [email protected] / @matt_tesauro Matt Tesauro Questions & Thanks
- 65. References • Confused panda: https://openclipart.org/detail/69289/confusedpanda • Jousting Snails - a random twitter post I lost the URL for, sorry • Julius Caesar quote image: https://quotefancy.com/quote/1740243/Marcus-Junius-Brutus-the-Younger-I-hav e-not-come-to-praise-Caesar-but-to-bury-him • Map image: https://openclipart.org/detail/823/two-harbours-map • Roadmap quote: https://www.brainyquote.com/quotes/earl_nightingale_159044 • Gandoff “Shall pass”: https://shirt.woot.com/offers/halfling-height-requirement • Pixie dust: http://www.disneyeveryday.com/bottle-of-tinker-bells-pixie-dust-necklace/ • Easy button: https://xposehope.com/2016/11/02/hit-the-easy-button/ • Jar factory: https://www.youtube.com/watch?v=YVqiEMQ1HgA • Iceberg of Ignorance: https://corporate-rebels.com/iceberg-of-ignorance/