Slide 1

Slide 1 text

AppSec Vulnerability Management Pipelines

Slide 2

Slide 2 text

Agenda
• VM Life Cycle
• Common Challenges
• DevSecOps Pipeline
• Demo
• Generic Approach
• Cloud Native Approach (AWS)

Slide 3

Slide 3 text

About me: Agustin Celano
CISSP | PCAP | DSOE | DOL | CCNP
/agustincelano @agustincelano /celagus [email protected]

Slide 4

Slide 4 text

Vulnerability Management Life Cycle
- Scan: get info
- Prioritize: default severity (CVSS) vs real severity (internal classification)
- Report: report and escalate to the appropriate team for fixes
- Remediate:
  - Fixable? Fix it!
  - Not fixable? Manage the risk: mitigate, accept, transfer or de-promote the asset
- Validate: validate fixes, formalize risk management decisions, learn & improve

Slide 5

Slide 5 text

Common VM Process Challenges
- Multiple VA tools: multiple origins, multiple formats, asynchronous runs
- False positives: the vulnerability must exist, exploitation must be feasible, and there must be no compensatory controls
- Prioritization / ponderation, possible criteria: exploit available, published (publicly exposed) service, internal asset classification
- Just-in-time remediation: the issue must be fixed before the SLA expires or the asset version changes
- Tracking: all vulns, actions and comments must be logged and traceable

Slide 6

Slide 6 text

Be agile, automate! This is DevOps, so.. this is too important…

Slide 7

Slide 7 text

DevSecOps AppSec Pipeline
- SCA, SAST, IAST, DAST, RASP
- Infra / container: vuln scan, hardening + patch
- Pentest, audit
- Continuous feedback

Slide 9

Slide 9 text

Demo time!

Slide 10

Slide 10 text

AppSec VM Pipeline (Generic Approach)
Components: app repo, security orchestrator, AppSec tools, vuln tracking, issue tracking, remediation, continuous feedback
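The orchestrator sitting between the AppSec tools and issue tracking is where the challenges from slide 5 get handled: findings arrive from several tools in different formats, the default CVSS rating is turned into a real severity using the deck's criteria (exploit available, exposed service, asset classification, compensating controls), and each item is checked against its SLA so remediation is tracked. Added example, not the speaker's demo code; the two tool output shapes, the asset inventory, the scoring weights and the SLA table are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample findings in two tool-specific shapes (hypothetical, not a vendor schema).
SAST_FINDINGS = [{"rule": "reflected-xss", "cvss": 6.5, "app": "billing"}]
INFRA_FINDINGS = [{"cve": "CVE-PLACEHOLDER-0001", "base_score": "7.5",
                   "host": "web-01", "exploit": True}]
# Assumed asset inventory: the internal classification and exposure the deck's criteria need.
ASSETS = {"billing": {"classification": "high", "public": False},
          "web-01": {"classification": "medium", "public": True}}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed remediation SLAs
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    asset: str
    title: str
    cvss: float                      # default severity as reported by the tool
    exploit_available: bool = False
    compensating_control: bool = False
    found: date = date(2020, 1, 1)   # constructed discovery date

def normalize(sast, infra):
    """Map each tool's own format onto one record: the 'multiple formats' challenge."""
    out = [Finding(f["app"], f["rule"], float(f["cvss"])) for f in sast]
    out += [Finding(f["host"], f["cve"], float(f["base_score"]), f.get("exploit", False))
            for f in infra]
    return out

def real_severity(f):
    """Turn the default CVSS rating into the internal one using the deck's criteria (assumed weights)."""
    score = f.cvss
    score += 1.0 if f.exploit_available else 0.0          # exploit available
    score += 1.0 if ASSETS[f.asset]["public"] else 0.0    # publicly exposed service
    score += {"high": 1.0, "medium": 0.0, "low": -1.0}[ASSETS[f.asset]["classification"]]
    score -= 2.0 if f.compensating_control else 0.0       # mitigated: de-prioritized, not dropped
    score = max(0.0, min(10.0, score))
    return "critical" if score >= 9 else "high" if score >= 7 else "medium" if score >= 4 else "low"

def sla_status(f, today):
    """Just-in-time remediation check: is the finding still inside its SLA window?"""
    due = f.found + timedelta(days=SLA_DAYS[real_severity(f)])
    return ("overdue" if today > due else "open"), due

def prioritize(findings, today):
    """Ordered work list for issue tracking: most severe first, earliest due date first."""
    rows = [(real_severity(f), *sla_status(f, today), f) for f in findings]
    return sorted(rows, key=lambda r: (RANK[r[0]], r[2]))
```

`prioritize(normalize(SAST_FINDINGS, INFRA_FINDINGS), date(2020, 1, 20))` yields the infra CVE first as critical and already overdue, and the SAST finding as high and still open.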

Slide 11

Slide 11 text

AppSec VM Pipeline (Cloud Native Approach)
Components: AWS CodeCommit, AWS CodePipeline, AppSec tools, vuln tracking, issue tracking, remediation, continuous feedback
