A P P S E C V U L N E R A B I L I T Y M A N AG E M E N T P I P E L I N E S

A G E N D A • VM Life Cycle • Common Challenges • DevSecOps Pipeline • Demo • Generic Approach • Cloud Native Approach (AWS)

A B O U T M E : AGUSTIN CELANO CISSP | PCAP | DSOE | DOL | CCNP /agustincelano @agustincelano /celagus [email protected]

V U L N E R A B I L I T Y M A N A G E M E N T L I F E C Y C L E SCAN PRIORITIZE REPORT REMEDIATE VALIDATE Get info Default Severity (CVSS) vs Real Severity (Internal clasification) Report and escale to appropiate team for fixes − Fixeable? Fix-it! − Not fixeable? Manage the risk: mitigate, accept, transfer or de-promote asset - Validate fixes - Formalize risk management decisions - Learn & Improve

C O M M O N V M P R O C E S S C H A L L E N G E S Multiple VA tools False Positives Prioritization / Ponderation Just in time remediation Tracking - Multiple origins - Multiple formats - Asynchronous run - Vulnerability must exist - Exploitation must be feasible - No compensatory controls Possible criteria: - Exploit available - Publicated service - Internal asset classification - Issue must be fixed before SLA expire or asset version were changed - All vulns, actions and comments must be logged and be traceable

B E A G I L E , A U T O M AT E ! T H I S I S D E V O P S , S O . . T H I S I S T O O M U C H I M P O R T A N T …

D E V S E C O P S A P P S E C P I P E L I N E SCA SAST IAST DAST RASP INFRA / CONTAINER VULN SCAN HARDENING + PATCH PENTEST AUDIT Continuous feedback

D E V S E C O P S A P P S E C P I P E L I N E SCA SAST IAST DAST RASP INFRA / CONTAINER VULN SCAN HARDENING + PATCH PENTEST AUDIT Continuous feedback

D E M O T I M E !

A P P S E C V M P I P E L I N E ( G E N E R I C A P P R O A C H ) App Repo Security Orchestrator Issue Tracking Remediation AppSec Tools Continuous feedback Vuln Tracking

A P P S E C V M P I P E L I N E ( C L O U D N A T I V E A P P R O A C H ) Remediation Continuous feedback AppSec Tools Vuln Tracking Issue Tracking AWS CodePipeline AWS CodeCommit

No content

No content

No content