
Put yourself in the appsec pipeline

Paolo Perego
September 23, 2016


Building an effective application security pipeline is the necessary
step for each company that wants to establish a meticulous appsec
program. Creating secure software is more than running a penetration
test or a code review just before deployment, and having some
automation helps you keep the error rate of the process low.

In this talk we will go through the pipeline building process,
explaining how to automate some boring tasks so that we can dedicate
ourselves to having fun, playing tricks like pros. At the end of our
journey both tech people and security managers will feel that, using
the pipeline approach, they can lower vulnerabilities with an
affordable time to market, and so make the bosses happy.


Transcript

  1. Put yourself in the #appsec pipeline

  2. Change your Yahoo Password now (ymail, flickr, …)! http://www.usatoday.com/story/tech/2016/09/22/report-yahoo-may-confirm-massive-data-breach/90824934/

  3. $ whoami
     • Application security engineer, 15 years in the #appsec industry
     • Tech blogger @codiceinsicuro
     • Love writing security source code scanners (Owasp Orizon, dawnscanner)
     • Love talking about application security
     • #appsec tweets available at @thesp0nge

  4. Agenda
     • Talk about testing scenarios
     • Talk about what an appsec pipe is and what you need to create one
     • Be inspired, go home and do some homework

  5. What do I have to test?

  6. None
  7. Testing scenarios

  8. We don’t do any test (and we are aware of it)

  9. We don’t do any test (but I’d love to)

  10. We do security tests (but I want to learn more about the pipeline)

  11. How do we perform security tests?

  12. The unacceptable solution…
      • Tests must be done:
        • in the production environment
        • before going live
      • Testers need:
        • the code to be frozen
        • some “fake” accounts
        • a couple of weeks to do the job

  13. … for a difficult task
      • Products cannot delay the time-to-market release to allow security tests
      • Tests must be performed on each release
      • Often companies do releases on a weekly basis
      • There are no fake accounts on a production server
      • Code is never in a frozen state
      • This applies to web properties and mobile applications
      • Tests are not seen as an investment

  14. #appsec can’t be done this way, and we’re the first taking our science to the next level

  15. The application security pipeline

  16. Before we start
      • We need:
        • Commitment
        • An organised SDLC
        • A development team aware of #appsec topics
        • An #appsec team (with patience and some coding skills)

  17. Then we can build the #appsec pipeline (https://www.owasp.org/index.php/OWASP_AppSec_Pipeline)

  18. The collector tool
      A way for our customers to ask for services, keep track of progress and get results back.

  19. Your favourite collection of #appsec tools
      You may want to cover vulnerability assessment, penetration test, web application penetration test and code review at least. Keep calm and let’s go shopping.

  20. The Orchestrator
      Your customers ask for services; you need an automatic dispatcher mechanism to the appropriate tool. Of course you also need something to retrieve the results.

  21. The ticketing system
      You need something to keep track of vulnerabilities, their history and their state.

  22. The Workflow (Glue all together)
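As an added illustration of slides 18 to 22 (example code written for this page, not the speaker's or any project's), a tiny orchestrator in Ruby, the language of the tools the talk lists: it routes a collector request to a tool adapter, fingerprints each finding into a ticket store, and keeps the state history of every ticket across releases (new, still present, fixed, regressed). The service names, the adapter stand-ins and the finding records are all constructed for this example.

```ruby
require 'digest'

# Tool adapters (slides 19-20): each service the collector offers maps to one tool.
# The adapters are stand-ins returning constructed findings instead of invoking
# dawnscanner or ZAP; the finding shape is invented for this example, not a real report format.
SAMPLE_FINDINGS = {
  'code_review' => [
    { 'name' => 'SQL injection via string interpolation', 'where' => 'app/models/order.rb:42', 'severity' => 'high' },
    { 'name' => 'Outdated gem with a published advisory', 'where' => 'Gemfile.lock', 'severity' => 'medium' }
  ],
  'wapt' => [{ 'name' => 'Session cookie without HttpOnly', 'where' => '/login', 'severity' => 'low' }]
}
TOOLS = {
  'code_review' => ['dawnscanner', ->(_target) { SAMPLE_FINDINGS['code_review'] }],
  'wapt'        => ['zap',         ->(_target) { SAMPLE_FINDINGS['wapt'] }]
}

# Ticketing (slide 21): one ticket per finding, keyed by a fingerprint so the same
# issue reported on the next release lands on the same ticket and keeps its history.
def fingerprint(tool, target, f)
  Digest::SHA256.hexdigest([tool, target, f['name'], f['where']].join("\0"))[0, 16]
end

def transition(ticket, state, why)
  ticket['history'] << { 'from' => ticket['state'], 'to' => state, 'why' => why }
  ticket['state'] = state
end

def ingest(tickets, tool, target, findings, release)
  seen = findings.map do |f|
    id = fingerprint(tool, target, f)
    t = tickets[id] ||= { 'tool' => tool, 'target' => target, 'finding' => f, 'state' => nil, 'history' => [] }
    transition(t, 'open', "reported in #{release}") unless t['state'] == 'open' # new or regressed
    id
  end
  # Open tickets for this tool/target that the new run no longer reports are closed as fixed.
  tickets.each do |id, t|
    next if seen.include?(id) || t['tool'] != tool || t['target'] != target || t['state'] != 'open'
    transition(t, 'fixed', "absent in #{release}")
  end
  tickets
end

# Orchestrator (slide 20): route a collector request to its tool and feed the results into ticketing.
def dispatch(tickets, request)
  tool, adapter = TOOLS.fetch(request['service']) { raise ArgumentError, "no tool for #{request['service']}" }
  ingest(tickets, tool, request['target'], adapter.call(request['target']), request['release'])
end

def open_tickets(tickets, severity = nil)
  tickets.values.select { |t| t['state'] == 'open' && (severity.nil? || t['finding']['severity'] == severity) }
end
```

Running the same target through `ingest` for successive releases is what turns the store into the vulnerability history slide 21 asks for: a finding that disappears is closed as fixed, and one that reappears reopens its old ticket instead of creating a duplicate.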

  23. Bonus track - some useful tools

  24. Some tools to check
      • Sinatra with Grape (create HTTP API endpoints)
      • Owasp ZAP (WAPT on steroids)
      • Owasp DeepViolet (check your SSL config)
      • Nexpose + nexpose gem (automate vulnerability assessment)
      • Brakeman/Dawnscanner (ultimate ruby code review)
      • Owasp Orizon (Java security code review)
      • Owasp GLUE gem (pipeline related tool)

  25. THANKS!