Aaron Weaver

Application Security Manager, Pearson plc

Building an AppSec Pipeline: Keeping your program, and your life, sane

189 seconds is the average time in a drive-thru

Instrumentation

Standardization of products and processes.

A Big Mac is a Big Mac wherever you purchase it in the U.S., and this emphasis on reliable and highly standardized product offerings, as well as uniform production processes, is something fast-food companies have perfected.

Source: ValueStreamGuru.com

A production process approach

Different work cells within an individual restaurant combine to make the finished product, allowing for maximum efficiency in each work unit.

Source: ValueStreamGuru.com

A flexible and multi-skilled workforce

Each employee specializing within a role but also being trained to step into other areas whenever needed.

Source: ValueStreamGuru.com

Lean production

Maximizes the use of a facility's space. Fast-food kitchens are rarely large, but their output is tremendous, meaning they get the most from the limited space available.

Source: ValueStreamGuru.com

What would it look like if AppSec ran fast food?

AppSec Pipeline

Your front door

minimal viable product[MVP]

product

Polled the Team

?

Bag of Holding(BoH)

What does BoH do?

• Manages our Application Security Program• Application Repository• Engagement Tracking• Report Repository• Comments on any application, engagement or activity• Data Classification and PII data• Time taken on secure software activities• Historical knowledge of past assessments• Credential repository• Environment details

Length of Activities

24

25

Social, erm Yes.

26

29

Security Tool Vendors: If I can do it with the UI, I want to do it with an API.

- Matt Tesauro

| Open Source

Orchestration• Integrate Security Tools and Workflow

• Example:• Generic API for dynamic scanning

• URL• Credentials• Profile• Call any Dynamic Scanner:

• OWASP ZAP• BurpSuite• AppScan

Automate False Positive Reduction

2+ 3+ 4+ 5+

34

Scheduling Application Assessments

• PCI every quarter

• Compliance policy requirement to manually assess twice a year

Watch a Code Branch

or the doAuth()

method

Change Exceeds

Threshold

Trigger a Review

| Open Source

1 2 3Automate Assessment Requests

Your command line where you have your conversations.

Will Bot

AppSec Help

AppSec Advice

Threadfix Integration

And more:

• Create an Application• Get Summary Metrics for

Application Program

Threadfix/Static Integration

Go build. Make it better.

Q&AThank you!

@weavera

aaron.weaver2@gmail.com

/in/aweaver

46

Photo Credits

• Chicago street photography - The One That Got Away https://goo.gl/I6FLgl

• Silos https://goo.gl/3g9M38

• Kidhttps://goo.gl/NlwmBW

• Hipsterhttps://goo.gl/52VUyV