October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

You don’t need to be a unicorn to have great security: Appsec programs for the rest of us

Aaron Weaver (Cengage), Matt Tesauro (Pearson plc)
2:10pm–2:50pm Wednesday, 11/02/2016
Tools and processes
Location: Grand Ballroom West
Level: Intermediate
Average rating: 4.43 (7 ratings)

What you'll learn

  • Learn to implement usable application security that works for both large and small teams


A robust, scalable, and automated appsec program is not the sole province of Netflix and the other tech unicorns. Aaron Weaver and Matt Tesauro explain how you can achieve the automation and flow that you need to start paying down your company’s technical security debt by taking the best of DevOps, Agile development, and CI/CD into your appsec program.

Aaron and Matt introduce the concept of appsec pipelines, covering its underlying philosophy and providing example pipelines from a range of companies as well as two in-depth case studies that explore the dramatic improvements that occurred after their launch.

Aaron and Matt also introduce the OWASP AppSec Pipeline project, a collection of tools and techniques to create the appsec pipeline that fits your business. The project includes reference implementations of appsec pipelines and information on integrating security into CI/CD and weaponizing your Jenkins build server. By abstracting away security tools to Docker images and REST APIs, you can quickly and efficiently add security health checks to Jenkins or your preferred CI/CD software. Aaron and Matt also share examples of providing full round-trip tracking of security findings from discovery through reporting and remediation to retesting with minimal manual work.

Automation is no longer just for monkey herders. It’s now available to all appsec programs.

Aaron Weaver


Aaron Weaver is the application security manager at Cengage. Over his career, Aaron has played various roles, including software developer, system engineer, and embedded developer with IT security. Previously, Aaron was the application security manager at Pearson, a learning and publishing company. He has worked on developer and QA awareness to increase security in the software development life-cycle and leads OWASP Philadelphia. When he has time, Aaron likes to make sawdust in his workshop.

Matt Tesauro

Pearson plc

Matt Tesauro is the application security lead engineer at Pearson and an adjunct professor for the University of Texas Computer Science Department, where he teaches the next generation of CS students about appsec. Matt has 15 years’ experience as an information security professional specializing in application and cloud security. He was previously the senior product security engineer at Rackspace, and his work has included security consulting, penetration testing, threat modeling, code reviews, training, and university teaching. Matt has presented and provided training at various international industry events. He is a former board member of the OWASP Foundation and project lead for the OWASP WTE project. Matt holds two degrees from Texas A&M University and several security and Linux certifications.


Christine Tendo Nakawuma
09/02/2016 5:09am EDT

I am looking forward to hearing and learning from Matt Tesauro.