A robust, scalable, and automated appsec program is not the sole province of Netflix and the other tech unicorns. Aaron Weaver and Matt Tesauro explain how you can achieve the automation and flow that you need to start paying down your company’s technical security debt by taking the best of DevOps, Agile development, and CI/CD into your appsec program.
Aaron and Matt introduce the concept of appsec pipelines, covering their underlying philosophy and providing example pipelines from a range of companies as well as two in-depth case studies that explore the dramatic improvements that occurred after their launch.
Aaron and Matt also introduce the OWASP AppSec Pipeline project, a collection of tools and techniques to create the appsec pipeline that fits your business. The project includes reference implementations of appsec pipelines and information on integrating security into CI/CD and weaponizing your Jenkins build server. By abstracting away security tools to Docker images and REST APIs, you can quickly and efficiently add security health checks to Jenkins or your preferred CI/CD software. Aaron and Matt also share examples of providing full round-trip tracking of security findings from discovery through reporting and remediation to retesting with minimal manual work.
Automation is no longer just for monkey herders. It’s now available to all appsec programs.
Aaron Weaver is the application security manager at Cengage. Over his career, Aaron has played various roles, including software developer, system engineer, and embedded developer with IT security. Previously, Aaron was the application security manager at Pearson, a learning and publishing company. He has worked on developer and QA awareness to increase security in the software development life-cycle and leads OWASP Philadelphia. When he has time, Aaron likes to make sawdust in his workshop.
Matt Tesauro is the application security lead engineer at Pearson and an adjunct professor for the University of Texas Computer Science Department, where he teaches the next generation of CS students about appsec. Matt has 15 years’ experience as an information security professional specializing in application and cloud security. He was previously the senior product security engineer at Rackspace, and his work has included security consulting, penetration testing, threat modeling, code reviews, training, and university teaching. Matt has presented and provided trainings at various international industry events. He is a former board member of the OWASP Foundation and project lead for the OWASP WTE project. Matt holds two degrees from Texas A&M University and several security and Linux certifications.
©2016, O'Reilly Media, Inc.