Build resilient systems at scale
October 12–14, 2015 • New York, NY

Building an AppSec pipeline: Keeping your program, and your life, sane

Aaron Weaver (Cengage), Matt Tesauro (Pearson plc)
4:35pm–5:15pm Wednesday, 10/14/2015
Location: Nassau Suite
Average rating: ****.
(4.67, 3 ratings)
Slides:   1-PPTX 

Prerequisite Knowledge

An interest in building a scalable application security program.


At Pearson, the AppSec program was faced with a highly geographically-dispersed company with a wide range of different development styles and business practices. Add in a geographically-dispersed AppSec team, and something had to be done. To address the needs of the development groups, the AppSec team, and the business, Pearson created an AppSec Pipeline to handle the work flowing through AppSec.

The pipeline starts with “Bag of Holding,” BOH, an open source Django web application that helps automate and streamline the activities of the AppSec team and keeps the vital information available to any team member, anywhere at any time. At the end of the pipeline is ThreadFix, to combine, de-dupe, and manage all the findings from all the sources. This talk will cover the motivation behind the AppSec pipeline, its implementation at Pearson, and how it can help you get the most out of your AppSec program.

Photo of Aaron Weaver

Aaron Weaver


Aaron Weaver is the application security manager at Cengage. Over his career, Aaron has played various roles, including software developer, system engineer, and embedded developer with IT security. Previously, Aaron was the application security manager at Pearson, a learning and publishing company. He has worked on developer and QA awareness to increase security in the software development life-cycle and leads OWASP Philadelphia. When he has time, Aaron likes to make sawdust in his workshop.

Photo of Matt Tesauro

Matt Tesauro

Pearson plc

Matt Tesauro is the application security lead engineer at Pearson and an adjunct professor for the University of Texas Computer Science Department, where he teaches the next generation of CS students about appsec. Matt has 15 years’ experience as a information security professional specializing in applications and cloud security. He was previously the senior product security engineer at Rackspace, and his work has included security consulting, penetration testing, threat modeling, code reviews, training, and university teaching. Matt has presented and provided trainings at various international industry events. He is a former board member of the OWASP Foundation and project lead for OWASP WTE project. Matt holds two degrees from Texas A&M University and several security and Linux certifications.

Stay Connected

Follow Velocity on Twitter Facebook Group Google+ LinkedIn Group


More Videos »

O’Reilly Media

Tech insight, analysis, and research