Building an AppSec pipeline: Keeping your program, and your life, sane
1-PPTX
Prerequisite Knowledge
An interest in building a scalable application security program.Description
At Pearson, the AppSec program was faced with a highly geographically-dispersed company with a wide range of different development styles and business practices. Add in a geographically-dispersed AppSec team, and something had to be done. To address the needs of the development groups, the AppSec team, and the business, Pearson created an AppSec Pipeline to handle the work flowing through AppSec.
The pipeline starts with “Bag of Holding,” BOH, an open source Django web application that helps automate and streamline the activities of the AppSec team and keeps the vital information available to any team member, anywhere at any time. At the end of the pipeline is ThreadFix, to combine, de-dupe, and manage all the findings from all the sources. This talk will cover the motivation behind the AppSec pipeline, its implementation at Pearson, and how it can help you get the most out of your AppSec program.
Aaron Weaver
Cengage
Aaron Weaver is the application security manager at Cengage. Over his career, Aaron has played various roles, including software developer, system engineer, and embedded developer with IT security. Previously, Aaron was the application security manager at Pearson, a learning and publishing company. He has worked on developer and QA awareness to increase security in the software development life-cycle and leads OWASP Philadelphia. When he has time, Aaron likes to make sawdust in his workshop.
Matt Tesauro
Pearson plc
Matt Tesauro is the application security lead engineer at Pearson and an adjunct professor for the University of Texas Computer Science Department, where he teaches the next generation of CS students about appsec. Matt has 15 years’ experience as a information security professional specializing in applications and cloud security. He was previously the senior product security engineer at Rackspace, and his work has included security consulting, penetration testing, threat modeling, code reviews, training, and university teaching. Matt has presented and provided trainings at various international industry events. He is a former board member of the OWASP Foundation and project lead for OWASP WTE project. Matt holds two degrees from Texas A&M University and several security and Linux certifications.
Aerospike- Ansible
- Apica
- Appcito
- BigPanda
- BlazeMeter
- Catchpoint
- Chef
- Datadog
- DeviceAtlas
- Dropbox
- Dyn Inc.
- Dynatrace
- ExtraHop
- Fastly
- Ghostery
- GitHub
- Hazelcast
- Imperva Incapsula
- Instart Logic
- Jut
- Limelight Networks, Inc.
- LiveAction
- New Relic
- NGINX, Inc.
- OpenShift
- Opsmatic
- PagerDuty
- Pivotal
- Puppet Labs
- Radware
- ruxit
- Sauce Labs
- ScientiaMobile
- ScriptRock
- Site24x7
- SmartBear
- Sumo Logic
- ThousandEyes
- TrafficDefender
- VictorOps
- VMware
- xMatters
- Yottaa
Sponsorship Opportunities
For exhibition and sponsorship opportunities, contact Gloria Lombardo at glombardo@oreilly.com
Partner Opportunities
For information on trade opportunities with O'Reilly conferences, email partners@oreilly.com
Contact Us
View a complete list of Velocity contacts
©2015, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • conf-webmaster@oreilly.com