Building a Secure DevOps Pipeline

Presented at AppSec USA 2017, Sept. 22, 2017, 9 a.m. (45 minutes)

Is software development outpacing your ability to secure your company's portfolio of apps?  You don't have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster.  And it's not like you didn't already have more than enough to do. This talk will cover how to take the lessons learned from forward thinking software development and show you how they have been applied across several business.  This isn't a theoretical talk.  It covers the results of  successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees.  Yes, real stats on improvements seen will be provided. By changing focus from a point in time security testing and assessments to automation, continual health checks and event-based security, your AppSec program can start to keep pace with the increasing speed of delivery your business is trying to obtain.  By embracing the same methodologies, you can turn Docker from a problem to how you horizontally scale your security work.  Don't swim against the current of DevOps, Agile software development and Continuous Delivery.  Instead use those movements to speed your AppSec program to new levels.

Presenters:

• Matt Tesauro - Senior Technical Project Engineer - OWASP Foundation
  Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is broadly experienced information security professional of 15 years specializing in application and cloud security. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline & WTE projects. He holds two degrees from Texas A&M University and several security and Linux certifications.
• Aaron Weaver - Application Security Manager - NA Bancard
  Aaron Weaver is the Application Security Manager at NA Bancard. Prior to that he was at Cengage Learning and Protiviti where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speaks frequently at OWASP, AppSec USA/EU, Infragard, ISSA, ISACA, IIA and Velocity. When he has time Aaron likes to make sawdust in his workshop.

Links:

• https://appsecusa2017.sched.com/event/BKW1/building-a-secure-devops-pipeline
• https://infocon.org/cons/OWASP/AppSecUSA 2017/Building a Secure DevOps Pipeline.mp4
• https://www.youtube.com/watch?v=IAzPKzwY-ks

Similar Presentations:

• AppSec USA 2015 / Doing AppSec at Scale: Taking the best of DevOps, Agile and CI/CD into AppSec.
• BSides Austin 2016 / Taking AppSec to 11: AppSec Pipelines, DevOps and Making Things Better
• AppSec USA 2016 / AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program