This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP AppSec Pipeline"

From OWASP
Jump to: navigation, search
m (The OWASP AppSec Pipeline Project)
(Pipeline Design Patterns)
Line 149: Line 149:
 
[[File:AppSec-Pipeline-Example.png|800px|thumb|left|Example Rugged DevOps AppSec Pipeline]]
 
[[File:AppSec-Pipeline-Example.png|800px|thumb|left|Example Rugged DevOps AppSec Pipeline]]
 
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
 
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
 
= Pipeline Design Patterns =
 
 
[[File:AppSec-Pipeline-Example.png|800px|thumb|left|Example AppSec Pipeline]]
 
 
<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
 
The specific tools used in a pipeline aren't the important part - its making your AppSec engagements as efficient as possible.
 
  
 
= Presentations =
 
= Presentations =

Revision as of 17:13, 5 October 2015

OWASP Project Header.jpg

The OWASP AppSec Rugged DevOps Pipeline Project

The OWASP AppSec Rugged DevOps Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the documentation and references of this project will allow you to setup your own AppSec Pipeline.

Description

The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline. AppSec Pipelines takes the principals of DevOps and Lean and applies that to an application security program. The project will gather references, cheat sheets, and specific guidance for tools/software which would compose an AppSec Pipeline.

Licensing

The OWASP AppSec Pipeline Project documentation is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is OWASP Security Principles Project?

The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline.

Project Leaders

Matt Tesauro
Aaron Weaver
Matt Konda

Related Projects

OWASP_Web_Testing_Environment_Project

Quick Download

Bag of Holding

News and Events

Catch our next presentation at Velocity New York

In Print

Building an AppSec Pipeline
Taking DevOps practices into your AppSec Life

Classifications

New projects.png Owasp-breakers-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

Project Type Files CODE.jpg

Project Type Files TOOL.jpg


What are DevOp Security Pipeline Tools?

DevOp security pipeline tools are written with the mindset of API first. The goal is that a security tool will expose all the core functionality of the product as an API. Tools need to have an API so that the 'All the things' can be automated. Each tool will be evaluated with the criteria outlined below including example pipeline use cases.

Evaluation Criteria

Application Description: Overview of the security tool, description and product web page.
API: The type of API (REST, SOAP), API coverage (% of total features available via the API) and API Docs.
Pipeline Position: Where in the AppSec pipeline the tool would be best suited to reside
Cloud Scalable: Is the tool cloud aware and can the tool scale based on demand?
Runs as a Service: Can the tool run as a service or in headless mode?
Pipeline Example: Link to an example use case of the tool in the pipeline
Client Libraries: What client libraries are written to assist in integration. For example a python or Go library.
CI/CD Plugins: Does the tool have CI/CD plugins for integration into a DevOps pipeline. For example a Jenkins plugin.
Data Sent to the Cloud: What kind of data, if any, is sent off premise to the cloud? Is there an option to keep all data in-house?

Results

We are currently working on gathering a list of the current tools and evaluating each tool based on the criteria listed. The goal is to create a one page wiki document of the application.

Get Involved

Interested in participating or having your product included in the review? Contact Aaron Weaver

What is an AppSec Pipeline?

An AppSec Pipelines takes the principals of DevOps and Lean and applies that to an application security program. An AppSec pipeline is designed for iterative improvement and has the ability to grow in functionality organically over time. When starting out an AppSec Pipeline choose the area that is your greatest pain point and work on a reusable path for all the AppSec activities that follow.

Pipelines have three distinct areas which will be covered in depth. The first is the "Intake process" or "first impression." This is where your customer's request AppSec services from the team. The second part is the "middle" which is the heart of the pipeline. It is here where all the AppSec tools are automated, results are fed into a central repository and are reviewed for false positives. Finally the "end" of the pipeline is where the results are delivered to your customer. This will be slightly different and will vary by organization however most pipelines will integrate with a defect tracker and will produce summary metrics and reporting for senior management.

The goal of an AppSec Pipeline is to provides a consistent process from the application security team and the constituency which typically is developers, QA, product managers and senior stakeholders. Throughout the process flow each activity has well-defined states. The pipeline relies heavily on automation for repeatable tasks so that the critical resource, AppSec personnel, is optimized.

Rugged DevOps AppSec Pipeline Template



























Pipeline - Intake

“First Impression”
Major categories of Intake

  • Existing Application
  • New Application
  • Previously tested Application
  • Application to re-test findings

Key Concepts

  • Ask for data about Apps only once
  • Have data reviewed when an application returns
  • Adapt data collected based on broad categories of Apps

Pipeline - The Middle

  • Inbound request triage
    • Ala Carte App Sec
    • Dynamic Testing
    • Static Testing
    • Re-Testing mitigated findings
    • Mix and match based on risk

Key Concepts

  • Activities can be run in parallel
  • Automation on setup, configuration, data export
  • People focus on customization rather than setup

Pipeline - The End

Source of truth for all AppSec activities

  • Dedupe / Consolidate findings
  • Normalize scanner data
  • Generate Metrics
  • Push issues to bug trackers
  • Report and metrics automation REST + tfclient
  • Source of many touch points with external teams

AppSec Pipeline Example #1

Example Rugged DevOps AppSec Pipeline


















AppSec Pipeline Presentations

Rugged DevOp Interviews

Rugged DevOps

TBD

Got a question?

Ask us on Twitter:

Contributors

Besides the project leaders, contributions have been made by:

  • Adam Parsons - Bag of Holding
  • Matt Brown - suggestions and review of Bag of Holding
  • Lee Thurlow - suggestions and review of Bag of Holding

Future releases will include:

  • List of open source tools for each portion of the AppSec Pipeline
  • Additional releases of Bag of Holding with new and exciting features
  • Documentation and references to integration of the various pieces of the AppSec Pipeline.