AppSec Vulnerability Management Pipelines (2020)

Talk for Ekoparty (Argentina) about vulnerability management in Devops environment.

Agustin Celano

September 24, 2020
Transcript

  1. APPSEC VULNERABILITY MANAGEMENT PIPELINES
  2. AGENDA
     • VM Life Cycle
     • Common Challenges
     • DevSecOps Pipeline
     • Demo
     • Generic Approach
     • Cloud Native Approach (AWS)
  3. ABOUT ME: AGUSTIN CELANO
     CISSP | PCAP | DSOE | DOL | CCNP
     /agustincelano @agustincelano /celagus [email protected]
  4. VULNERABILITY MANAGEMENT LIFE CYCLE: SCAN → PRIORITIZE → REPORT → REMEDIATE → VALIDATE
     - Scan: get info
     - Prioritize: default severity (CVSS) vs real severity (internal classification)
     - Report: report and escalate to the appropriate team for fixes
     - Remediate:
       − Fixable? Fix it!
       − Not fixable? Manage the risk: mitigate, accept, transfer or de-promote the asset
     - Validate: validate fixes, formalize risk management decisions, learn & improve
  5. COMMON VM PROCESS CHALLENGES
     - Multiple VA tools: multiple origins, multiple formats, asynchronous runs
     - False positives: the vulnerability must exist, exploitation must be feasible, and there must be no compensating controls
     - Prioritization / weighting. Possible criteria: exploit available, published (exposed) service, internal asset classification
     - Just-in-time remediation: the issue must be fixed before the SLA expires or the asset version changes
     - Tracking: all vulns, actions and comments must be logged and traceable
  6. BE AGILE, AUTOMATE! THIS IS DEVOPS, SO.. THIS IS TOO IMPORTANT …
  7. DEVSECOPS APPSEC PIPELINE
     SCA → SAST → IAST → DAST → RASP
     INFRA / CONTAINER VULN SCAN → HARDENING + PATCH → PENTEST → AUDIT
     Continuous feedback
  8. DEVSECOPS APPSEC PIPELINE
     SCA → SAST → IAST → DAST → RASP
     INFRA / CONTAINER VULN SCAN → HARDENING + PATCH → PENTEST → AUDIT
     Continuous feedback
  9. APPSEC VM PIPELINE (GENERIC APPROACH)
     App Repo → Security Orchestrator → AppSec Tools → Vuln Tracking → Issue Tracking → Remediation
     Continuous feedback
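The prioritization and SLA logic from slides 4 and 5 is what the "Security Orchestrator" box on slide 9 has to do between the AppSec tools and the tracker. Below is an added example of one such orchestrator step in Python; it is not code from the talk, and the scanner schemas, asset classification, tier adjustments and SLA values are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample scanner outputs in two different schemas (slide 5: "multiple
# origins / multiple formats"); tool names, ids and dates are made up.
SAST_FINDINGS = [
    {"rule": "sqli-001", "file": "app/db.py", "cvss": 9.1, "app": "billing", "found": "2020-09-01"},
    {"rule": "xss-010", "file": "app/views.py", "cvss": 6.1, "app": "intranet", "found": "2020-09-20"},
]
INFRA_FINDINGS = [
    {"plugin_id": 44123, "host": "billing-web-1", "severity": "high", "asset": "billing", "first_seen": "2020-08-10"},
]
SEVERITY_TO_CVSS = {"critical": 9.5, "high": 7.5, "medium": 5.0, "low": 2.5}

# Assumed internal asset classification (slide 4: default vs real severity) and
# remediation SLAs per real severity (slide 5: "fixed before the SLA expires").
ASSETS = {"billing": {"exposed": True, "tier": 1}, "intranet": {"exposed": False, "tier": 3}}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def normalise(sast, infra):
    """Map both schemas onto one record shape with a stable id for tracking."""
    records = []
    for f in sast:
        records.append({"id": f"sast:{f['rule']}:{f['file']}", "asset": f["app"],
                        "cvss": f["cvss"], "found": date.fromisoformat(f["found"])})
    for f in infra:
        records.append({"id": f"infra:{f['plugin_id']}:{f['host']}", "asset": f["asset"],
                        "cvss": SEVERITY_TO_CVSS[f["severity"]],
                        "found": date.fromisoformat(f["first_seen"])})
    return records

def real_severity(cvss, asset):
    """Adjust the tool's default CVSS by exposure and asset tier, then bucket it."""
    score = cvss - (0.0 if ASSETS[asset]["exposed"] else 2.0)   # internal-only service
    score += 1.0 if ASSETS[asset]["tier"] == 1 else 0.0          # top-tier asset
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def triage(findings, today):
    """Prioritise findings and flag those whose remediation SLA has expired."""
    result = []
    for f in findings:
        sev = real_severity(f["cvss"], f["asset"])
        due = f["found"] + timedelta(days=SLA_DAYS[sev])
        result.append({"id": f["id"], "severity": sev, "due": due, "overdue": today > due})
    return sorted(result, key=lambda r: (r["due"], r["id"]))   # earliest deadline first
```

Calling `triage(normalise(SAST_FINDINGS, INFRA_FINDINGS), date(2020, 9, 24))` yields the rows the orchestrator would push to issue tracking, overdue ones first.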
  10. APPSEC VM PIPELINE (CLOUD NATIVE APPROACH)
      AWS CodeCommit → AWS CodePipeline → AppSec Tools → Vuln Tracking → Issue Tracking → Remediation
      Continuous feedback