AppSec Vulnerability Management Pipelines (2020)

Transcript

1. A P P S E C V U L N

   E R A B I L I T Y M A N AG E M E N T P I P E L I N E S

2. A G E N D A • VM Life Cycle

   • Common Challenges • DevSecOps Pipeline • Demo • Generic Approach • Cloud Native Approach (AWS)

3. A B O U T M E : AGUSTIN CELANO

   CISSP | PCAP | DSOE | DOL | CCNP /agustincelano @agustincelano /celagus [email protected]

4. V U L N E R A B I L

   I T Y M A N A G E M E N T L I F E C Y C L E SCAN PRIORITIZE REPORT REMEDIATE VALIDATE Get info Default Severity (CVSS) vs Real Severity (Internal clasification) Report and escale to appropiate team for fixes − Fixeable? Fix-it! − Not fixeable? Manage the risk: mitigate, accept, transfer or de-promote asset - Validate fixes - Formalize risk management decisions - Learn & Improve

5. C O M M O N V M P R

   O C E S S C H A L L E N G E S Multiple VA tools False Positives Prioritization / Ponderation Just in time remediation Tracking - Multiple origins - Multiple formats - Asynchronous run - Vulnerability must exist - Exploitation must be feasible - No compensatory controls Possible criteria: - Exploit available - Publicated service - Internal asset classification - Issue must be fixed before SLA expire or asset version were changed - All vulns, actions and comments must be logged and be traceable

6. B E A G I L E , A U

   T O M AT E ! T H I S I S D E V O P S , S O . . T H I S I S T O O M U C H I M P O R T A N T …

7. D E V S E C O P S A

   P P S E C P I P E L I N E SCA SAST IAST DAST RASP INFRA / CONTAINER VULN SCAN HARDENING + PATCH PENTEST AUDIT Continuous feedback

8. D E V S E C O P S A

   P P S E C P I P E L I N E SCA SAST IAST DAST RASP INFRA / CONTAINER VULN SCAN HARDENING + PATCH PENTEST AUDIT Continuous feedback

9. D E M O T I M E !

10. A P P S E C V M P I

    P E L I N E ( G E N E R I C A P P R O A C H ) App Repo Security Orchestrator Issue Tracking Remediation AppSec Tools Continuous feedback Vuln Tracking

11. A P P S E C V M P I

    P E L I N E ( C L O U D N A T I V E A P P R O A C H ) Remediation Continuous feedback AppSec Tools Vuln Tracking Issue Tracking AWS CodePipeline AWS CodeCommit
12. None
13. None
14. None