APPSEC VULNERABILITY MANAGEMENT PIPELINES
Transcript of APPSEC VULNERABILITY MANAGEMENT PIPELINES
ABOUT ME…
AGUSTIN CELANO
CISSP | PCAP | DSOE | DOL | CCNP
/agustincelano
@agustincelano
/celagus
DEVSECOPS APPSEC PIPELINE APPROACH
Pipeline stages (diagram):
- SCA
- SAST
- IAST
- DAST
- RASP
- Infra / container vulnerability scan
- Hardening + patch
- Pentest
- Audit
- Continuous feedback
VULNERABILITY MANAGEMENT LIFECYCLE
- Scan: get info
- Prioritize: default severity (CVSS) vs real severity (internal classification)
- Report: report and escalate to the appropriate team for fixes
- Remediate: fixable? Fix it! Not fixable? Manage the risk: mitigate, accept, transfer or de-promote the asset
- Validate: validate fixes; formalize risk management decisions; learn & improve
COMMON VM PROCESS CHALLENGES
- Multiple VA tools: multiple origins, multiple formats, asynchronous runs
- False positives: the vulnerability must exist, exploitation must be feasible and there must be no compensatory controls
- Prioritization / weighting: exploit available, published service, internal asset classification
- Just-in-time remediation: the issue must be fixed before the SLA expires or the asset version changes
- Tracking: all vulns, actions and comments must be logged and traceable
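Added example (not code from the talk): a small Python model of the prioritization and tracking steps described above. It takes the scanner's default CVSS severity, adjusts it with the internal criteria listed on the slides (confirmed, exploitable, compensatory controls, exploit available, published service, asset classification) into a real severity, derives an SLA deadline and logs the decision. The tier thresholds, SLA days, asset classes and sample findings are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

TIERS = ["low", "medium", "high", "critical"]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed SLA policy

@dataclass
class Finding:
    tool: str                    # origin scanner (SCA, SAST, DAST, ...)
    vuln_id: str
    cvss: float                  # default severity as reported by the tool
    confirmed: bool              # the vulnerability really exists (not a false positive)
    exploitable: bool            # exploitation is feasible in this deployment
    compensating: bool           # a compensatory control (WAF rule, isolation) is in place
    exploit_available: bool      # a public exploit exists
    published: bool              # the service is published / public-facing
    asset_class: str             # assumed internal classes: crown_jewel, internal, sandbox
    found: date
    log: list = field(default_factory=list)  # audit trail for tracking

def cvss_tier(score):
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def shift(tier, steps):
    return TIERS[min(max(TIERS.index(tier) + steps, 0), len(TIERS) - 1)]

def real_severity(f):
    """Default severity (CVSS) adjusted by the internal criteria from the slides."""
    if not f.confirmed or not f.exploitable:
        return "false_positive"          # drop instead of prioritising
    steps = (1 if f.exploit_available else 0) + (1 if f.published else 0) - (1 if f.compensating else 0)
    steps += {"crown_jewel": 1, "internal": 0, "sandbox": -1}.get(f.asset_class, 0)
    return shift(cvss_tier(f.cvss), steps)

def sla_deadline(f):
    sev = real_severity(f)
    return None if sev == "false_positive" else f.found + timedelta(days=SLA_DAYS[sev])

def triage(f, asset_version="v1"):
    """Record the decision so every vuln and action stays traceable."""
    sev = real_severity(f)
    f.log.append(f"{f.tool}:{f.vuln_id} cvss={f.cvss} real={sev} due={sla_deadline(f)} asset={asset_version}")
    return sev

# Constructed sample findings (placeholder ids, not real vulnerabilities).
SAMPLE = [
    Finding("sast", "FINDING-1", 7.5, True, True, False, True, True, "crown_jewel", date(2024, 1, 1)),
    Finding("dast", "FINDING-2", 9.8, True, True, True, False, False, "sandbox", date(2024, 1, 1)),
    Finding("sca", "FINDING-3", 9.0, False, True, False, True, True, "crown_jewel", date(2024, 1, 1)),
]
```

Running `triage` over `SAMPLE` shows a CVSS 7.5 finding on a published crown-jewel asset promoted to critical, a CVSS 9.8 finding behind a compensating control on a sandbox demoted to medium, and an unconfirmed finding dropped as a false positive.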
THIS IS DEVOPS, SO..
BE AGILE, AUTOMATE!
THAT IS VERY VERY IMPORTANT…
APPSEC VM PIPELINE APPROACH
Pipeline components (diagram):
- App repo
- Security orchestrator
- AppSec tools
- Vuln tracking
- Issue tracking
- Remediation
- Continuous feedback
DEMO TIME!