Are you currently running an AppSec program?

Are you currently running an AppSec program? Nobody said it was going to be easy working on the inside of AppSec. AppSec programs fall into a odd middle ground; highly technical interactions with the dev and ops teams yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business all while making sure you’re catching vulnerabilities as early and often as possible.

At Pearson, the AppSec program was faced with a highly geographically dispersed company with a wide range of different development styles and business practices. Add in a geographically dispersed AppSec team and something has to be done. To address both the needs of the development groups, the AppSec team and the business, Pearson created an AppSec Pipeline to handle the work flowing through AppSec using and creating Open Source software along the way. The pipeline starts with “Bag of Holding”, BOH, an Open Source Django web application Pearson created which helps automate and streamline the activities of your AppSec team and keeps the vital information available to any team member, anywhere at any time. At the end of the pipeline is ThreadFix to combine, de-dupe and manage all the findings from all the sources. Finally we incorporated a chatbot to tie all the information into one place and made our own AppSec chatops bot. This talk will cover the motivation behind its AppSec pipeline, its implementation at Pearson and how creating an AppSec pipeline can help you get the most out of your AppSec program."