Making Continuous Security a Reality - Global AppSec
Aaron Weaver and Matt Tesauro
I am Matt Tesauro.
I think AppSec needs to change, and I'm going to tell you how I see it changing.
Matt Tesauro: [email protected] / @matt_tesauro
Making AppSec a little better each day.
Aaron Weaver, Principal AppSec Engineer at 10Security
[email protected] / @weavera
Quick survey...
• Raise your hand if you work in:
• AppSec
• Product Security
• Security Engineering
• DevOps (aka DevSecOps, SecDevOps, DevOpsSec, OpsDevSec...)
What traditional AppSec Tooling feels like
From: Julius Caesar by William Shakespeare
From: OWASP AppSec Pipeline Project
Traditional AppSec
Matt Tesauro & Aaron Weaver
AppSec Pipeline: A real life example of an implemented AppSec Pipeline
The purpose of an Application Security program is to evaluate the security status of the suite of apps for a business.
Basically, to provide a map to guide business decisions.
Do you have a full view of your application landscape?
DevOps Pipeline / AppSec Pipeline
Security test output
What is an AppSec Pipeline?
• A way to conduct testing in an automated fashion
• Run by the AppSec team for the AppSec team
• Get your house in order
• Then reach out to dev teams
• A way to scale AppSec coverage
• ‘You must be this high to ride this ride’
• Pre-calculate a portion of manual testing
• Create a security baseline across the application landscape
What an AppSec Pipeline isn’t
• The one thing that will fix all your problems
• A gate that blocks deploys (especially at first)
• Pipelines create artifacts
• CI/CD artifacts are deployed versions of an app(s)
• AppSec Pipeline artifacts are security findings
Call to Action
Gasp: One implementation of the AppSec Pipeline Spec
Steps in an AppSec Pipeline run
Making containers work for you
• Treat containers like a large binary executable
• Execute once, then discard
• Each security tool or service is in a container
• Each has a configuration file in yaml
• Yaml contains pre-configured tool profiles
Pipeline Tool yaml
secpipeline-config.yaml
git example
secpipeline-config.yaml
Benefits of Containerizing Tools
• Do a single “interesting” install once
• Figure out all the arcane tool options once
• Sane defaults
• Further refinement for high risk targets
• Tools can be in any language
• Establish an AppSec baseline
• Run the same tool container + profile against all apps
Named pipelines
• Tool configs + containers = pipeline tool
• Run multiple pipeline tools in a specific order to get a “Named pipeline”
GIT → CLOC → Brakeman → DefectDojo
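The container and named-pipeline ideas above (one tool per container, executed once and discarded, with pre-configured profiles in yaml, chained in a fixed order) can be shown with a small runner. The example below is added here and is not gasp-docker's code: the config dicts mirror the kind of content a secpipeline-config.yaml (tool profiles) and master.yaml (named pipeline) would hold, but their keys, the `{target}` parameter convention and the `example/*` image names are assumptions, not the project's schema.

```python
"""Added example: run a "named pipeline" as an ordered list of single-use
tool containers. Not gasp-docker's code; config shape and image names are
assumptions chosen for illustration."""
import subprocess
from typing import Callable, Dict, List, Optional

# Assumed tool config: per tool a container image (placeholder names) and named
# profiles of options decided once: sane defaults plus a stricter profile for
# high-risk targets. "{target}" is filled in from per-run parameters.
TOOL_CONFIG: Dict[str, dict] = {
    "git": {"image": "example/git", "profiles": {
        "clone": ["clone", "--depth", "1", "{target}", "."]}},
    "cloc": {"image": "example/cloc", "profiles": {
        "count": ["--json", "--quiet", "."]}},
    "brakeman": {"image": "example/brakeman", "profiles": {
        "default": ["-f", "json", "--no-exit-on-warn", "-o", "brakeman.json"],
        "high-risk": ["-f", "json", "--no-exit-on-warn", "-w1", "-o", "brakeman.json"]}},
    "defectdojo": {"image": "example/defectdojo-cli", "profiles": {
        "import": ["import-scan", "brakeman.json"]}},
}

# Assumed named pipeline in the slide's order: GIT -> CLOC -> Brakeman -> DefectDojo.
NAMED_PIPELINES: Dict[str, List[dict]] = {
    "rails-static": [
        {"tool": "git", "profile": "clone"},
        {"tool": "cloc", "profile": "count"},
        {"tool": "brakeman", "profile": "default"},
        {"tool": "defectdojo", "profile": "import"},
    ],
}


def build_command(tool: str, profile: str, workdir: str, params: Dict[str, str]) -> List[str]:
    """Turn tool + profile into one docker invocation. '--rm' discards the
    container after a single execution; the bind-mounted workdir is the only
    state that survives from one tool to the next."""
    spec = TOOL_CONFIG[tool]
    if profile not in spec["profiles"]:
        raise ValueError(f"tool {tool!r} has no profile {profile!r}")
    try:
        args = [arg.format(**params) for arg in spec["profiles"][profile]]
    except KeyError as missing:
        raise ValueError(f"profile {profile!r} of {tool!r} needs parameter {missing}") from None
    return ["docker", "run", "--rm", "-v", f"{workdir}:/work", "-w", "/work",
            spec["image"], *args]


def docker_runner(cmd: List[str]) -> int:
    """Default runner: execute the container and return its exit code."""
    return subprocess.run(cmd, check=False).returncode


def run_named_pipeline(name: str, workdir: str, params: Dict[str, str],
                       runner: Callable[[List[str]], int] = docker_runner) -> Dict[str, object]:
    """Run each pipeline tool in order, stopping at the first failure so a later
    tool never reports against an artifact that was never produced (e.g. an
    import of scan output that does not exist)."""
    completed: List[str] = []
    failed: Optional[str] = None
    for step in NAMED_PIPELINES[name]:
        cmd = build_command(step["tool"], step["profile"], workdir, params)
        if runner(cmd) != 0:
            failed = step["tool"]
            break
        completed.append(step["tool"])
    return {"pipeline": name, "completed": completed, "failed": failed}


if __name__ == "__main__":
    # Dry run: print each docker command instead of executing it.
    def show(cmd: List[str]) -> int:
        print(" ".join(cmd))
        return 0
    print(run_named_pipeline("rails-static", "/tmp/app",
                             {"target": "https://example.invalid/app.git"}, runner=show))
```

The `runner` argument is the seam that makes this testable without Docker: the default executes the container, a stand-in can record the commands or simulate a failing tool.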
master.yaml: named pipeline
At the end of a run...
Maybe Slack alerts
https://github.com/appsecpipeline/gasp-docker
AppSec Pipeline: A real life example of an implemented AppSec Pipeline
My Current AppSec Pipeline
Lightweight REST APIs
t2.large EC2 Instance
Criteria for Tools
❖ Runs fairly quickly
❖ Fast, lightweight dynamic scans
❖ Static scans with differential
❖ Third Party Components
AppSec Pipeline Stats
15 Repos
4 Months
5,100 Runs
25,000+ Container Executions
CI/CD Information
CI/CD Security Test
What have I learned?
After the first run of scans, the net new vulnerabilities are low.
Legacy security* tools will be your biggest pain point. (*Anything that isn’t in a container.)
Evaluate what you did and look for the next improvement.
Improvement Idea: SCM Integration. The web post tells me what files have changed.
Manual Review
File tagged to indicate functionality; file marked for manual review if changed.
1. File tagged for review from build
2. Manual test created for that engagement
3. Slack alert
4. Review changes in SCM
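Steps 1 to 3 of the manual-review flow above can be driven directly from the SCM webhook that lists changed files. The example below is added here and is not the author's pipeline code: the payload is modelled on a GitHub push event but is constructed, and the tag map, engagement naming and Slack channel are assumptions.

```python
"""Added example: flag tagged files changed in a push and prepare the manual
test plus Slack alert. Not the author's code; payload, tags and channel are
constructed assumptions."""
import fnmatch
from typing import Dict, List, Optional, Set

# Assumed tag map: glob pattern -> functionality tags. A change to any matching
# file is routed to a human reviewer rather than trusted to the scanners alone.
REVIEW_TAGS: Dict[str, Set[str]] = {
    "app/controllers/sessions_controller.rb": {"authentication"},
    "app/models/user.rb": {"authentication", "pii"},
    "app/services/payments/*.rb": {"payments"},
    "config/initializers/secure_headers.rb": {"security-config"},
}


def changed_files(payload: dict) -> List[str]:
    """Collect every path touched by the push: added, modified or removed
    (deleting a security control matters as much as editing it)."""
    paths: Set[str] = set()
    for commit in payload.get("commits", []):
        for key in ("added", "modified", "removed"):
            paths.update(commit.get(key, []))
    return sorted(paths)


def files_needing_review(paths: List[str]) -> Dict[str, Set[str]]:
    """Match changed paths against the tag map; one path may carry several tags."""
    flagged: Dict[str, Set[str]] = {}
    for path in paths:
        for pattern, tags in REVIEW_TAGS.items():
            if fnmatch.fnmatchcase(path, pattern):
                flagged.setdefault(path, set()).update(tags)
    return flagged


def build_manual_review(payload: dict) -> Optional[dict]:
    """Tag (1), create the manual test for the engagement (2) and prepare the
    Slack alert (3). Returns None when no tagged file changed."""
    flagged = files_needing_review(changed_files(payload))
    if not flagged:
        return None
    repo = payload["repository"]["name"]
    branch = payload["ref"].rsplit("/", 1)[-1]
    commit = payload["after"]
    test = {
        "engagement": f"{repo} CI/CD ({branch})",   # assumed engagement naming
        "test_type": "Manual Code Review",
        "commit": commit,
        "files": {path: sorted(tags) for path, tags in flagged.items()},
    }
    summary = ", ".join(f"{p} [{'/'.join(sorted(t))}]" for p, t in sorted(flagged.items()))
    alert = {
        "channel": "#appsec",   # assumed channel; posting is left to the caller
        "text": f"Manual review needed: {repo}@{commit[:7]} on {branch} changed {summary}",
    }
    return {"test": test, "slack": alert}


# Constructed push payload (not captured from a real repository).
SAMPLE_PUSH = {
    "ref": "refs/heads/main",
    "after": "0123456789abcdef0123456789abcdef01234567",
    "repository": {"name": "storefront"},
    "commits": [
        {"added": [], "modified": ["README.md", "app/controllers/sessions_controller.rb"], "removed": []},
        {"added": ["app/services/payments/refund.rb"], "modified": [], "removed": []},
    ],
}

if __name__ == "__main__":
    print(build_manual_review(SAMPLE_PUSH))
```

Removed files are deliberately included in the match: a deleted `secure_headers.rb` is exactly the kind of change a scanner will not report but a reviewer should see.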
False positives: Can we do better?
Rules Engine: Finding Imported → Analyze → Apply
Rules Engine CWE Use Case
Title match on XSS → Update CWE-79
Rules Engine Scanner Matching
Scanner == SSLLabs → Grade < A → Update Verified
Rules Engine Scanner Confidence
Scanner Confidence == Confirmed → Title == XSS → Update Verified
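The three rules on the preceding slides (title match on XSS sets CWE-79; an SSL Labs grade below A marks the finding verified; a scanner-confirmed XSS marks it verified) fit a small import-time rules engine. The example below is added here and is not DefectDojo's rules engine: the `Finding` fields, the XSS title matching and the SSL Labs grade ordering are assumptions.

```python
"""Added example: finding imported -> analyze -> apply, as a list of
(name, condition, action) rules. Not DefectDojo's code; field names and the
grade ordering are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Finding:
    title: str
    scanner: str
    cwe: Optional[int] = None
    verified: bool = False
    confidence: Optional[str] = None   # scanner-reported confidence, e.g. "Confirmed"
    grade: Optional[str] = None        # SSL Labs letter grade, when applicable
    applied_rules: List[str] = field(default_factory=list)


# Assumed SSL Labs ordering, best first; anything after "A" counts as "Grade < A".
SSLLABS_GRADES = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]


def grade_below_a(grade: Optional[str]) -> bool:
    if grade not in SSLLABS_GRADES:
        return False   # unknown or missing grades never auto-verify
    return SSLLABS_GRADES.index(grade) > SSLLABS_GRADES.index("A")


def title_is_xss(f: Finding) -> bool:
    """Interpretation of the slide's 'title match on XSS'."""
    t = f.title.lower()
    return "xss" in t or "cross-site scripting" in t


def set_cwe(cwe: int) -> Callable[[Finding], None]:
    def action(f: Finding) -> None:
        f.cwe = cwe
    return action


def set_verified(f: Finding) -> None:
    f.verified = True


Rule = Tuple[str, Callable[[Finding], bool], Callable[[Finding], None]]

RULES: List[Rule] = [
    ("title XSS -> CWE-79",
     lambda f: title_is_xss(f) and f.cwe != 79, set_cwe(79)),
    ("SSLLabs grade < A -> verified",
     lambda f: f.scanner == "SSLLabs" and grade_below_a(f.grade), set_verified),
    ("confirmed XSS -> verified",
     lambda f: f.confidence == "Confirmed" and title_is_xss(f), set_verified),
]


def apply_rules(finding: Finding, rules: List[Rule] = RULES) -> Finding:
    """Analyze each rule against the imported finding and apply the matching
    ones in order, recording which fired so the change is auditable."""
    for name, condition, action in rules:
        if condition(finding):
            action(finding)
            finding.applied_rules.append(name)
    return finding


if __name__ == "__main__":
    print(apply_rules(Finding(title="Reflected XSS in search", scanner="ZAP", confidence="Confirmed")))
    print(apply_rules(Finding(title="TLS configuration", scanner="SSLLabs", grade="B")))
```

Recording `applied_rules` on the finding is what keeps automatic triage honest: when a reviewer disputes a "verified" flag, the log shows which rule set it and why.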
Create an AppSec Pipeline and push visibility north
“I am a nice shark, not a mindless eating machine. If I am to change this image, I must first change myself. Fish are friends, not food.”
-Bruce, Chum and Anchor
“I am a nice security professional, not a mindless vulnerability spewing machine. If I am to change this image, I must first change myself. Developers are friends, not fools.”
-Bruce, Aaron and Matt
I’m with Bruce: @BruceSecDevOps
#BruceSecDevOpsTM
Aaron Weaver: [email protected] / @weavera
Matt Tesauro: [email protected] / @matt_tesauro
Questions & Thanks
References
• Confused panda: https://openclipart.org/detail/69289/confusedpanda
• Jousting Snails: a random twitter post I lost the URL for, sorry
• Julius Caesar quote image: https://quotefancy.com/quote/1740243/Marcus-Junius-Brutus-the-Younger-I-have-not-come-to-praise-Caesar-but-to-bury-him
• Map image: https://openclipart.org/detail/823/two-harbours-map
• Roadmap quote: https://www.brainyquote.com/quotes/earl_nightingale_159044
• Gandalf “Shall pass”: https://shirt.woot.com/offers/halfling-height-requirement
• Pixie dust: http://www.disneyeveryday.com/bottle-of-tinker-bells-pixie-dust-necklace/
• Easy button: https://xposehope.com/2016/11/02/hit-the-easy-button/
• Jar factory: https://www.youtube.com/watch?v=YVqiEMQ1HgA
• Iceberg of Ignorance: https://corporate-rebels.com/iceberg-of-ignorance/