OWASP AppSec Pipeline

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

The OWASP AppSec Pipeline Project
The OWASP AppSec Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the documentation and references of this project will allow you to setup your own AppSec Pipeline.

Description
The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline. AppSec Pipelines take the principals of DevOps and Lean and apply that to an application security program. The project will gather references, cheat sheets, and specific guidance for tools/software which would compose an AppSec Pipeline.

The initial launch of this project include an a web-based Application inventory and engagement management tool called Bag of Holding. See the "Pipeline Tools" Tab for more infomration

Licensing
The OWASP AppSec Pipeline Project documentation is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is OWASP Security Principles Project?
The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline.

Presentation
Aaron Weaver - AppSec EU 2015 Building An AppSec Pipeline

Matt Tesauro - AppSec EU 2015

Taking DevOps Practices Into Your AppSec Life

Project Leaders
[mailto:matt.tesauro@owasp.org Matt Tesauro]

[mailto:aaron.weaver2@gmail.com Aaron Weaver]

Related Projects
OWASP_Web_Testing_Environment_Project


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download
Bag of Holding

News and Events
Catch our next presentation at AppSec US 2015

In Print
Building an AppSec Pipeline

Taking DevOps practices into your AppSec Life

Classifications

 * }

=Pipeline Tools=

Bag of Holding - A web-based Application inventory and engagement management tool

Bag of Holding centers around an application. Each application can have one or more an associated engagement. An engagement is time boxed and consists of a set of activities such as a dynamic scan, a static scan, a threat model or a manual review. Each application includes metadata around the app such as a data classification, business criticality, number of users and revenue. Applications will have the ability to be tagged.

The first release is a minimal viable product which will allow for creating and updating an application. Engagements and supporting activities are part of the first release.

The first release includes:
 * Dashboard showing entire application portfolio and last assessment date
 * Applications requiring assessments
 * Managing the work load for assessments
 * KPI's around application workload
 * Tracking of dev team training and overall maturity
 * Request form for dev/product managers to request an application review

Bag of Holding on GitHub

= AppSec Pipeline Design Patterns =



The specific tools used in a pipeline aren't the important part - its making your AppSec engagements as efficient as possible.

= Presentations =

=FAQs=

Got a question?

Ask us on Twitter:
 * @appsecpipeline
 * @matt_tesauro

= Acknowledgements =

Contributors
Besides the project leaders, contributions have been made by:


 * Adam Parsons - Bag of Holding
 * Matt Brown - suggestions and review of Bag of Holding
 * Lee Thurlow - suggestions and review of Bag of Holding

= Road Map and Getting Involved =

Future releases will include:
 * List of open source tools for each portion of the AppSec Pipeline
 * Additional releases of Bag of Holding with new and exciting features
 * Documentation and references to integration of the various pieces of the AppSec Pipeline.