OWASP AppSec Pipeline

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

The OWASP AppSec Pipeline Project
The OWASP AppSec Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the documentation and references of this project will allow you to setup your own AppSec Pipeline.

Description
The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline. AppSec Pipelines take the principals of DevOps and Lean and apply that to an application security program. The project will gather references, cheat sheets, and specific guidance for tools/software which would compose an AppSec Pipeline.

The initial launch of this project include an a web-based Application inventory and engagement management tool called Bag of Holding. See the "Pipeline Tools" Tab for more infomration

Licensing
The OWASP AppSec Pipeline Project documentation is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is OWASP Security Principles Project?
The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline.

Project Leaders
[mailto:matt.tesauro@owasp.org Matt Tesauro]

[mailto:aaron.weaver2@gmail.com Aaron Weaver] [mailto:matt.konda@owasp.org Matt Konda]

Related Projects
OWASP_Web_Testing_Environment_Project


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download
Bag of Holding

News and Events
Catch our next presentation at Velocity New York

In Print
Building an AppSec Pipeline

Taking DevOps practices into your AppSec Life

Classifications

 * }

=Pipeline Tools=

What are DevOp Security Pipeline Tools?
DevOp security pipeline tools are written with the mindset of API first. The goal is that a security tool will expose all the core functionality of the product as an API. Tools need to have an API so that the 'All the things' can be automated. Each tool will be evaluated with the criteria outlined below including example pipeline use cases.

Evaluation Criteria
Application Description: Overview of the security tool, description and product web page. API: The type of API (REST, SOAP), API coverage (% of total features available via the API) and API Docs. Pipeline Position: Where in the AppSec pipeline the tool would be best suited to reside Cloud Scalable: Is the tool cloud aware and can the tool scale based on demand? Runs as a Service: Can the tool run as a service or in headless mode? Pipeline Example: Link to an example use case of the tool in the pipeline Client Libraries: What client libraries are written to assist in integration. For example a python or Go library. CI/CD Plugins: Does the tool have CI/CD plugins for integration into a DevOps pipeline. For example a Jenkins plugin. Data Sent to the Cloud: What kind of data, if any, is sent off premise to the cloud? Is there an option to keep all data in-house?

Results
We are currently working on gathering a list of the current tools and evaluating each tool based on the criteria listed. The goal is to create a one page wiki document of the application.

Get Involved
Interested in participating or having your product included in the review? Contact [mailto:aaron.weaver2@gmail.com Aaron Weaver]

= What is an Rugged AppSec DevOps Pipeline? ==

= Pipeline Design Patterns =



The specific tools used in a pipeline aren't the important part - its making your AppSec engagements as efficient as possible.

= Presentations =

AppSec Pipeline Presentations
 * Building An AppSec Pipeline Aaron Weaver - AppSec EU 2015


 * Taking DevOps Practices Into Your AppSec Life Matt Tesauro - AppSec EU 2015

Rugged DevOp Interviews
 * DevOps, Security and Development w/ Matt Tesauro, Jez Humble and Shannon Lietz AppSec USA 2015
 * Pipeline Project Interview Matt Konda - AppSec USA 2015

Rugged DevOps
 * The Road to Being Rugged Shannon Lietz - GOTO 2015
 * When Devops Meets Security Michael Brunton-Spall - GOTO 2015
 * Rugged Building Materials and Creating Agility with Security David Etue - GOTO 2015
 * How to effect change in the Epistemological Wasteland of Application Security James Wickett - GOTO 2015

=Metrics=

TBD
=FAQs=

Got a question?

Ask us on Twitter:
 * @appsecpipeline
 * @matt_tesauro
 * @weavera

= Acknowledgements =

Contributors
Besides the project leaders, contributions have been made by:


 * Adam Parsons - Bag of Holding
 * Matt Brown - suggestions and review of Bag of Holding
 * Lee Thurlow - suggestions and review of Bag of Holding

= Road Map and Getting Involved =

Future releases will include:
 * List of open source tools for each portion of the AppSec Pipeline
 * Additional releases of Bag of Holding with new and exciting features
 * Documentation and references to integration of the various pieces of the AppSec Pipeline.