Difference between revisions of "OWASP AppSec Pipeline"

From OWASP
(Created page with "=Main= <!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --> <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">link=</...")
 
(Removed boilerplate and created initial project page content)
Line 6: Line 6:
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 
<span style="color:#ff0000">
 
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.
 
</span>
 
  
 
==The OWASP AppSec Pipeline Project==
 
==The OWASP AppSec Pipeline Project==
Line 18: Line 13:
 
==Description==
 
==Description==
  
 +
The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline.  AppSec Pipelines take the
 +
principals of DevOps and Lean and apply that to an application security program.  The project will gather references, cheat sheets, and specific guidance for tools/software which would compose an AppSec Pipeline.
 +
 +
The initial launch of this project include an a web-based Application inventory and engagement management tool called Bag of Holding.  See the "Pipeline Tools" Tab for more infomration
  
 
==Licensing==
 
==Licensing==
  
 
+
The OWASP AppSec Pipeline Project documentation is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
 
The OWASP AppSec Pipeline Project is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
  
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
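Review bot: the added Description paragraph (the line beginning "The initial launch of this project") carries a doubled article ("include an a web-based") and a typo ("infomration"), and the line above it spells "principals" where "principles" is meant. Suggest: "The initial launch of this project includes a web-based application inventory and engagement management tool called Bag of Holding. See the "Pipeline Tools" tab for more information."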
Line 30: Line 27:
 
== What is OWASP Security Principles Project? ==
 
== What is OWASP Security Principles Project? ==
  
 
+
The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline.
 
 
Initially, the project will produce templates and guides for setting up an AppSec Pipeline.  I'd also like to see it eventually become a place for references, cheat sheets, and specific guidance for particular software which would compose an AppSec Pipeline.
 
  
 
== Presentation ==
 
== Presentation ==
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
Aaron Weaver - AppSec EU 2015<br /.>
<span style="color:#ff0000">
+
[https://www.youtube.com/watch?v=1CDSOSl4DQU Building An AppSec Pipeline]<br />
This is where you can link to slide presentations related to your project.
+
Matt Tesauro - AppSec EU 2015<br />
</span>
+
[https://www.youtube.com/watch?v=tDnyFitE0y4 Taking DevOps Practices Into Your AppSec Life]
 
 
 
 
 
 
== Project Leader ==
 
  
[mailto:matt.tesauro@owasp.org Matt Tesauro]
+
== Project Leaders ==
  
 +
[mailto:matt.tesauro@owasp.org Matt Tesauro]<br />
 +
[mailto:aaron.weaver2@gmail.com Aaron Weaver]
  
 
== Related Projects ==
 
== Related Projects ==
  
 
+
[[OWASP_Web_Testing_Environment_Project]]
  
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
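Review bot: the heading "== What is OWASP Security Principles Project? ==" is carried over unchanged from the template and names a different project; it should be retitled for the AppSec Pipeline project before this revision is published. In the Presentation block, the `<br /.>` after "Aaron Weaver - AppSec EU 2015" is a malformed tag and should be `<br />` like the lines that follow it.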
Line 57: Line 50:
 
== Quick Download ==
 
== Quick Download ==
  
 
+
[https://github.com/PearsonEducation/bag-of-holding Bag of Holding]
  
 
== News and Events ==
 
== News and Events ==
  
 
+
Catch our next presentation at [http://sched.co/3VgS AppSec US 2015]
  
 
== In Print ==
 
== In Print ==
  
 
+
[http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-program-and-your-life-sane Building an AppSec Pipeline]<br />
 +
[http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu Taking DevOps practices into your AppSec Life]
  
 
==Classifications==
 
==Classifications==
 
  
  
Line 84: Line 77:
  
 
|}
 
|}
 +
 +
 +
=Pipeline Tools=
 +
 +
'''Bag of Holding''' - A web-based Application inventory and engagement management tool
 +
 +
Bag of Holding centers around an application. Each application can have one or more an associated engagement. An engagement is time boxed and consists of a set of activities such as a dynamic scan, a static scan, a threat model or a manual review. Each application includes metadata around the app such as a data classification, business criticality, number of users and revenue. Applications will have the ability to be tagged.
 +
 +
The first release is a minimal viable product which will allow for creating and updating an application. Engagements and supporting activities are part of the first release.
 +
 +
The first release includes:
 +
* Dashboard showing entire application portfolio and last assessment date
 +
* Applications requiring assessments
 +
* Managing the work load for assessments
 +
* KPI's around application workload
 +
* Tracking of dev team training and overall maturity
 +
* Request form for dev/product managers to request an application review
 +
 +
[https://github.com/PearsonEducation/bag-of-holding Bag of Holding on GitHub]
  
 
=FAQs=
 
=FAQs=
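Review bot: in the new Pipeline Tools paragraph, "one or more an associated engagement" should read "one or more associated engagements", "time boxed" should be hyphenated, and "KPI's" in the release list is a plural, not a possessive ("KPIs"). "minimal viable product" is normally "minimum viable product".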
Line 102: Line 114:
 
Following releases will include:
 
Following releases will include:
 
* List of open source tools for each portion of the AppSec Pipeline
 
* List of open source tools for each portion of the AppSec Pipeline
* Release of an open source app for intake into the AppSec Pipeline
+
* Release of an open source app for intake stage of an AppSec Pipeline
 
* Documentation and references to integration of the various pieces of the AppSec Pipeline.
 
* Documentation and references to integration of the various pieces of the AppSec Pipeline.
 
 
  
  

Revision as of 13:13, 17 July 2015


The OWASP AppSec Pipeline Project

The OWASP AppSec Pipeline Project is the place to find the information you need to increase the speed and automation of your AppSec program. Using the documentation and references of this project will allow you to setup your own AppSec Pipeline.

Description

The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline. AppSec Pipelines take the principles of DevOps and Lean and apply them to an application security program. The project will gather references, cheat sheets, and specific guidance for tools/software which would compose an AppSec Pipeline.

The initial launch of this project includes a web-based application inventory and engagement management tool called Bag of Holding. See the "Pipeline Tools" tab for more information.

Licensing

The OWASP AppSec Pipeline Project documentation is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is OWASP Security Principles Project?

The AppSec pipeline project is a place to gather together information, techniques and tools to create your own AppSec Pipeline.

Presentation

Aaron Weaver - AppSec EU 2015
Building An AppSec Pipeline
Matt Tesauro - AppSec EU 2015
Taking DevOps Practices Into Your AppSec Life

Project Leaders

Matt Tesauro
Aaron Weaver

Related Projects

OWASP_Web_Testing_Environment_Project

Quick Download

Bag of Holding

News and Events

Catch our next presentation at AppSec US 2015

In Print

Building an AppSec Pipeline
Taking DevOps practices into your AppSec Life

Classifications

Classification badges (images): New Project; Breakers; Defenders; CC BY-SA; Project type: Documentation.


Bag of Holding - A web-based Application inventory and engagement management tool

Bag of Holding centers around an application. Each application can have one or more associated engagements. An engagement is time-boxed and consists of a set of activities such as a dynamic scan, a static scan, a threat model or a manual review. Each application includes metadata around the app such as a data classification, business criticality, number of users and revenue. Applications will have the ability to be tagged.

The first release is a minimum viable product which will allow for creating and updating an application. Engagements and supporting activities are part of the first release.

The first release includes:

  • Dashboard showing entire application portfolio and last assessment date
  • Applications requiring assessments
  • Managing the workload for assessments
  • KPIs around application workload
  • Tracking of dev team training and overall maturity
  • Request form for dev/product managers to request an application review

Bag of Holding on GitHub
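The application / engagement / activity model described above, together with two of the first-release features (the dashboard's last assessment date, the "applications requiring assessments" view and the workload KPIs), is illustrated by the following added example. It is not Bag of Holding's own code: the class names, the review cadence keyed on business criticality, the sample portfolio and the "as of" date (taken from this revision's timestamp) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class ActivityType(Enum):
    """Activity kinds named on the project page."""
    DYNAMIC_SCAN = "dynamic scan"
    STATIC_SCAN = "static scan"
    THREAT_MODEL = "threat model"
    MANUAL_REVIEW = "manual review"


@dataclass
class Activity:
    kind: ActivityType
    completed_on: Optional[date] = None  # None while the activity is still open


@dataclass
class Engagement:
    """Time-boxed: a planned start and end date plus a set of activities."""
    start: date
    end: date
    activities: list = field(default_factory=list)

    def is_open(self, today: date) -> bool:
        # Open while inside the time box and at least one activity is unfinished.
        in_box = self.start <= today <= self.end
        return in_box and any(a.completed_on is None for a in self.activities)


@dataclass
class Application:
    """Application with the metadata listed on the page; tags are free-form."""
    name: str
    data_classification: str   # e.g. "public", "internal", "confidential"
    business_criticality: str  # "low", "medium" or "high" (assumed scale)
    users: int
    revenue: float
    tags: set = field(default_factory=set)
    engagements: list = field(default_factory=list)

    def last_assessment_date(self) -> Optional[date]:
        """Dashboard column: most recent completed activity across all engagements."""
        done = [a.completed_on for e in self.engagements
                for a in e.activities if a.completed_on is not None]
        return max(done) if done else None


# Assumed review cadence per criticality (a constructed policy, not the tool's).
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# "As of" date for the sample run: the timestamp of this wiki revision.
AS_OF = date(2015, 7, 17)


def applications_requiring_assessment(portfolio, today):
    """Apps never assessed, or assessed longer ago than their cadence allows,
    excluding apps that already have an engagement open today."""
    due = []
    for app in portfolio:
        if any(e.is_open(today) for e in app.engagements):
            continue
        last = app.last_assessment_date()
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[app.business_criticality])
        if last is None or today - last > interval:
            due.append(app.name)
    return due


def workload_kpis(portfolio, today):
    """KPIs around assessment workload: open engagements and open activities by type."""
    open_engagements = 0
    open_by_type = {t.value: 0 for t in ActivityType}
    for app in portfolio:
        for e in app.engagements:
            if e.is_open(today):
                open_engagements += 1
                for a in e.activities:
                    if a.completed_on is None:
                        open_by_type[a.kind.value] += 1
    return {"open_engagements": open_engagements, "open_activities": open_by_type}


def sample_portfolio():
    """Constructed sample data: three applications, two with engagement history."""
    billing = Application("billing", "confidential", "high", 120000, 4.5e6, {"pci", "java"})
    billing.engagements.append(Engagement(date(2015, 2, 1), date(2015, 2, 28), [
        Activity(ActivityType.STATIC_SCAN, date(2015, 2, 10)),
        Activity(ActivityType.MANUAL_REVIEW, date(2015, 2, 25)),
    ]))
    intranet = Application("intranet-wiki", "internal", "low", 800, 0.0, {"php"})
    intranet.engagements.append(Engagement(date(2015, 7, 1), date(2015, 7, 31), [
        Activity(ActivityType.DYNAMIC_SCAN, date(2015, 7, 5)),
        Activity(ActivityType.THREAT_MODEL),  # still open on AS_OF
    ]))
    storefront = Application("storefront", "confidential", "high", 500000, 2.0e7, {"node"})
    return [billing, intranet, storefront]


if __name__ == "__main__":
    apps = sample_portfolio()
    for app in apps:
        print(f"{app.name:14} last assessed: {app.last_assessment_date()}")
    print("requiring assessment:", applications_requiring_assessment(apps, AS_OF))
    print("workload KPIs:", workload_kpis(apps, AS_OF))
```

On the sample data, "billing" is due because its last completed activity (25 February) is older than the 90-day cadence for a high-criticality app, "storefront" is due because it has never been assessed, and "intranet-wiki" is skipped because its July engagement still has an open threat model, which is also the one open activity the workload KPIs report.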

Contributors

Matt Tesauro

Initial Release: Template for an AppSec Pipeline

Following releases will include:

  • List of open source tools for each portion of the AppSec Pipeline
  • Release of an open source app for intake stage of an AppSec Pipeline
  • Documentation and references to integration of the various pieces of the AppSec Pipeline.