APPSEC VULNERABILITY MANAGEMENT PIPELINES


ABOUT ME …

AGUSTIN CELANO

CISSP | PCAP | DSOE | DOL | CCNP

/agustincelano

@agustincelano

/celagus

agustin.celano@baite.com.ar

DEVSECOPS APPSEC PIPELINE APPROACH

- SCA
- SAST
- IAST
- DAST
- RASP
- Infra / container vuln scan
- Hardening + patch
- Pentest / audit

Continuous feedback

VULNERABILITY MANAGEMENT LIFECYCLE

- Scan: get info
- Prioritize: default severity (CVSS) vs real severity (internal classification)
- Report: report and escalate to the appropriate team for fixes
- Remediate: fixable? Fix it! Not fixable? Manage the risk: mitigate, accept, transfer or de-promote the asset
- Validate: validate fixes; formalize risk management decisions; learn & improve

COMMON VM PROCESS CHALLENGES

- Multiple VA tools: multiple origins, multiple formats, asynchronous runs
- False positives: the vulnerability must exist, exploitation must be feasible, and there must be no compensating controls
- Prioritization / weighting: exploit available, publicly exposed service, internal asset classification
- Just-in-time remediation: the issue must be fixed before the SLA expires or the asset version is changed
- Tracking: all vulns, actions and comments must be logged and traceable
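The lifecycle's "default severity (CVSS) vs real severity" step and the false-positive / prioritization criteria above, worked through as an added example (not code from the talk or its demo). The SLA table, the field names and the one-band-per-factor adjustment are assumptions; an organisation's own weighting would replace them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ["Low", "Medium", "High", "Critical"]
# Assumed SLA table (days to fix per real severity); not taken from the slides.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Finding:
    tool: str                  # originating scanner (SAST, DAST, SCA, ...)
    asset: str
    cvss: float                # default severity as reported by the tool
    confirmed: bool            # analyst confirmed the vulnerability exists
    exploitable: bool          # exploitation is feasible in this deployment
    compensating_controls: bool
    exploit_available: bool    # a public exploit exists
    published_service: bool    # the service is publicly exposed
    asset_classification: str  # internal classification: low/medium/high/critical
    found_on: str              # ISO date the scanner reported it

def cvss_band(score: float) -> str:
    """Standard CVSS v3.x qualitative bands (a 0.0 'None' score is treated as Low)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def real_severity(f: Finding) -> str:
    """Re-rate the default CVSS band using the internal classification factors."""
    idx = LEVELS.index(cvss_band(f.cvss))
    idx += 1 if f.exploit_available else 0
    idx += 1 if f.published_service else 0
    idx += {"low": -1, "medium": 0, "high": 0, "critical": 1}[f.asset_classification]
    return LEVELS[max(0, min(idx, len(LEVELS) - 1))]

def triage(f: Finding) -> dict:
    """Apply the false-positive filter, then assign real severity and an SLA due date."""
    if not f.confirmed:
        return {"status": "false_positive", "severity": None, "due": None}
    if not f.exploitable:
        return {"status": "not_exploitable", "severity": None, "due": None}
    if f.compensating_controls:  # risk already mitigated: manage it, don't chase a fix
        return {"status": "risk_managed", "severity": None, "due": None}
    sev = real_severity(f)
    due = date.fromisoformat(f.found_on) + timedelta(days=SLA_DAYS[sev])
    return {"status": "open", "severity": sev, "due": due.isoformat()}
```

Every finding, whatever its origin tool, passes through the same filter and lands with a status and a due date, which is what the tracking requirement (every vuln and decision logged and traceable) needs as input.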

BE AGILE, AUTOMATE!

THIS IS DEVOPS, SO..

THAT IS VERY VERY IMPORTANT …

APPSEC VM PIPELINE APPROACH

[Pipeline diagram; components: App Repo, Security Orchestrator, AppSec Tools, Vuln Tracking, Issue Tracking, Remediation, Continuous feedback]

DEMO TIME!

Recommended