APPSEC VULNERABILITY MANAGEMENT PIPELINES
ABOUT ME …
AGUSTIN CELANO
CISSP | PCAP | DSOE | DOL | CCNP
/agustincelano
@agustincelano
/celagus
DEVSECOPS APPSEC PIPELINE APPROACH
- SCA
- SAST
- IAST
- DAST
- RASP
- INFRA / CONTAINER VULN SCAN
- HARDENING + PATCH
- PENTEST / AUDIT
- Continuous feedback
VULNERABILITY MANAGEMENT LIFECYCLE
- Scan: Get info
- Prioritize: Default Severity (CVSS) vs Real Severity (Internal classification)
- Report: Report and escalate to the appropriate team for fixes
- Remediate: Fixable? Fix it! Not fixable? Manage the risk: mitigate, accept, transfer or de-promote the asset
- Validate: Validate fixes; Formalize risk management decisions; Learn & Improve
COMMON VM PROCESS CHALLENGES
- Multiple VA tools: Multiple origins; Multiple formats; Asynchronous runs
- False Positives: Vulnerability must exist; Exploitation must be feasible; No compensating controls
- Prioritization / Weighting: Exploit available; Published service; Internal asset classification
- Just-in-time remediation: Issue must be fixed before the SLA expires or the asset version is changed
- Tracking: All vulns, actions and comments must be logged and be traceable
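As an added example (not code from the slides or the speaker), the following sketch shows how the challenges above can be addressed in one step: findings from two tools in different formats are normalized into one record, unconfirmed findings are parked as false positives, and the tool's default CVSS score is re-weighted into a "real" severity from exploit availability, service exposure, internal asset classification and compensating controls. The tool formats, asset classes, weights and sample findings are all constructed assumptions.

```python
from dataclasses import dataclass

SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]
# Internal asset classification and its weight on the score (assumed values)
ASSET_WEIGHT = {"crown_jewel": 1.0, "standard": 0.0, "sandbox": -2.0}

@dataclass
class Finding:
    tool: str
    asset: str
    vuln_id: str
    cvss: float        # default severity, as reported by the tool
    exploitable: bool  # vulnerability confirmed to exist and be exploitable

def from_sast(raw: dict) -> Finding:
    # Constructed SAST-style record: numeric score, optional "confirmed" flag
    return Finding("sast", raw["component"], raw["rule"], float(raw["score"]), raw.get("confirmed", True))

def from_dast(raw: dict) -> Finding:
    # Constructed DAST-style record: severity as a word, must be mapped to a number
    word_to_cvss = {"Low": 3.0, "Medium": 5.5, "High": 8.0, "Critical": 9.5}
    return Finding("dast", raw["target"], raw["plugin"], word_to_cvss[raw["risk"]], raw["reproduced"])

def real_score(f, asset_class, exploit_available, published, compensating_controls) -> float:
    """Re-weight the default CVSS score with the organization's own context."""
    score = f.cvss + ASSET_WEIGHT[asset_class]
    score += 1.5 if exploit_available else 0.0      # public exploit raises urgency
    score += 1.0 if published else 0.0              # internet-facing service
    score -= 2.0 if compensating_controls else 0.0  # WAF, network isolation, etc.
    return max(0.0, min(10.0, round(score, 1)))

def band(score: float) -> str:
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "info"

def triage(f, asset_class, exploit_available=False, published=False, compensating_controls=False):
    """Return (status, default_band, real_band) for one normalized finding."""
    if not f.exploitable:  # vulnerability must exist and be exploitable
        return ("false_positive", band(f.cvss), "none")
    real = real_score(f, asset_class, exploit_available, published, compensating_controls)
    return ("open", band(f.cvss), band(real))

if __name__ == "__main__":
    sast = from_sast({"component": "billing-api", "rule": "CWE-89", "score": 9.8, "confirmed": True})
    dast = from_dast({"target": "www-portal", "plugin": "XSS-reflected", "risk": "High", "reproduced": True})
    print(triage(sast, "sandbox", compensating_controls=True))             # critical by CVSS, medium in context
    print(triage(dast, "crown_jewel", exploit_available=True, published=True))  # high by CVSS, critical in context
```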
BE AGILE, AUTOMATE!
THIS IS DEVOPS, SO..
THAT IS VERY VERY IMPORTANT…
APPSEC VM PIPELINE APPROACH
- App Repo
- Security Orchestrator
- Issue Tracking
- Remediation
- AppSec Tools
- Continuous feedback
- Vuln Tracking
DEMO TIME!