Lessons from building a single pane of AppSec glass

Wednesday 27 November, 11:20 am - 12:00 pm

Speakers

Ralf Huuck

CEO
Logilica

Synopsis

A key challenge to running a modern application security stream in the enterprise is to integrate and standardize across numerous products and vendors. Even when building on more holistic DevSecOps platforms such as Azure, GitHub or GitLab there are commonly several additional products and vendors in the mix.

On top of this, organisations are under pressure to deliver software products at a high velocity. Therefore, AppSec teams need to avoid becoming the bottleneck to delivery. As a consequence, AppSec teams endeavour to have a single pane of glass to aggregate, review and manage all the organisation’s AppSec results in an efficient manner.

This talk is about our experience from building a single pane of glass from the ground up. We outline some of the challenges of integrating different platforms and product categories, the challenge of data storage and result correlation, as well as the ability to create the right reporting environment for different stakeholders.

Moreover, we present some of the fundamental solutions we have adopted to address those challenges. These include relying on industry standards such as SARIF, our data pipelining approach for platform scalability, and traceability down to individual low-level security issues. Finally, this presentation examines some of the cost factors involved in developing such a platform versus going with a third-party solution.
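As an added illustration of the SARIF-based aggregation and result correlation the synopsis refers to (example code, not the speaker's or Logilica's), the sketch below flattens results from two scanners into one record shape and merges findings that point at the same file and line; the tool names, rule ids and findings are constructed.

```python
from collections import defaultdict

def make_sarif(tool, findings):
    """Build a minimal SARIF 2.1.0 log; tool names and findings are constructed test data."""
    return {"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": tool}},
        "results": [{"ruleId": rid, "level": lvl, "message": {"text": msg},
                     "locations": [{"physicalLocation": {
                         "artifactLocation": {"uri": uri},
                         "region": {"startLine": line}}}]}
                    for rid, lvl, msg, uri, line in findings]}]}

def normalize(sarif):
    """Flatten every result of every run into one tool-agnostic record."""
    for run in sarif["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            yield {"tool": tool, "rule": res["ruleId"],
                   "level": res.get("level", "warning"),  # SARIF default level
                   "file": loc["artifactLocation"]["uri"],
                   "line": loc["region"]["startLine"]}

SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}

def correlate(*logs):
    """Merge records by (file, line): one issue flagged by several scanners keeps every tool."""
    groups = defaultdict(list)
    for log in logs:
        for rec in normalize(log):
            groups[(rec["file"], rec["line"])].append(rec)
    merged = []
    for (path, line), recs in sorted(groups.items()):
        top = max(recs, key=lambda r: SEVERITY.get(r["level"], 0))  # keep the highest level
        merged.append({"file": path, "line": line, "level": top["level"],
                       "tools": sorted({r["tool"] for r in recs}),
                       "rules": sorted(f"{r['tool']}:{r['rule']}" for r in recs)})
    return merged

# Constructed sample logs from two hypothetical scanners that overlap on one finding.
LOG_A = make_sarif("SastToolA", [
    ("A-SQLI", "error", "SQL built from user input", "src/db.py", 42),
    ("A-SECRET", "warning", "hard-coded credential", "src/config.py", 7)])
LOG_B = make_sarif("SastToolB", [
    ("B201", "warning", "possible SQL injection", "src/db.py", 42),
    ("B310", "note", "debug flag left enabled", "src/app.py", 3)])

if __name__ == "__main__":
    for issue in correlate(LOG_A, LOG_B):
        print(issue)
```

Real deployments usually add the SARIF `partialFingerprints` and rule taxonomies (e.g. CWE) to the correlation key, since different tools do not always agree on the exact line.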

Introduction

  • Understanding the software delivery process
  • AppSec – What is this and why do we need this?

Existing tooling and processes

  • SAST, SCA, DAST etc.
  • What is this and who is in charge?

A Single Pane of AppSec glass

  • Why is this needed?
  • What are the benefits?
  • What can go wrong?

Lessons from the trenches

  • Integration challenges
  • Correlation challenges
  • Building your own data warehouse?
  • Traceability for getting developer buy-in
  • Reporting for different stakeholders

Blueprint of a solution

  • Unified data formats such as SARIF
  • Scan orchestration
  • Building a data pipeline
  • From security to data analytics

Pros and Cons of DIY

  • Control
  • Extensibility
  • Costs

The Future of AppSec Posture Management

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.