Creating your own appsec pipeline

Most customers in need for security test automation use different CI tools that fit their needs. Getting your security tools in these CI environments makes you fully dependent on the plugins the CI environment provides.
Now, imagine a world where we could configure our security tools once and use this as a blueprint over all the CI tools? Docker helps security engineers to weaponise the customers CI/CD pipe-lines in a heartbeat with hard to configure security tools. Delivering the entire security test automation and vulnerability management solution a scripted manner that roles out in the blink of an eye! 
After we have the basic set-up configured correctly we can start collecting the right tooling to get the job done. There are a lot of things we should take into consideration if we want to cover the entire attack surface. How to secure the application host, containers, manage secrets, and implement static/dynamic analysis tools. Even more importantly, how to ultimately manage all the vulnerabilities in an effective way where we can do delta reporting and false positive suppression to make everything more maintainable? 
Through pain and lessons learned we want to share our experiences in the form of a workshop to give handles and guides to get security automation started in your company!


Riccardo ten Cate, Xebia

As a penetration tester from the Netherlands Riccardo specializes in application security and has extensive knowledge in securing applications in multiple coding languages.

Riccardo has many years of experience in training and guiding development teams becoming more mature and making their applications secure by design.

Riccardo also has expertise on implementing security test automation in CI/CD pipe-lines and is project leader of the OWASP security knowledge framework.

Ben de Haan, Xebia

Ben is an Agile security consultant working for Xebia, with experience as Security Engineer and DevOps engineer. His specialties are DevSecOps and SIEM, and he's a big fan of security automation.

After spending some time implementing and tuning SIEM systems at different customers, he worked on continuous hardening, internal monitoring, and retrieving and aggregating alert data from several customer sites for an MSSP. Ben likes contributing to open source projects like OWASP DefectDojo and Sigma when he gets the opportunity.