An AppSec pipeline applies the principles of DevOps and Lean to the application security program.
The ultimate aim of an AppSec pipeline is to deliver a consistent process from the application security team to its constituency, which typically includes developers, QA, product managers, and senior stakeholders.
An AppSec pipeline is designed for iterative improvement and can organically grow in functionality over time.
Each activity has well-defined states throughout the process flow.
The pipeline relies extensively on automation for repeatable tasks.
Pipelines comprise four distinct areas.
The first is the intake process.
Here customers request AppSec services, such as static, dynamic, or manual assessments, from the AppSec team.
Intake is built around an application repository: a requester either chooses an application from the listing or provides its details manually.
The second part is triage.
Here each request is analysed to decide how the requested services will be applied.
For example, if a request includes an automated scan, triage issues the corresponding scan request to the testing phase.
AppSec Pipeline - Intake and Triage
The image above illustrates the components of the intake and triage phase.
AppSec Pipeline - Testing Phase
The last part of the pipeline is delivery.
Here the results are distributed to the customer.
- In this phase most pipelines integrate with the defect tracker and produce summary metrics and reports for senior management.
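To make the four areas and their well-defined states concrete, the following is an added illustration in Python; it is not code from the project the page describes and not a reference implementation. A request may only move intake -> triage -> testing -> delivered, triage turns each requested service into either an automated scan job or an analyst task, and delivery files every finding in a stand-in defect tracker and returns the severity summary that management reports are built from. The application repository, the service names, the findings returned by demo_runner and the DemoTracker class are all constructed for this example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    """Well-defined states a request passes through in the pipeline."""
    INTAKE = "intake"
    TRIAGE = "triage"
    TESTING = "testing"
    DELIVERED = "delivered"


# Allowed forward transitions; anything else is rejected by advance().
TRANSITIONS = {
    State.INTAKE: {State.TRIAGE},
    State.TRIAGE: {State.TESTING},
    State.TESTING: {State.DELIVERED},
    State.DELIVERED: set(),
}

# Constructed application repository (hypothetical entries) the requester picks from.
APP_REPOSITORY = {
    "payments-api": {"owner": "payments-team", "repo": "git@example.invalid:payments-api.git"},
    "intranet-portal": {"owner": "it-ops", "repo": "git@example.invalid:intranet-portal.git"},
}

# Services the pipeline automates versus those that need an analyst.
AUTOMATED_SERVICES = {"static", "dynamic"}
MANUAL_SERVICES = {"manual"}


@dataclass
class Request:
    app: str
    services: list[str]
    state: State = State.INTAKE
    jobs: list[str] = field(default_factory=list)
    findings: list[dict] = field(default_factory=list)


def advance(req: Request, new_state: State) -> None:
    """Move a request to the next state, refusing skipped or backward moves."""
    if new_state not in TRANSITIONS[req.state]:
        raise ValueError(f"illegal transition {req.state.value} -> {new_state.value}")
    req.state = new_state


def intake(app: str, services: list[str], details: dict | None = None,
           repo: dict = APP_REPOSITORY) -> Request:
    """Intake: the requester picks an application from the repository or supplies details."""
    if app not in repo:
        if details is None:
            raise ValueError(f"unknown application {app!r}; supply details or pick from the listing")
        repo[app] = details
    unknown = set(services) - AUTOMATED_SERVICES - MANUAL_SERVICES
    if unknown:
        raise ValueError(f"unsupported services requested: {sorted(unknown)}")
    return Request(app=app, services=list(services))


def triage(req: Request) -> list[str]:
    """Triage: decide how each requested service is applied (scan job or analyst task)."""
    advance(req, State.TRIAGE)
    for svc in req.services:
        kind = "scan" if svc in AUTOMATED_SERVICES else "analyst"
        req.jobs.append(f"{kind}:{svc}:{req.app}")
    return req.jobs


def run_tests(req: Request, runner) -> list[dict]:
    """Testing: execute each job through the supplied runner and collect findings."""
    advance(req, State.TESTING)
    for job in req.jobs:
        req.findings.extend(runner(job))
    return req.findings


def deliver(req: Request, tracker) -> tuple[list[str], dict[str, int]]:
    """Delivery: file findings in the defect tracker and summarise them by severity."""
    advance(req, State.DELIVERED)
    tickets = [tracker.create(req.app, f) for f in req.findings]
    summary = dict(Counter(f["severity"] for f in req.findings))
    return tickets, summary


# --- constructed stand-ins for the tools a real pipeline would call ---

def demo_runner(job: str) -> list[dict]:
    """Returns constructed findings per service type; no real scanner is invoked."""
    _kind, svc, _app = job.split(":", 2)
    canned = {
        "static": [{"title": "SQL injection in order lookup", "severity": "high"}],
        "dynamic": [{"title": "Missing HSTS header", "severity": "low"}],
        "manual": [{"title": "IDOR on /invoices/{id}", "severity": "medium"}],
    }
    return canned.get(svc, [])


class DemoTracker:
    """Stand-in defect tracker that hands out sequential ticket ids."""
    def __init__(self) -> None:
        self.issues: list[dict] = []

    def create(self, app: str, finding: dict) -> str:
        ticket = f"APPSEC-{len(self.issues) + 1}"
        self.issues.append({"id": ticket, "app": app, **finding})
        return ticket


if __name__ == "__main__":
    req = intake("payments-api", ["static", "dynamic", "manual"])
    triage(req)
    run_tests(req, demo_runner)
    tickets, summary = deliver(req, DemoTracker())
    print(req.state.value, tickets, summary)
```

The point of the TRANSITIONS table is that a request cannot be "delivered" without having passed triage and testing, and cannot be re-triaged once delivered; in a real pipeline the runner and tracker arguments would be the scan orchestrator and the defect-tracker client, which is why they are injected rather than hard-coded.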