AppSec Pipeline
An AppSec pipeline applies the principle of DevOps and lean into the application security program.
The ultimate aim of an AppSec pipeline is to deliver a consistent process from the application security team and the constituency which typically involves the developers, QA, product managers, and senior stakeholders.
An AppSec pipeline is designed for iterative improvement and can organically grow in functionality over time.
Each activity has well-defined states throughout the process flow.
The pipeline extensively depends on automation for repeatable tasks.
AppSec Pipelines
Pipelines comprises of four distinct areas.
The first is the intake process or first impression.
-
Here the customers requests AppSec services such as static, dynamic, or manual assessments from the AppSec team.
-
The intake process comprises of an application repository that a requester will either choose from a listing of applications or provide the details manually.
The second part is triage
-
An analysis is done to apply the requested services.
-
For example, an application request may include an automated scan. In such a case a request would be made to conduct a security scan.
-
AppSec Pipeline - Intake and Triage
The image above illustrates the components of the intake and triage phase.
-
AppSec Pipeline - Testing Phase
AppSec Pipelines
The last part of the pipeline deliver.
Here the results are distributed to the customer.
- In this phase most pipelines integrate with the defect tracker and will produce summary matrices and reports for senior management
