Creating an AppSec Pipeline With Containers in a Week - How We Failed and Succeeded

Offered By: OWASP Foundation via YouTube

Course Description

Overview

Explore the journey of setting up an AppSec pipeline using Docker containers in this 25-minute conference talk from AppSec EU 2017. Discover the challenges faced, solutions implemented, and lessons learned in creating a secure application development workflow. Learn how to combat false positives, leverage existing security products effectively, and minimize disruption to development teams. Gain insights into extending build steps, integrating tools like ZAP and Burp, implementing DAST and reporting, containerizing the process, and addressing issues such as legacy APIs and false negatives. Understand the importance of platform team availability and how to balance security measures with developer productivity.

Syllabus

Intro
About me
The Challenge: The landscape
The Challenge: Existing workflow
The Challenge: New entries
The Solution: Extend build step
The Solution: Feeding ZAP & Burp
The Solution: DAST & reporting
The Solution: Clair
The Solution: Containerize!
The Solution: A starting point
The Solution: Did it work?
False positives
Legacy APIs
Not frustrate developers
Integrating Burp Proxy
False negatives...
Platform team availability
Recap


Taught by

OWASP Foundation
