application security as a service start your application
play

Application Security as a Service: Start Your Application Security - PowerPoint PPT Presentation

Aug 18, 2023 •36.71k likes •37.39k views

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

  1. Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal – Fortify on Demand #MicroFocusCyberSummit

  2. Agenda The Application Security Problem Security Gate Secure DevOps Best Practice Approach Q&A 3

  3. The Application Security Problem

  4. The Majority of Security Breaches Today are From Application Vulnerabilities 80% 90% Percentage of applications containing at Security incidents from exploits against least one critical or high vulnerability. 1 defects in the design or code of software. 2 1 2017 Application Security Research Update” by the HPE Software Security Research team, 2017 5 2 U.S . Department of Homeland Security’s U.S. Computer Emergency Response Team (US -CERT)

  5. Today’s business needs are dramatically increasing the number of applications and the frequency of releases 2020+ 2015 App App 2010 Number of Applications Release Frequency 6

  6. Background Applications are being driven by the business not IT Commissioned by the Capturing personal data is Applications are business the norm proliferating  Focus on “wow factor” and  Key to building the direct  Websites, Facebook marketing related customer relationship applications, Mobile functionality applications, Cloud  Relies on trust between applications  Frequently developed by customer and the brand small boutique  Marketing Campaigns ran consultancies outside normal process, no governance  Intense pressure on timescales  Do you even know how many applications you  Little thought given to non- have? functional requirements

  7. Customer Challenges with Application Security Difficult to train and retain Lack of resources and Growing number of applications AppSec experts, developers expertise and attacks Rapid release cycles and Compliance requirements Securing outsourced, increasing pressure to push apps 3rd party and open source code into production faster

  8. Security Challenge Key Requirements Identify and fix application Implement security issues before Cost Effective application goes into solution rapidly production  Systematic  No complex  Cheaper than existing hardware/software approach  Support all types to install of applications  Predictable  No need to hire, train  Support all development and retain a team of approaches application security experts  No impact on time to market  Scale rapidly to test all applications

  9. Security Gate

  10. Fortify on Demand Security Gate Secure ALL your applications before deployment  Web, Facebook, Mobile, Cloud  In-house, out-sourced, third-party Security Testing Service Code Test Deploy Contract/Outsource Procure Security Gate

  11. Fortify on Demand Cloud-based Application Security Testing Platform Simple Fast Flexible Launch your application security Scale to test all applications in your  Tests all types of applications initiative in < 1 day organization  Web, Facebook, Mobile, Cloud,  No hardware or software investments  1 day turn-around on application Desktop… or maintenance security results  In-house, open source and third  No experts to hire, train and retain  Support 1000s of applications party, commercial applications  OWASP, PCI DSS, FISMA

  12. But can it keep up with DevOps? 3 minutes Average Software 12 months 3 weeks Release Cycle (anticipated) Source: https://medium.com/data-ops/how-software-teams-accelerated-average-release-frequency-from-three-weeks-to-three-minutes-d2aaa9cca918

  13. Secure DevOps

  14. What exactly is DevOps? Means different things to different people DevOps aims to bring applications to market rapidly through:  Cross-functional empowered teams (Business, Dev, Ops, QA) with full lifecycle responsibility for delivering a service Merging of Dev & IT Ops  Rapid code release cycles (working together) Continuous Increased  But large variation in release frequency Integration Agility/Flexibility  Agile Development  Trunk-based with Feature Flags Lean Automation Defining  Service Orientated Architecture on a cloud-based infrastructure Characteristics of DevOps  Tool-chain automation  Continuous Integration/Continuous Testing/Continuous Delivery Faster Time-to- Modern Development Development Security is perceived an inhibitor More Robust Dynamic Apps  Penetration test based release gate is too slow

  15. Secure DevOps Addressing the challenge Best way to deliver secure applications is to build security in  See Software Assurance Maturity Model (SAMM)  With DevOps it’s the only way to deliver secure applications Address security early  Developer Education  Static Application Security Testing(SAST) Security gates still have their place  Dynamic Application Security Testing (DAST) baseline and critical releases Add compensating controls  DAST in production  Runtime Application Self Protection (RASP)

  16. Secure Development Life-Cycle Initiate Define Design Develop Test Implement Operate Strategy & Metrics Policy & Compliance Governance Education & Guidance Threat Assessment Construction Security Requirements Secure Architecture Design Review Verification Code Review Security Testing Issue Management Environment Operations Hardening Operational Enablement See www.opensamm.org

  17. Secure DevOps with Fortify on Demand Application Security Testing on Demand Powered by Industry leading Fortify products Secure DevOps  Fortify SCA – SAST eLearning  With Sonatype SAST Component RASP  Security Assistant – SAST Analysis  WebInspect – DAST  Application Defender – RASP DevOps Available on Demand SAST DAST Baseline  Supported by Security Experts  Quick to get started  Rapid Results SAST  Grows with your business SAST Continuous in IDE  Global datacentres and support Integration Fully integrated in the DevOps Toolchain

  18. Fortify on Demand Role-based Secure DevOps Training Role-based Training  Developers  .NET, Java, C/C++, PHP  Mobile Developers  iOS & Android  Project Managers  QA eLearning  Low cost  Easier to schedule  Highly-scalable  Easy to manage  Easy to enforce

  19. Fortify on Demand Component Analysis with Sonatype Use secure components  Component selection  Version selection

  20. Fortify on Demand Baseline Static Application Security Testing Full test with Fortify SCA  Industry leading SAST  Comprehensive  Accurate Results validation  Ensure full coverage Manual audit by Security Expert  Remove false positives

  21. Fortify Security Assistant Real-time light-weight analysis of code in IDE Eclipse or Visual Studio Plug-in  Inline analysis of the source code as the developer types  Instant results  Continuous Feedback  Not a replacement for a full assessment but catches a significant subset of vulnerabilities. FoD IDE initiated automated scan option for non-supported languages  Component level scan  <100k TLOC 10 mins

  22. Fortify on Demand SAST as part of Continuous Integration Jenkins Plug-in  Invoke SCA scan  Based on baseline scan  Automated results audit using Fortify Scan Analytics  Wait for scan to complete  Returns Pass or Fail based on organizations security policy  Option to publish any new security vulnerabilities into Jira. Visual Studio TFS integration also available Command-line option for other CI tools

  23. Fortify on Demand Dynamic Application Security Testing Baseline DAST DAST for security critical releases Use DAST in production

  24. Application Defender Runtime Application Self-protection Core component of your infrastructure  All environments  Part of your deployment process Compensating Control  Monitors execution of application  Looks for abnormal behavior within application  Monitor or Block  Feedback Integrated with Fortify on Demand  Enable protection based on assessment findings

  25. Best Practice Approach

  26. Implement a Security Gate First Puts security in control  Establish policy  Monitor compliance  Handle exceptions Fortify on Demand addresses the key customer challenges  Lack of in-house resources  Massive scalability Proven approach to reduce application security risk Fast enough for most application developments today 27

  27. Secure DevOps Lifecycle as a Compensating Control DevOps teams can earn the right to be exempt from the gate  Passed security gate with initial version  Secure DevOps lifecycle validated by security  Completeness  Not just CI/CD integration  Effectiveness  Finding vulnerabilities is not enough!  Periodic security gate tests 28

  28. Q&A

  29. #MicroFocusCyberSummit Thank You.

  30. #MicroFocusCyberSummit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
2018-19 Head Start / Preschool Application Have you ever filled out a Head Start application?

2018-19 Head Start / Preschool Application Have you ever filled out a Head Start application?

2018-19 Head Start / Preschool Application Have you ever filled out a Head Start application? Yes No Enrolling Agency Enrolling Site Primary Caregiver General Information First Name M. Init. Last Name Gender Male

440 views • 22 slides
2019-20 Head Start / Preschool Application Have you ever filled out a Head Start application?

2019-20 Head Start / Preschool Application Have you ever filled out a Head Start application?

2019-20 Head Start / Preschool Application Have you ever filled out a Head Start application? Yes No Enrolling Agency Enrolling Site Primary Caregiver General Information First Name M. Init. Last Name Gender Male

297 views • 7 slides
2017-18 Head Start / Preschool Application Have you ever filled out a Head Start application?

2017-18 Head Start / Preschool Application Have you ever filled out a Head Start application?

2017-18 Head Start / Preschool Application Have you ever filled out a Head Start application? Yes No Enrolling Agency Enrolling Site Primary Caregiver General Information First Name M. Init. Last Name Gender Male

431 views • 18 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes

Using Cloud Native Technologies to Solve Complex Application Security Challenges in Kubernetes Deployments Cequence Security: A Cloud Native Approach to Application Security Venture-backed start-up bringing much-needed innovation to

304 views • 17 slides
Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application

Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application

Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application Security Management (ASM) Features and Benefits Performance Review Ordering Information About Application Security Management (ASM)

618 views • 7 slides
The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed systems Walt Williams Who is this bloke? Author of Security for Service Oriented Architecture, CRC press 2014 Director of Information Security,

1.12k views • 55 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security

Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security

Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security Landscape 11/19/14 2 Solution Building blocks Apache CXF Fediz Apache CXF Fediz Single Sign On (WS-Federation) Attribute Based Access

515 views • 29 slides
Application security Application security September 25, 2020 Administrative submittal

Application security Application security September 25, 2020 Administrative submittal

Application security Application security September 25, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab assignments questions in written report form, as a text, pdf, or Word

566 views • 37 slides
Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect

Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect

Practical Web Application Security and OWASP Top 10 with Service Oriented Architectures Adnan Masood Sr. System Architect Green Dot Corporation What this talk is about? 2 This session is an introduction to web application security

839 views • 60 slides
Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Service Application Process Project Covered Application 6 major steps before energization. For

Service Application Process Project Covered Application 6 major steps before energization. For

Service Application Process Project Covered Application 6 major steps before energization. For each step, the customer and Meralco have responsibilities to fulfill 5 1 2 3 4 6 Design Presentation Payment / Construct Receipt of

702 views • 33 slides
Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems

Application Logic Flaws Professor Larry Heimann Web Application Security Information Systems Discussion of Lab 6 Due end of the week on October 17th (11:59am) Complete findings record, attach screenshots and/or code files to confirm

847 views • 16 slides
Relational Non-Relational Rational Agile Predictable Flexible Traditional

Relational Non-Relational Rational Agile Predictable Flexible Traditional

B IG D ATA A NALYTICS R EFERENCE A RCHITECTURES AND C ASE S TUDIES Relational vs. Non-Relational Architecture Relational Non-Relational Rational Agile Predictable Flexible Traditional Modern 2 Agenda Tips for Big Data

834 views • 29 slides
STEM CHALLENGE THE NUTS &amp; BOLTS Madi Burns New Mexico State University College of

STEM CHALLENGE THE NUTS &amp; BOLTS Madi Burns New Mexico State University College of

STEM CHALLENGE THE NUTS &amp; BOLTS Madi Burns New Mexico State University College of Engineering Overview o CRITERIA REFRESHER o CHALLENGE QUESTION &amp; SUBTOPICS o PROPOSAL SUBMISSION COMPONENTS o GRADING &amp; EVALUATION o STATEWIDE

222 views • 19 slides
Continuous Innovation through DevOps Pipelines Andreas Grabner: @grabnerandi,

Continuous Innovation through DevOps Pipelines Andreas Grabner: @grabnerandi,

Continuous Innovation through DevOps Pipelines Andreas Grabner: @grabnerandi, andreas.grabner@dynatrace.com Slides: http://www.slideshare.net/grabnerandi Podcast: https://www.spreaker.com/show/pureperformance The Story started in 2009

788 views • 63 slides
The American Rocketry Challenge 2020 Presentation Competition Rules UPDATED April 3, 2020

The American Rocketry Challenge 2020 Presentation Competition Rules UPDATED April 3, 2020

The American Rocketry Challenge 2020 Presentation Competition Rules UPDATED April 3, 2020 Overview Despite postponing the 2020 competition until 2021, we still know how much hard work teams put into their rockets this year. To give teams a

552 views • 3 slides
Deep Foundation Testing, Multiple Topics Brent Robinson, Ph.D., P.E. www.grlengineers.com |

Deep Foundation Testing, Multiple Topics Brent Robinson, Ph.D., P.E. www.grlengineers.com |

Deep Foundation Testing, Multiple Topics Brent Robinson, Ph.D., P.E. www.grlengineers.com | info@grlengineers.com www.grlengineers.com | info@grlengineers.com Deep Foundation Testing, Multiple Topics PDA/CAPWAP applied to large diameter

883 views • 71 slides
W13 November 6, 2002 3:15 PM T ACKLING THE T EST A UTOMATION C HALLENGE : T HE C ENTRALIZED T EAM

W13 November 6, 2002 3:15 PM T ACKLING THE T EST A UTOMATION C HALLENGE : T HE C ENTRALIZED T EAM

BIO PRESENTATION DEMO SHEETS W13 November 6, 2002 3:15 PM T ACKLING THE T EST A UTOMATION C HALLENGE : T HE C ENTRALIZED T EAM A PPROACH Dave Torresan and Jeff Beange RBC Financial Group International Conference On Software Testing Analysis

1.35k views • 33 slides
Taking SiC Power Devices to the Final Frontier: Addressing Challenges of the Space Radiation

Taking SiC Power Devices to the Final Frontier: Addressing Challenges of the Space Radiation

National Aeronautics and Space Administration Taking SiC Power Devices to the Final Frontier: Addressing Challenges of the Space Radiation Environment Jean-Marie Lauenstein and Megan Casey NASA Goddard Space Flight Center (GSFC)

585 views • 36 slides
C challenge the UDF zone. As a positive point the = DP x log( ) (1) challenging

C challenge the UDF zone. As a positive point the = DP x log( ) (1) challenging

New guideline on testing operating theatres in the Netherlands Frans W. Saurwalt 1 1 Kropman Contamination Control, Nijmegen, The Netherlands, frans.saurwalt@kropman.nl 1 Vice president of project group 4 of VCCN (Dutch Contamination Control

825 views • 4 slides

More recommend