Application Security as a Service: Start Your Application Security - - PowerPoint PPT Presentation



SLIDE 1

#MicroFocusCyberSummit

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

David Harper, Practice Principal – Fortify on Demand

SLIDE 2

Agenda

  • The Application Security Problem
  • Security Gate
  • Secure DevOps
  • Best Practice Approach
  • Q&A

SLIDE 3

The Application Security Problem

SLIDE 4

The Majority of Security Breaches Today are From Application Vulnerabilities

Security incidents from exploits against defects in the design or code of software.²

Percentage of applications containing at least one critical or high vulnerability.¹

[Chart: 90% 80%]

¹ “2017 Application Security Research Update” by the HPE Software Security Research team, 2017
² U.S. Department of Homeland Security’s U.S. Computer Emergency Response Team (US-CERT)

SLIDE 5

Today’s business needs are dramatically increasing the number of applications and the frequency of releases

[Chart: Release Frequency and Number of Applications, 2010, 2015, 2020+]

SLIDE 6

Background

Applications are being driven by the business not IT

Commissioned by the business

  • Focus on “wow factor” and marketing related functionality
  • Frequently developed by small boutique consultancies
  • Intense pressure on timescales
  • Little thought given to non-functional requirements

Capturing personal data is the norm

  • Key to building the direct customer relationship
  • Relies on trust between customer and the brand

Applications are proliferating

  • Websites, Facebook applications, Mobile applications, Cloud applications
  • Marketing Campaigns run outside normal process, no governance
  • Do you even know how many applications you have?

SLIDE 7

Customer Challenges with Application Security

  • Securing outsourced, 3rd party and open source code
  • Difficult to train and retain AppSec experts, developers
  • Lack of resources and expertise
  • Growing number of applications and attacks
  • Rapid release cycles and increasing pressure to push apps into production faster
  • Compliance requirements

SLIDE 8

Security Challenge

Key Requirements

Identify and fix application security issues before application goes into production

  • Systematic
  • Support all types of applications
  • Support all development approaches
  • No impact on time to market

Implement solution rapidly

  • No complex hardware/software to install
  • No need to hire, train and retain a team of application security experts
  • Scale rapidly to test all applications

Cost Effective

  • Cheaper than existing approach
  • Predictable

SLIDE 9

Security Gate

SLIDE 10

Security Gate

Secure ALL your applications before deployment

  • Web, Facebook, Mobile, Cloud
  • In-house, out-sourced, third-party

Fortify on Demand Security Gate

[Diagram: Security Testing Service; Deploy, Code, Test, Contract/Outsource, Procure]

SLIDE 11

Fortify on Demand

Cloud-based Application Security Testing Platform

Launch your application security initiative in < 1 day

Simple

  • No hardware or software investments or maintenance
  • No experts to hire, train and retain

Fast

  • Scale to test all applications in your organization
  • 1 day turn-around on application security results
  • Support 1000s of applications

Flexible

  • Tests all types of applications
  • Web, Facebook, Mobile, Cloud, Desktop…
  • In-house, open source and third party, commercial applications
  • OWASP, PCI DSS, FISMA

SLIDE 12

But can it keep up with DevOps?

Average Software Release Cycle

12 months → 3 weeks → 3 minutes (anticipated)

Source: https://medium.com/data-ops/how-software-teams-accelerated-average-release-frequency-from-three-weeks-to-three-minutes-d2aaa9cca918

SLIDE 13

Secure DevOps

SLIDE 14

What exactly is DevOps?

Means different things to different people. DevOps aims to bring applications to market rapidly through:

  • Cross-functional empowered teams (Business, Dev, Ops, QA) with full lifecycle responsibility for delivering a service
  • Rapid code release cycles
  • But large variation in release frequency
  • Agile Development
  • Trunk-based with Feature Flags
  • Service Orientated Architecture on a cloud-based infrastructure
  • Tool-chain automation
  • Continuous Integration/Continuous Testing/Continuous Delivery

Security is perceived as an inhibitor

  • Penetration test based release gate is too slow

Defining Characteristics of DevOps

Merging of Dev & IT Ops (working together)

[Diagram: Increased Agility/Flexibility, Continuous Integration, Automation, Lean, Faster Time-to-Development, Modern Development, More Robust Dynamic Apps]

SLIDE 15

Secure DevOps

Addressing the challenge

Best way to deliver secure applications is to build security in

  • See Software Assurance Maturity Model (SAMM)
  • With DevOps it’s the only way to deliver secure applications

Address security early

  • Developer Education
  • Static Application Security Testing (SAST)

Security gates still have their place

  • Dynamic Application Security Testing (DAST) baseline and critical releases

Add compensating controls

  • DAST in production
  • Runtime Application Self Protection (RASP)

SLIDE 16

Secure Development Life-Cycle

[Diagram: lifecycle phases Initiate, Define, Implement, Design, Develop, Test, Operate]

Governance

  • Strategy & Metrics
  • Policy & Compliance
  • Education & Guidance

Construction

  • Threat Assessment
  • Security Requirements
  • Secure Architecture

Verification

  • Design Review
  • Code Review
  • Security Testing

Operations

  • Issue Management
  • Environment Hardening
  • Operational Enablement

See www.opensamm.org

SLIDE 17

Secure DevOps with Fortify on Demand

Application Security Testing on Demand

Powered by Industry leading Fortify products

  • Fortify SCA – SAST
  • With Sonatype
  • Security Assistant – SAST
  • WebInspect – DAST
  • Application Defender – RASP

Available on Demand

  • Supported by Security Experts
  • Quick to get started
  • Rapid Results
  • Grows with your business
  • Global datacentres and support

Fully integrated in the DevOps Toolchain

[Diagram: DevOps toolchain with Secure DevOps eLearning, SAST Component Analysis, SAST Baseline, SAST in IDE, SAST Continuous Integration, DAST, RASP]

SLIDE 18

Fortify on Demand

Role-based Secure DevOps Training

Role-based Training

  • Developers
  • .NET, Java, C/C++, PHP
  • Mobile Developers
  • iOS & Android
  • Project Managers
  • QA

eLearning

  • Low cost
  • Easier to schedule
  • Highly-scalable
  • Easy to manage
  • Easy to enforce

SLIDE 19

Fortify on Demand

Component Analysis with Sonatype

Use secure components

  • Component selection
  • Version selection

SLIDE 20

Fortify on Demand

Baseline Static Application Security Testing

Full test with Fortify SCA

  • Industry leading SAST
  • Comprehensive
  • Accurate

Results validation

  • Ensure full coverage

Manual audit by Security Expert

  • Remove false positives

SLIDE 21

Fortify Security Assistant

Real-time light-weight analysis of code in IDE

Eclipse or Visual Studio Plug-in

  • Inline analysis of the source code as the developer types
  • Instant results
  • Continuous Feedback
  • Not a replacement for a full assessment but catches a significant subset of vulnerabilities.

FoD IDE initiated automated scan option for non-supported languages

  • Component level scan
  • <100k TLOC 10 mins

SLIDE 22

Fortify on Demand

SAST as part of Continuous Integration

Jenkins Plug-in

  • Invoke SCA scan
  • Based on baseline scan
  • Automated results audit using Fortify Scan Analytics
  • Wait for scan to complete
  • Returns Pass or Fail based on organization’s security policy
  • Option to publish any new security vulnerabilities into Jira.

Visual Studio TFS integration also available

Command-line option for other CI tools

SLIDE 23

Fortify on Demand

Dynamic Application Security Testing

  • Baseline DAST
  • DAST for security critical releases
  • Use DAST in production

SLIDE 24

Application Defender

Runtime Application Self-protection

Core component of your infrastructure

  • All environments
  • Part of your deployment process

Compensating Control

  • Monitors execution of application
  • Looks for abnormal behavior within application
  • Monitor or Block
  • Feedback

Integrated with Fortify on Demand

  • Enable protection based on assessment findings

SLIDE 25

Best Practice Approach

SLIDE 26

Implement a Security Gate First

Puts security in control

  • Establish policy
  • Monitor compliance
  • Handle exceptions

Fortify on Demand addresses the key customer challenges

  • Lack of in-house resources
  • Massive scalability

Proven approach to reduce application security risk

Fast enough for most application developments today
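The Pass/Fail CI gate of slide 22 and the establish-policy / monitor-compliance / handle-exceptions model of this slide, as an added example that is not Fortify on Demand code: a policy check over constructed scan findings with per-severity limits, time-boxed waivers and a baseline diff that marks which findings are new for ticketing. The finding fields, policy shape and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Finding:
    rule_id: str    # scanner issue category, e.g. "sql_injection" (constructed)
    severity: str   # "critical" | "high" | "medium" | "low"
    location: str   # file:line; used as the identity of a finding instance

@dataclass
class Policy:
    # Maximum open findings tolerated per severity; None means unlimited.
    max_open: dict = field(default_factory=lambda: {"critical": 0, "high": 0})
    # Approved exceptions: finding location -> expiry date of the waiver.
    exceptions: dict = field(default_factory=dict)

def evaluate_gate(findings, policy, baseline=frozenset(), today=None):
    """Return (passed, report). Waived findings are skipped until the waiver
    expires; findings absent from the baseline scan are listed as 'new'."""
    today = today or date.today()
    counts, new = {}, []
    for f in findings:
        expiry = policy.exceptions.get(f.location)
        if expiry is not None and expiry >= today:
            continue                       # valid waiver: not counted
        counts[f.severity] = counts.get(f.severity, 0) + 1
        if f.location not in baseline:
            new.append(f)                  # candidate for a Jira-style ticket
    violations = {sev: counts.get(sev, 0)
                  for sev, limit in policy.max_open.items()
                  if limit is not None and counts.get(sev, 0) > limit}
    return not violations, {"open": counts, "violations": violations, "new": new}

# Constructed sample: the baseline already knew about the medium issue,
# the critical issue has an approved waiver, the high issue is new.
SAMPLE = [
    Finding("sql_injection", "critical", "src/db.py:42"),
    Finding("xss_reflected", "high", "src/views.py:17"),
    Finding("weak_hash", "medium", "src/auth.py:88"),
]
BASELINE = frozenset({"src/auth.py:88"})
POLICY = Policy(exceptions={"src/db.py:42": date(2030, 1, 1)})

def demo(today_iso="2024-01-01"):
    return evaluate_gate(SAMPLE, POLICY, BASELINE, date.fromisoformat(today_iso))

if __name__ == "__main__":
    passed, report = demo()
    print("PASS" if passed else "FAIL", report)
```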

SLIDE 27

Secure DevOps Lifecycle as a Compensating Control

DevOps teams can earn the right to be exempt from the gate

  • Passed security gate with initial version
  • Secure DevOps lifecycle validated by security
  • Completeness
  • Not just CI/CD integration
  • Effectiveness
  • Finding vulnerabilities is not enough!
  • Periodic security gate tests

SLIDE 28

Q&A

SLIDE 29

Thank You.

#MicroFocusCyberSummit
