AppSec at High Speed and Scale: Agility, Integration & Automation - PowerPoint PPT Presentation

SLIDE 1

AppSec at High Speed and Scale

Agility, Integration & Automation

Scott Johnson, Fortify GM

#MicroFocusCyberSummit

SLIDE 2

Forward Looking Statements: Legal Disclaimer

This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Micro Focus's predictions and / or expectations as of the date of this document and actual results and future plans of Micro Focus may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.

SLIDE 3

Agenda

  • AppSec trends
  • Today’s trend is tomorrow’s challenge
  • Meeting the challenge, accelerating for tomorrow
  • Roadmap

SLIDE 4

AppSec Trends

SLIDE 5

Tsunami of Apps

1000 applications and counting…

SLIDE 6

Speed vs Depth

“I want 5 minute scans with no false positives.”

SLIDE 7

Developer User Story

We have seen the AppSec team AND IT IS YOU! (the developer)

SLIDE 8

More Code, More Problems …

SLIDE 9

More code…

SLIDE 10

More code, more vulns …

SLIDE 11

More vulns …

SLIDE 12

More vulns, more risk …

SLIDE 13

More risk, more pressure!

SLIDE 14

Solutions and Examples

SLIDE 15

You need an AppSec pressure relief valve!

SLIDE 16

Innovation/Roadmap Themes

  • Integration
  • Automation
  • Agility
  • On-premise / On Demand
  • Fortify Ecosystem
  • Software Security Research

  • Static Analysis – SCA: Scan and Assess Source Code
  • Dynamic Analysis – WebInspect: Web Application Vuln Scanning
  • Runtime Analysis – App Defender: Application Protection & Monitoring

SLIDE 17

Fortify Integration

Fortify Ecosystem

SLIDE 18

Fortify Integration

https://fortify.github.io/

  • JS Sandbox Project
  • Jenkins Plugin
  • Bug Tracker Tools
  • Swagger supported RestAPIs
  • SSC Parser Sample

SLIDE 19

Fortify Integration

Bamboo Plugin

https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview

VSTS Extension

https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts

SLIDE 20

Fortify Integration

Snyk Integration

SLIDE 21

Fortify Automation

Audit Assistant

Auto-train, Auto-predict, Auto-tag

  • Unaudited results enter SSC
  • Audited issues arrive in SSC
  • Audit assistant derives anonymous issue metrics and securely sends to scan analytics
  • Classifiers report verified vulnerabilities with up to 98% accuracy

SLIDE 22

Fortify Automation

Centralized Translation & Scanning

  • Lightweight utility for Devs
  • No need to install SCA on build server
  • Payload automatically transferred to controller
  • Smart control queueing & monitoring
  • Automated scan results submission

Benefits

  • Cross language support
  • Removes dependency issues
  • Reduced infrastructure costs
  • Centrally managed
  • Designed for Enterprise Dev enablement

SLIDE 23

Fortify Automation

Slack Enabled FoD!

  • Release updates
  • Application changes
  • Reports and scan status

SLIDE 24

Fortify Agility

Security Assistant for Visual Studio

SLIDE 25

Fortify Agility

Swift Language Support

  • SCA 18.10 has support for:
    • Swift 4
    • Xcode 9, 9.1, 9.2
    • Latest Obj-C
  • SCA 18.11 has support for:
    • Swift 4.1.x
    • Xcode 9.3, 9.4
    • Latest Obj-C

Support within 3 to 6 weeks of Apple updates!

SLIDE 26

Fortify Roadmap

SLIDE 27

Fortify Roadmap

Fortify - SCA / SSC / WebInspect / Fortify on Demand

This is a rolling (up to three year) Roadmap and is subject to change without notice

Q118 Q218

Targeted Available

  • Application issue templates
  • “Your Scans” page view
  • Nexgen Open Source integration with Sonatype
  • Tools update: IntelliJ audit
  • Delivery optimization

FoD 18.1

  • Audit assistant prediction automation (analytics built-in)
  • Languages updates: ECMA 2016/2017, Swift 4/4.1, Xcode 9.x, Python 3.x, Xamarin, Scala-Play
  • SSC scalability and token management
  • SSC UX refresh and branding
  • Tools update: Security Assistant for Visual Studio, Bamboo plugin
  • Headless dynamic architecture
  • Dynamic setup simplification and dockerized deployment

On-Premise 18.1

  • Nexgen dynamic scanning automation
  • Tools update: Security Assistant for Visual Studio, Bamboo plugin
  • Dashboarding & analytics
  • Delivery optimization
  • Dynamic automation
  • Performance & scalability
  • Faster remediation
  • Improved new user UX
  • Improved open source analysis (JS support)

FoD Upcoming

  • Dynamic automation (WI + nexgen platform)
  • Performance & scalability
  • Integrations (API v4, DevOps toolchain)
  • False positive reduction
  • Dashboarding & analytics
  • Static automation

FoD Future ‒ High level themes / On-Premise Upcoming

  • Continued focus on customer driven innovation features for: Integration / Automation / Agility
  • Examples include: Plugin consolidation, Angular, Java 11, Python-Django, Swift 5, Go, Ruby on Rails, centralized scanning and dependency orchestration, dynamic shift left
  • Licensing simplification

On-Premise Future / FoD 18.2

  • SSC Audit page redesign, SSC scalability
  • Centralized scanning phase 1
  • Languages updates: TypeScript, Swift 4.2/Xcode 10, Python 2 update, Obj-C, .NET MSBuild, SCA logging enhancements, C/C++
  • New Jenkins plugin with pipelines and build fail support
  • Dynamic headless tech preview
  • WI Firefox update, extended crawling support w/Angular 4+, REST API improvements, sensor management

SLIDE 28

Thanks!

#MicroFocusCyberSummit

SLIDE 29

#MicroFocusCyberSummit