Building an AppSec Practice in a Fast-moving Environment: The Power of On-premises and as a Service

Panel Facilitator: Stan Wisseman. Panelists: Troy Bowen, Verizon; Steve Pettit, Verizon; Michael Gutsche, Micro Focus. #MicroFocusCyberSummit


SLIDE 1

#MicroFocusCyberSummit

Building an AppSec Practice in a Fast-moving Environment: The Power of On-premises and as a Service

Panel Facilitator: Stan Wisseman Panelists: Troy Bowen, Verizon Steve Pettit, Verizon Michael Gutsche, Micro Focus

SLIDE 2

A Reactive Approach to AppSec is Inefficient and Expensive

[Figure: "Cost to Remediate" across the SDLC phases Requirements, Design/Architecture, Coding, Testing and Deployments/Maintenance. The multipliers 7X, 15X and 30X are shown against the later phases (Coding, Testing, Deployments/Maintenance), i.e. remediation cost rises the later a flaw is found.]

The two reactive loops shown on the slide:

Flaw found in QA:
  • Somebody builds insecure software
  • QA finds vulnerabilities in software
  • We convince & pay the developer to fix it, thereby delaying the release

Flaw found in production:
  • Somebody builds insecure software
  • IT deploys the insecure software
  • We are breached or pay to have someone tell us our code is bad
  • We convince and pay the developer to fix it

Source: NIST Study, 2002

SLIDE 3

Goals and Benefits of an Application Security Program

A successful application security program needs to:

  • Map security priorities to business priorities
  • Assess the current state and target state using a security program maturity model
  • Seamlessly integrate into development processes

Source: “Application Security Guide for CISOs,” OWASP, 2013

The mitigation of application security risks is not a one-time exercise; rather, it is an ongoing activity that requires paying close attention to emerging threats and planning ahead for the deployment of new security measures to mitigate these new threats. This includes planning for the adoption of new application security activities, processes, controls and training.

SLIDE 4

Building an AppSec Program – Major Milestones

[Figure: milestone roadmap laid out across five phases: Assess / Design, Development, Implementation, Operate / Transition, Mature / Operate. The milestone groups shown on the roadmap, with their sub-items, are listed below.]

Assess
  • Workshop
  • Baseline Assessment
  • Requirements
  • Data Readiness
  • Roadmap

Maturity Assessment

Architecture design

Solution Roadmap

Project Planning

Staff Planning
  • Role definition
  • Interviews
  • Hiring

Processes & Procedures
  • Business
  • Operational
  • Technical
  • Analytical

Analyst Development Plan
  • Hiring + Training

Workflow Creation

Data Onboarding

Initial Monitoring Capability

Deployment
  • Toolset Deployment
  • Toolset integration

SOC Process & Procedures

Business Process Integration
  • Activate development and SDL
  • Rollout of Processes and Procedures (documentation and training)

AppSec Operations go-live

Deliver KPIs and Metrics

Update Roadmap

AppSec Maturation
  • Enhancements, monitoring & system tuning, process and technology adjustments
  • Advanced Analysis
  • Integrated Hunt Operations
  • ML / Analytics
  • ODS

Source: Fortify Professional Services, 2018

SLIDE 5

Companies are Adopting DevOps for Rapid Development

… but security is often outside of the process

Source: Micro Focus 2017 Application Security Research Update

[Figure: DevOps delivery pipeline: Business Demand → Planning → App Development → App Testing → App Release → Release Decision → Deployed App, with a "Security ?" callout sitting outside the pipeline. Pipeline goals shown: Increase Automation, Reduce Latency, Increase Visibility.]

SLIDE 6

DevOps Teams Starting to Recognize the Importance of Integrating Security

Collaborating with security ranked as the most important strategy for DevOps in regulated industries. But security teams can’t keep up, as development teams are growing at an 80:1 ratio.

Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc., 2017

SLIDE 7

Modern Application Security Programs Need to Adapt

Drivers shown on the slide:

  • Continuous Development
  • Continuous Integration
  • DevOps
  • Agility
  • Automation
  • Bimodal IT
  • Microservices and containers
  • Cloud
  • Mobile Apps
  • Internet of Things
  • More robust and dynamic apps
  • New languages
  • Open Source Software Components
  • Software Supply Chain
  • Skills

SLIDE 8

Panel

SLIDE 9

Thank You.

#MicroFocusCyberSummit

SLIDE 10

#MicroFocusCyberSummit