microfocuscybersummit automate static and dynamic scans
play

#MicroFocusCyberSummit Automate Static and Dynamic Scans, CI/CD - PowerPoint PPT Presentation

Sep 26, 2022 •348 likes •583 views

#MicroFocusCyberSummit Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for Fast, Reliable Results Rick Smith, Senior Product Manager Jimmy Rabon, Senior Product Manager #MicroFocusCyberSummit Automation Static Analysis

  1. #MicroFocusCyberSummit

  2. Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for Fast, Reliable Results Rick Smith, Senior Product Manager Jimmy Rabon, Senior Product Manager #MicroFocusCyberSummit

  3. Automation – Static Analysis Place secure code in SCM 7 Build, scan Translation Code Server 1 Repair MY Source Code 6 Mgmt System issues Developer Fortify SCA Audited scans merged IDE Plug-in with new scans 2 Automated Security 6 Integration Build / Analysis Analysis New / critical issues Fortify SCA, Maven, Ant, Make, exist alert MSBuild, CI System) 3 Prerequisites: Fortify Software Security Center 1) Base line scan performed 4 2) Report is triaged 100% Defects 5 Triage & 3) Filters created in project assign ALL templates to be applied for issues future audits (applied by SSC) Project Technical Defect Mgmt System Security Leader Scan Server

  4. Automation – DevOps Tool Chain IDEs Requirements & Issues Communication & ChatOps Containers  Eclipse  Attlasian  Junit  HipChat  Docker Bamboo  Micro Focus  IntelliJ  Microsoft SharePoint  Bugzilla ALM Octane  CA Service Desk  Micro Focus  Microsoft Visual Studio  Microsoft Team Foundation Manager Quality Center Server  Datadog  Microsoft Team Foundation  Slack  FogzBugz Server  JIRA  Rally Code Repositories & Apps Build Servers & Tools Configuration Automation Cloud  Bitbucket  Apache Ant  Microsoft  Bladelogic  Amazon Web Services Powershell  Atlassian  Git  Chef  Cloudera Bamboo  Microsoft Team Foundation  Github  Puppet  Microsoft Azure  Cucumber Server  Jenkins  JIRA  Micro Focus Server  TeamCity Automation  Maven  Mercurial  Servicenow  Microsoft Team Foundation Server 4

  5. Pushing the Boundaries of Static Analysis with Automation 5

  6. Breaking Barriers and Integrating DAST to SDLC  AppSec integration specifically DAST has challenges  Dependency on App specific knowledge  Dependency on Tool specific knowledge Dev Ops  Process and configuration knowledge  Traditionally DAST is run as a gating Security process rather than an enabling process QA  Tension between feature release vs secure release 6

  7. Fortify DAST - Product Vision & Strategy Integration Automation Agility 7

  8. Customer Demo and Success Story –Aaron’s Jeremy Brooks #MicroFocusCyberSummit

  9. DAST @Aaron’s Jeremy Brooks Application Security Lead jeremy.brooks@aarons.com

  10. About Aaron’s • Founded June 19, 1955 • ~10000 Employees • ~1700 stores across the US and Canada • $3+ billion in revenue • Brick and mortar and online sales and leasing • https://www.aarons.com

  11. About Aaron’s Tech • Solutions Delivery • Culture – Squad based delivery – Embrace & Drive Change teams – Value Data Over Opinion • Omnichannel – Listen. Challenge. Commit. • Store – Think Two-Sided • Payments • Data analytics – https://tech.aarons.com – 40+ applications – Multiple releases per day

  12. Challenges For AppSec • On-boarding new applications is time consuming – Authentication – Business logic – Coverage and Discoverability • Scalability – New functionality – New end points – New applications This feels like duplication of effort. Isn’t someone already testing these applications? 12

  13. QA + Security = Better Together • Aaron’s DAST Strategy – Create a partnership with QA – Deploy technologies that enable security – Build DAST into the pipeline – Multiply effort 13

  14. Phalanx Overview • Services to manage proxies and DAST scans • Sandbox for manual scans • Coordinates load across scan agents 14

  15. Phalanx Architecture 15

  16. Web App for Manual Workflow • Self guided • Sandboxed

  17. WebInspect REST API + Phalanx • Start capturing proxy • Configure functional test to use proxy • Run functional test and capture traffic • Add scan to queue and test run completed • Tear everything down • Phalanx manages scan queue 17

  18. QA Automation Pipeline • Tests created using N-Unit • Octopus deploys application • Teamcity job polls Octopus Deploy • Triggers test run on successful build • Unit tests make calls to WI API and wire up proxy • Functional tests run, proxy collects traffic • Unit tests queues scan using proxy traffic • Phalanx manages scan queue 18

  19. Lessons Learned and Next Steps • Test in QA – DAST scans can take systems down, trigger lockouts and cause other undesirable side-effects • Make sure you can revert your environment – WebInspect can add a lot of garbage data to your databases, file systems, etc • Make sure Dev, Ops, QA and CIRT are aware of your scan schedule – No one likes surprises! • Include identifying attributes in your scan name – Make it easy to link a DAST scan back to a functional test run • Close the feedback loop – Slack integration 19

  20. Special Thanks • Edwin Deliz – QA Manager • Anthony Burt – QA Engineer

  21. Thank You. #MicroFocusCyberSummit

  22. #MicroFocusCyberSummit #MicroFocusCyberSummit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

Static/ Dynamic Deformation I ntroduction to Static deformation Dynamic deformation Static/ Dynamic Deformation with Mass-Spring Systems undeformed shape f internal + = f inertia = 0 f external Min Gyu Choi deformed

426 views • 4 slides
Dynamic, and Mobile with Fortify on Demand Rick Smith Product Manager #MicroFocusCyberSummit

Dynamic, and Mobile with Fortify on Demand Rick Smith Product Manager #MicroFocusCyberSummit

Using Automatic and Manual Tests for Static, Dynamic, and Mobile with Fortify on Demand Rick Smith Product Manager #MicroFocusCyberSummit Agenda Identifying the cost Identifying the tool A quick case study 2 Thinking about the cost 3

261 views • 25 slides
Web Scraping Ben Williams October 9 th 2020 Non-Static Websites Dynamic Websites APIs

Web Scraping Ben Williams October 9 th 2020 Non-Static Websites Dynamic Websites APIs

Web Scraping Ben Williams October 9 th 2020 Non-Static Websites Dynamic Websites APIs Dynamic Websites Drop-downs Scrolling Pop-ups Inputting password Examples Web-Crawling Automate movement through websites

963 views • 24 slides
Project AutoMate SESAME: Dynamic Context Aware Access Control G. Zhang, The AutoMate Group The

Project AutoMate SESAME: Dynamic Context Aware Access Control G. Zhang, The AutoMate Group The

Project AutoMate SESAME: Dynamic Context Aware Access Control G. Zhang, The AutoMate Group The Applied Software Systems Laboratory Rutgers, The State University of New Jersey http://automate.rutgers.edu CAIP Autonomic Computing

380 views • 6 slides
Static and dynamic verification Static and dynamic V&V Software inspections Concerned

Static and dynamic verification Static and dynamic V&V Software inspections Concerned

1 2 Static and dynamic verification Static and dynamic V&V Software inspections Concerned with analysis of the static system Static representation to discover problems (static verification verification) May be supplement by

107 views • 6 slides
Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have

Type Systems: Big Idea Static vs. Dynamic Typing Expressiveness (+ Dynamic) Dont have to worry about types (+ Dynamic) Dependent on input (- Dynamic) Runtime overhead (- Dynamic) Serve as documentation (+ Static)

572 views • 24 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Developer-centric Application Security Scans Ray Kelly, Practice Principal - Fortify Sherman

Developer-centric Application Security Scans Ray Kelly, Practice Principal - Fortify Sherman

Developer-centric Application Security Scans Ray Kelly, Practice Principal - Fortify Sherman Monroe, Senior Security Consultant Thomas Ryan, Fortify Solutions Architect #MicroFocusCyberSummit Session Agenda Mobile Apps The Bad, The Worse

694 views • 44 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
#MicroFocusCyberSummit Preparing for When Your Organization Will be Breached: Prioritizing and

#MicroFocusCyberSummit Preparing for When Your Organization Will be Breached: Prioritizing and

#MicroFocusCyberSummit Preparing for When Your Organization Will be Breached: Prioritizing and Protecting Paulo Veloso Shogo Cottrell #MicroFocusCyberSummit Whats happening in the market? Approximately 40,000 Tesco Bank accounts were

501 views • 36 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
How tests and proofs impede one another: The need for always-on static and dynamic feedback

How tests and proofs impede one another: The need for always-on static and dynamic feedback

How tests and proofs impede one another: The need for always-on static and dynamic feedback static and dynamic feedback Michael Ernst joint work with Michael Bayne University of Washington 3 rd Intl Conference on Tests And Proofs July 1,

790 views • 65 slides
Configuration Management wangth Computer Center, CS, NCTU Automate, automate, automate q

Configuration Management wangth Computer Center, CS, NCTU Automate, automate, automate q

Configuration Management wangth Computer Center, CS, NCTU Automate, automate, automate q Automated setup of new machines Not just OS installation, also includes all the additional software and local configuration necessary q Systematic

228 views • 18 slides
Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &

Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science &

Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science & Artificial Intelligence Lab http://pag.csail.mit.edu/~mernst/ PASTE June 7, 2004 Michael Ernst, page 1 Goals Theme: Static and dynamic analyses

451 views • 34 slides
On the dynamic programming principle for static and dynamic inverse problems Stefan Kindermann,

On the dynamic programming principle for static and dynamic inverse problems Stefan Kindermann,

On the dynamic programming principle for static and dynamic inverse problems Stefan Kindermann, Industrial Mathematics Institute Johannes Kepler University Linz, Austria joint work with Antonio Leitao, University of Santa Catarina, Brazil

585 views • 29 slides
Trade-offs in Static and Dynamic Query Evaluation Ahmet Kara, Milos Nikolic Dan Olteanu, and

Trade-offs in Static and Dynamic Query Evaluation Ahmet Kara, Milos Nikolic Dan Olteanu, and

Trade-offs in Static and Dynamic Query Evaluation Ahmet Kara, Milos Nikolic Dan Olteanu, and Haozhe Zhang fdbresearch.github.io KOCOON Workshop 2019, Arras Static and Dynamic Query Evaluation Static Query Evaluation preprocessing

1.38k views • 51 slides
EATR: ENERGETICALLY AUTONOMOUS TACTICAL ROBOT DARPA Contract W31P4Q-08-C-0292 Presented By: Dr.

EATR: ENERGETICALLY AUTONOMOUS TACTICAL ROBOT DARPA Contract W31P4Q-08-C-0292 Presented By: Dr.

BRIEF PROJECT OVERVIEW EATR: ENERGETICALLY AUTONOMOUS TACTICAL ROBOT DARPA Contract W31P4Q-08-C-0292 Presented By: Dr. Robert Finkelstein President, Robotic Technology Inc. 301-983-4194 BobF@RoboticTechnologyInc.com

449 views • 26 slides
Why mucosal? GPEN 2006 1 ``Improvements that make vaccine delivery easier and safer, decrease

Why mucosal? GPEN 2006 1 ``Improvements that make vaccine delivery easier and safer, decrease

Particulate carrier systems for mucosal DNA vaccine delivery Gerrit Borchard School of Pharmacy, Pharmaceutics and Biopharmaceutics, Geneva, Switzerland gerrit.borchard@pharm.unige.ch GPEN 2006 Why mucosal? GPEN 2006 1 ``Improvements that

634 views • 30 slides
The European Association of Pharmaceutical Full-line Wholesalers European Healthcare Distribution

The European Association of Pharmaceutical Full-line Wholesalers European Healthcare Distribution

The European Association of Pharmaceutical Full-line Wholesalers European Healthcare Distribution Association Groupement International de la Repartition Pharmaceutique The European Association of Pharmaceutical Full-line Wholesalers European

501 views • 38 slides
On the Verge of a Biologics Golden Age David Meininger Executive Director, Molecular Discovery

On the Verge of a Biologics Golden Age David Meininger Executive Director, Molecular Discovery

On the Verge of a Biologics Golden Age David Meininger Executive Director, Molecular Discovery Department of Protein Sciences, Merck & Co., Inc. Biologics: Bringing Innovation to Merck From Virgils Fourth Eclogue Novus ordo seclorum Now

759 views • 27 slides
Rise church core v alues LOVE WE BELIEVEin keeping with the two greatest

Rise church core v alues LOVE WE BELIEVEin keeping with the two greatest

Rise church core v alues LOVE WE BELIEVEin keeping with the two greatest commandmentsthat we must prioritize loving God and our neighbors. We embrace this in our dail y w alk with God and in a lifestyle of service to our famil y and

362 views • 23 slides
Budget Model Presentation UBDC 14 February 2017 Where excellence and opportunity meet.

Budget Model Presentation UBDC 14 February 2017 Where excellence and opportunity meet.

Budget Model Presentation UBDC 14 February 2017 Where excellence and opportunity meet. Outline Guiding Questions for Today Status Checklist A Tale of Three Pictures Revenue Assignment Examples Cost Assignment Examples

548 views • 18 slides
Devonport site visit summary presentation 13 th March 2019 Marine Land Aviation Nuclear

Devonport site visit summary presentation 13 th March 2019 Marine Land Aviation Nuclear

Devonport site visit summary presentation 13 th March 2019 Marine Land Aviation Nuclear www.babcockinternational.com Disclaimer This document has been prepared by Babcock International Group PLC (the Company) solely for use at a

398 views • 26 slides
Programming Hybrid CPU-GPU Clusters with Unicorn Subodh Kumar IIT Delhi Part of Tarun Beris

Programming Hybrid CPU-GPU Clusters with Unicorn Subodh Kumar IIT Delhi Part of Tarun Beris

Programming Hybrid CPU-GPU Clusters with Unicorn Subodh Kumar IIT Delhi Part of Tarun Beris PhD thesis Parallel Programming is Hard Problem decomposition Processor mapping Scheduling Communicated and synchronization

733 views • 25 slides

More recommend