#MicroFocusCyberSummit Automate Static and Dynamic Scans, CI/CD - - PowerPoint PPT Presentation



SLIDE 2


Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for Fast, Reliable Results

Rick Smith, Senior Product Manager Jimmy Rabon, Senior Product Manager

SLIDE 3

Automation – Static Analysis

Diagram: automated static-analysis workflow. Actors and systems shown: Developer; Source Code Mgmt System; Automated Integration Build / Analysis (Fortify SCA with Maven, Ant, Make, MSBuild, CI System); Scan Server and Translation Server; Defect Mgmt System; Fortify Software Security Center (SSC); Project Technical Security Leader.

Steps labelled in the diagram (numbered 1–7): Place secure code in SCM; Build, scan; Code Security Analysis Defects; Audited scans merged with new scans; New / critical issues exist alert; Triage & assign ALL issues; Repair MY issues (Fortify SCA IDE Plug-in).

Prerequisites:
  1) Baseline scan performed
  2) Report is triaged 100%
  3) Filters created in project templates to be applied for future audits (applied by SSC)

SLIDE 4


Automation – DevOps Tool Chain

Tool-chain categories: IDEs; Requirements & Issues; Communication & ChatOps; Containers; Code Repositories & Apps; Build Servers & Tools; Configuration Automation; Cloud

  • Bitbucket
  • Git
  • GitHub
  • JIRA
  • Mercurial
  • Microsoft Team Foundation Server
  • Eclipse
  • IntelliJ
  • Microsoft Visual Studio
  • Apache Ant
  • Atlassian Bamboo
  • Cucumber
  • Jenkins
  • Maven
  • Microsoft PowerShell
  • Microsoft Team Foundation Server
  • TeamCity
  • Atlassian Bamboo
  • Bugzilla
  • CA Service Desk Manager
  • Datadog
  • FogBugz
  • JIRA
  • JUnit
  • Micro Focus ALM Octane
  • Micro Focus Quality Center
  • Microsoft Team Foundation Server
  • Rally
  • BladeLogic
  • Chef
  • Puppet
  • HipChat
  • Microsoft SharePoint
  • Microsoft Team Foundation Server
  • Slack
  • Amazon Web Services
  • Cloudera
  • Microsoft Azure
  • Micro Focus Server Automation
  • ServiceNow
  • Docker

SLIDE 5


Pushing the Boundaries of Static Analysis with Automation

SLIDE 6

Breaking Barriers and Integrating DAST to SDLC

  • AppSec integration, specifically DAST, has challenges
  • Dependency on app-specific knowledge
  • Dependency on tool-specific knowledge
  • Process and configuration knowledge
  • Traditionally DAST is run as a gating process rather than an enabling process
  • Tension between feature release vs. secure release

Diagram: Ops, Dev, QA, Security

SLIDE 7

Fortify DAST - Product Vision & Strategy


Integration Automation Agility

SLIDE 8


Customer Demo and Success Story – Aaron’s

Jeremy Brooks

SLIDE 9

DAST @Aaron’s

Jeremy Brooks, Application Security Lead, jeremy.brooks@aarons.com

SLIDE 10

About Aaron’s

  • Founded June 19, 1955
  • ~10000 Employees
  • ~1700 stores across the US and Canada
  • $3+ billion in revenue
  • Brick and mortar and online sales and leasing
  • https://www.aarons.com
SLIDE 11

About Aaron’s Tech

  • Culture
    – Embrace & Drive Change
    – Value Data Over Opinion
    – Listen. Challenge. Commit.
    – Think Two-Sided
    – https://tech.aarons.com
  • Solutions Delivery
    – Squad based delivery teams
      • Omnichannel
      • Store
      • Payments
      • Data analytics
    – 40+ applications
    – Multiple releases per day

SLIDE 12

Challenges For AppSec

  • On-boarding new applications is time consuming
    – Authentication
    – Business logic
    – Coverage and Discoverability
  • Scalability
    – New functionality
    – New end points
    – New applications

This feels like duplication of effort. Isn’t someone already testing these applications?

SLIDE 13

QA + Security = Better Together

  • Aaron’s DAST Strategy
    – Create a partnership with QA
    – Deploy technologies that enable security
    – Build DAST into the pipeline
    – Multiply effort

SLIDE 14

Phalanx Overview

  • Services to manage proxies and DAST scans
  • Sandbox for manual scans
  • Coordinates load across scan agents


SLIDE 15

Phalanx Architecture


SLIDE 16

Web App for Manual Workflow

  • Self guided
  • Sandboxed
SLIDE 17

WebInspect REST API + Phalanx

  • Start the capturing proxy
  • Configure the functional test to use the proxy
  • Run the functional test and capture traffic
  • Add the scan to the queue once the test run has completed
  • Tear everything down
  • Phalanx manages the scan queue

SLIDE 18

QA Automation Pipeline

  • Tests created using N-Unit
  • Octopus deploys the application
  • TeamCity job polls Octopus Deploy
  • Triggers test run on successful build
  • Unit tests make calls to the WebInspect (WI) API and wire up the proxy
  • Functional tests run, proxy collects traffic
  • Unit tests queue a scan using the proxy traffic
  • Phalanx manages the scan queue

SLIDE 19

Lessons Learned and Next Steps

  • Test in QA
    – DAST scans can take systems down, trigger lockouts and cause other undesirable side-effects
  • Make sure you can revert your environment
    – WebInspect can add a lot of garbage data to your databases, file systems, etc.
  • Make sure Dev, Ops, QA and CIRT are aware of your scan schedule
    – No one likes surprises!
  • Include identifying attributes in your scan name
    – Make it easy to link a DAST scan back to a functional test run
  • Close the feedback loop
    – Slack integration
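The proxy-capture workflow of slides 17 and 18 and the scan-naming lesson of slide 19, as an added Python example that is not Aaron's Phalanx code and not WebInspect's real API: the endpoint paths and JSON fields are assumed placeholders, and FakeHttp is a constructed transport so the flow runs offline.

```python
"""Orchestrate a proxy-captured DAST scan around a functional test run.
Added example, not Aaron's Phalanx code. Endpoint paths and JSON fields are
ASSUMED placeholders for the WebInspect REST API; swap in the documented ones.
`http` is any callable (method, path, body) -> dict, so the same flow runs
against a real client or the offline FakeHttp below."""
import re
from typing import Callable, Optional

Http = Callable[[str, str, Optional[dict]], dict]

def scan_name(app: str, build: str, test_run: str) -> str:
    # Slide 19: identifying attributes in the name link a DAST scan back to
    # its build and functional test run; strip anything not filename-safe.
    return re.sub(r"[^A-Za-z0-9._-]", "_", f"{app}-b{build}-t{test_run}")

def run_captured_scan(http: Http, app: str, build: str, test_run: str,
                      run_tests: Callable[[str], int]) -> str:
    """Slides 17-18: start proxy, run tests through it, queue scan, tear down."""
    name = scan_name(app, build, test_run)
    proxy = http("POST", "/proxy", {"name": name})                 # assumed endpoint
    proxy_id, proxy_addr = proxy["id"], proxy["address"]
    try:
        rc = run_tests(proxy_addr)  # e.g. the N-Unit suite with HTTP_PROXY=proxy_addr
        if rc != 0:
            raise RuntimeError(f"functional tests failed (rc={rc}); no scan queued")
        traffic = http("GET", f"/proxy/{proxy_id}/traffic", None)  # assumed endpoint
        if traffic.get("requests", 0) == 0:
            raise RuntimeError("proxy captured no traffic; check proxy wiring")
        scan = http("POST", "/scans", {"name": name, "proxyId": proxy_id})  # assumed
        return scan["id"]
    finally:
        # Tear down even when tests or queueing fail, so a capture proxy
        # never outlives the pipeline job that created it.
        http("DELETE", f"/proxy/{proxy_id}", None)                 # assumed endpoint

class FakeHttp:
    """Constructed offline stand-in for the REST client; records every call."""
    def __init__(self, requests_seen: int = 42):
        self.calls, self.requests_seen = [], requests_seen

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        self.calls.append((method, path))
        if (method, path) == ("POST", "/proxy"):
            return {"id": "p1", "address": "127.0.0.1:8080"}
        if path == "/proxy/p1/traffic":
            return {"requests": self.requests_seen}
        return {"id": "s9"} if path == "/scans" else {}
```

A scan is queued only when the functional run passed and the proxy actually saw traffic; the proxy is deleted on every path, which is the "tear everything down" step of slide 17.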

SLIDE 20

Special Thanks

  • Edwin Deliz – QA Manager
  • Anthony Burt – QA Engineer
SLIDE 21

Thank You.

#MicroFocusCyberSummit
