#MicroFocusCyberSummit Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal – Fortify on Demand

Page 1

#MicroFocusCyberSummit

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

David Harper

Practice Principal – Fortify on Demand

Page 2

Agenda

- The Application Security Problem
- Security Gate
- Secure DevOps
- Best Practice Approach
- Q&A

Page 3

The Application Security Problem

Page 4

The Majority of Security Breaches Today are From Application Vulnerabilities

90%: Security incidents from exploits against defects in the design or code of software.[2]

80%: Percentage of applications containing at least one critical or high vulnerability.[1]

[1] "2017 Application Security Research Update" by the HPE Software Security Research team, 2017
[2] U.S. Department of Homeland Security's U.S. Computer Emergency Response Team (US-CERT)

Page 5

Today's business needs are dramatically increasing the number of applications and the frequency of releases

[Chart: Release Frequency and Number of Applications plotted for 2010, 2015 and 2020+]

Page 6

Background: Applications are being driven by the business, not IT

Applications are proliferating:

- Commissioned by the business
- Websites, Facebook applications, mobile applications, cloud applications
- Key to building the direct customer relationship
- Relies on trust between customer and the brand
- Capturing personal data is the norm
- Focus on "wow factor" and marketing-related functionality
- Frequently developed by small boutique consultancies
- Intense pressure on timescales
- Little thought given to non-functional requirements
- Marketing campaigns run outside the normal process, with no governance
- Do you even know how many applications you have?

Page 7

Customer Challenges with Application Security

- Securing outsourced, 3rd party and open source code
- Difficult to train and retain AppSec experts and developers
- Lack of resources and expertise
- Growing number of applications and attacks
- Rapid release cycles and increasing pressure to push apps into production faster
- Compliance requirements

Page 8

Security Challenge: Key Requirements

Systematic, Predictable, Cost Effective:

- Support all types of applications
- Support all development approaches
- No impact on time to market
- No complex hardware/software to install
- No need to hire, train and retain a team of application security experts
- Scale rapidly to test all applications
- Cheaper than the existing approach
- Identify and fix application security issues before the application goes into production
- Implement the solution rapidly

Page 9

Security Gate

Page 10

Fortify on Demand Security Gate

Secure ALL your applications before deployment:

- Web, Facebook, Mobile, Cloud
- In-house, out-sourced, third-party

[Diagram: Code/Test, Contract/Outsource and Procure all feed into the Security Testing Service, which acts as the Security Gate in front of Deploy]

Page 11

Fortify on Demand: Cloud-based Application Security Testing Platform

Simple, Fast, Flexible:

- Launch your application security initiative in < 1 day
- No hardware or software investments or maintenance
- No experts to hire, train and retain
- Scale to test all applications in your organization
- 1 day turn-around on application security results
- Support 1000s of applications
- Tests all types of applications: Web, Facebook, Mobile, Cloud, Desktop…
- In-house, open source and third party, commercial applications
- OWASP, PCI DSS, FISMA

Page 12

But can it keep up with DevOps?

Average Software Release Cycle: 12 months → 3 weeks → 3 minutes (anticipated)

Source: https://medium.com/data-ops/how-software-teams-accelerated-average-release-frequency-from-three-weeks-to-three-minutes-d2aaa9cca918

Page 13

Secure DevOps

Page 14

What exactly is DevOps? It means different things to different people.

DevOps aims to bring applications to market rapidly through:

- Cross-functional empowered teams (Business, Dev, Ops, QA) with full lifecycle responsibility for delivering a service
- Rapid code release cycles, but with large variation in release frequency
- Agile development
- Trunk-based development with feature flags
- Service-oriented architecture on a cloud-based infrastructure
- Tool-chain automation: Continuous Integration / Continuous Testing / Continuous Delivery

Security is perceived as an inhibitor: a penetration-test-based release gate is too slow.

Defining characteristics of DevOps: merging of Dev & IT Ops (working together), increased agility/flexibility, continuous integration, automation, lean, faster time-to-development, modern development, more robust dynamic apps.

Page 15

Secure DevOps: Addressing the challenge

The best way to deliver secure applications is to build security in (see the Software Assurance Maturity Model, SAMM). With DevOps it is the only way to deliver secure applications.

- Address security early: developer education; Static Application Security Testing (SAST)
- Security gates still have their place: Dynamic Application Security Testing (DAST) for the baseline and for critical releases
- Add compensating controls: DAST in production; Runtime Application Self Protection (RASP)

Page 16

Secure Development Life-Cycle

Lifecycle phases: Initiate, Define, Design, Develop, Test, Implement, Operate

SAMM business functions and their security practices:

- Governance: Strategy & Metrics; Policy & Compliance; Education & Guidance
- Construction: Threat Assessment; Security Requirements; Secure Architecture
- Verification: Design Review; Code Review; Security Testing
- Operations: Issue Management; Environment Hardening; Operational Enablement

See www.opensamm.org

Page 17

Secure DevOps with Fortify on Demand: Application Security Testing on Demand

Powered by industry-leading Fortify products:

- Fortify SCA – SAST (with Sonatype for component analysis)
- Security Assistant – SAST
- WebInspect – DAST
- Application Defender – RASP

Available on demand:

- Supported by security experts
- Quick to get started
- Rapid results
- Grows with your business
- Global datacentres and support
- Fully integrated in the DevOps toolchain

Secure DevOps services mapped onto the DevOps lifecycle: eLearning, SAST component analysis, SAST baseline, SAST in IDE, SAST in continuous integration, DAST, RASP.

Page 18

Fortify on Demand: Role-based Secure DevOps Training

Role-based training:

- Developers: .NET, Java, C/C++, PHP
- Mobile developers: iOS & Android
- Project managers
- QA

eLearning: low cost; easier to schedule; highly scalable; easy to manage; easy to enforce.

Page 19

Fortify on Demand: Component Analysis with Sonatype

Use secure components:

- Component selection
- Version selection

Page 20

Fortify on Demand: Baseline Static Application Security Testing

Full test with Fortify SCA, industry-leading SAST: comprehensive and accurate.

Results validation: manual audit by a security expert to ensure full coverage and remove false positives.

Page 21

Fortify Security Assistant: Real-time, light-weight analysis of code in the IDE

- Eclipse or Visual Studio plug-in
- Inline analysis of the source code as the developer types
- Instant results, continuous feedback
- Not a replacement for a full assessment, but catches a significant subset of vulnerabilities
- FoD IDE-initiated automated scan option for non-supported languages: component-level scan, < 100k TLOC in 10 mins

Page 22

Fortify on Demand: SAST as part of Continuous Integration

Jenkins plug-in:

- Invokes an SCA scan, based on the baseline scan
- Automated results audit using Fortify Scan Analytics
- Waits for the scan to complete
- Returns Pass or Fail based on the organization's security policy
- Option to publish any new security vulnerabilities into Jira

Visual Studio TFS integration is also available; a command-line option covers other CI tools.
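The gate this slide describes (scan the commit, compare with the audited baseline, pass or fail by policy, hand new findings to a tracker) in working form, as an added example that is not Fortify on Demand's plugin or API. The JSON report shape, the policy dictionary, the `SEC` project key and the ticket payload are assumptions for illustration. It also carries the expert audit forward from the baseline scan, so a finding already audited as a false positive is not re-flagged on every build, and it matches findings by rule and file rather than line number so that unrelated edits do not turn an old finding into a "new" one.

```python
# Added example (not Fortify on Demand's plugin or API): a baseline-aware
# CI security gate. The report format, the policy and the ticket payload are
# assumptions made for this example.
import json
from dataclasses import dataclass, replace

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Assumed organisational policy: fail the build if any open finding is at or
# above this severity. Findings the manual audit marked "suppressed" do not count.
POLICY = {"fail_at_or_above": "High"}


@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int
    severity: str
    status: str = "open"  # "open", or "suppressed" by the expert audit

    @property
    def key(self):
        # Match findings across scans by rule and file rather than line number,
        # so an unrelated edit higher in the file does not make an old finding "new".
        return (self.rule, self.file)


def parse_report(text):
    """Parse the (assumed) JSON scan report into Finding objects."""
    return [Finding(**f) for f in json.loads(text)["findings"]]


def carry_forward_audit(baseline, current):
    """Re-apply the baseline audit: a finding suppressed there stays suppressed now."""
    suppressed = {f.key for f in baseline if f.status == "suppressed"}
    return [replace(f, status="suppressed") if f.key in suppressed else f for f in current]


def diff_findings(baseline, current):
    """Findings new in the current scan versus the baseline, and baseline findings now fixed."""
    base_keys = {f.key for f in baseline}
    cur_keys = {f.key for f in current}
    new = [f for f in current if f.key not in base_keys]
    fixed = [f for f in baseline if f.key not in cur_keys]
    return new, fixed


def evaluate_gate(baseline, current, policy=POLICY):
    """Return the gate verdict plus the lists a CI job would act on."""
    current = carry_forward_audit(baseline, current)
    new, fixed = diff_findings(baseline, current)
    threshold = SEVERITY_RANK[policy["fail_at_or_above"]]
    violations = [f for f in current
                  if f.status == "open" and SEVERITY_RANK[f.severity] >= threshold]
    return {"passed": not violations, "violations": violations,
            "new": new, "fixed": fixed, "current": current}


def ticket_payload(finding, project="SEC"):
    """Hypothetical issue-tracker payload for a new finding (real Jira fields differ)."""
    return {"project": project,
            "summary": f"[{finding.severity}] {finding.rule} in {finding.file}",
            "description": f"{finding.file}:{finding.line} ({finding.rule}, {finding.severity})"}


# Constructed sample reports: the audited baseline and the scan of the next commit.
BASELINE_REPORT = """{"findings": [
  {"rule": "sql_injection", "file": "src/orders.py", "line": 42, "severity": "High", "status": "open"},
  {"rule": "weak_hash", "file": "src/legacy.py", "line": 10, "severity": "Medium", "status": "suppressed"},
  {"rule": "path_traversal", "file": "src/files.py", "line": 88, "severity": "High", "status": "open"}
]}"""

CURRENT_REPORT = """{"findings": [
  {"rule": "sql_injection", "file": "src/orders.py", "line": 45, "severity": "High", "status": "open"},
  {"rule": "weak_hash", "file": "src/legacy.py", "line": 10, "severity": "Medium", "status": "open"},
  {"rule": "xss", "file": "src/views.py", "line": 12, "severity": "High", "status": "open"}
]}"""


def run_example():
    """Evaluate the constructed scan against the constructed baseline."""
    return evaluate_gate(parse_report(BASELINE_REPORT), parse_report(CURRENT_REPORT))


if __name__ == "__main__":
    result = run_example()
    print("PASS" if result["passed"] else "FAIL")
    for f in result["violations"]:
        print("  blocking:", f.rule, f"{f.file}:{f.line}", f.severity)
    for f in result["new"]:
        print("  ticket:", ticket_payload(f))
```

On the constructed data the build fails: the SQL injection from the baseline is still open (its line moved from 42 to 45, which the rule-and-file key ignores), the new XSS is open and High, the path traversal is reported as fixed, and the weak hash inherits its "suppressed" status from the audit instead of failing the build again. Only the XSS is new, so only it would become a ticket; the policy threshold is the one knob a security team changes when it wants the gate stricter or looser.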

Page 23

Fortify on Demand: Dynamic Application Security Testing

- Baseline DAST
- DAST for security-critical releases
- Use DAST in production

Page 24

Application Defender: Runtime Application Self-Protection

- Core component of your infrastructure: all environments; part of your deployment process
- Compensating control: monitors execution of the application; looks for abnormal behavior within the application; monitor or block
- Feedback: integrated with Fortify on Demand; enable protection based on assessment findings

Page 25

Best Practice Approach

Page 26

Implement a Security Gate First

Puts security in control:

- Establish policy
- Monitor compliance
- Handle exceptions

Fortify on Demand addresses the key customer challenges:

- Lack of in-house resources
- Massive scalability
- Proven approach to reduce application security risk
- Fast enough for most application developments today

Page 27

Secure DevOps Lifecycle as a Compensating Control

DevOps teams can earn the right to be exempt from the gate:

- Passed the security gate with the initial version
- Secure DevOps lifecycle validated by security: completeness (not just CI/CD integration) and effectiveness (finding vulnerabilities is not enough!)
- Periodic security gate tests

Page 28

Q&A

Page 29

Thank You.

#MicroFocusCyberSummit
