Micro Focus Fortify. Andy Earle Sr. Security Solutions Architect. Haleh Nematollahy Sr. Security Solutions Architect
1 Micro Focus Fortify Andy Earle Sr. Security Solutions Architect Haleh Nematollahy Sr. Security Solutions Architect
2 Introduction: Derrick Wilson, Civilian Account Executive; Nicole Cragin, Civilian Account Executive; Andy Earle, Sr. Security Solutions Architect; Haleh Nematollahy, Sr. Security Solutions Architect; Steven Klein, Carahsoft Partner; Ryan Talento, Carahsoft Partner
3 HPE Software is now Micro Focus! Laptops, Printers, Enterprise Services, Servers, Network, Storage, Enterprise Software
4 Fortify Software Security Assurance Confidential
5 The majority of security breaches today are from application vulnerabilities. 90%: percentage of applications containing at least one critical or high vulnerability (1). Security incidents from exploits against defects in the design or code of software (2). Source: Application Security Research Update by the HPE Software Security Research team; U.S. Department of Homeland Security's U.S. Computer Emergency Response Team (US-CERT)
6 Vision: Enable DevOps and the next-gen SDLC by accelerating integration, automation and agility for both on-demand and on-premise solutions, so that customers can release the most secure applications at Enterprise speed. Go faster, more securely, with less manual intervention.
7 Software Security Assurance (SSA & SDLC). Lifecycle phases: Security Design, Code, Test, Integration, Operate (Staging), Monitoring + Protection. Chart: relative cost of remediation by phase, from 1X at Requirements rising through Coding, Integration/Component Testing and System Testing (5X, 10X, 15X) to 30X in Production, with a security gate between the secure SDLC and Production. 30x more costly to secure in Production. Source: NIST
8 Vision & Strategy: Build it in. 1. Secure Development: continuous feedback on the developer's desktop at DevOps speed. 2. Security Testing: embed scalable security into the development tool chain. 3. Continuous Monitoring and Protection: monitor and protect software running in Production. Improve SDLC policies. This is application security for the new SDLC.
9 Fortify is recognized for delivering value: 4 out of 4 U.S. DoD branches; 14 out of 14 U.S. Federal Civilian departments; 10 out of 10 of the largest information technology companies; 10 out of 10 of the largest banks; 4 out of 5 of the largest pharmaceutical companies; 3 out of 3 of the largest independent software vendors; 5 out of 5 of the largest telecommunication companies. 2018 Gartner Magic Quadrant for AST: Fortify.
10 Software Security Assurance (SSA & SDLC): Security Design, Code, Test, Integration (Staging), Operate. Development: Fortify Static Suite, comprising Static Code Analyzer (SCA), Audit Workbench (AWB), IDE Plugin and Software Security Center (SSC). Hybrid Testing / Operations: Fortify Dynamic Suite, comprising WebInspect (WI), WebInspect Enterprise (WIE), Continuous Web Monitoring (CM), On-demand Web Scans and Software Security Center (SSC). Visibility & Defense: Fortify Runtime Protection, Logging, Application Defender (AppDefender). Across the lifecycle: Fortify On Demand (FOD) / Vendor Management.
11 SCA
12 Traditional Software Scanning Process: developers check in code to the code repository; a scheduled job checks out, builds and scans the code with Static Code Analysis (SCA); the scan results (.fpr file) are uploaded to Fortify SSC; an auditor (security) reviews the results and submits findings to the bug tracker; the developer fixes the bug / security finding; repeat as necessary.
13 Fortify Timeline. Versioning has changed to a major version matching the calendar year. April 2014: Fortify 4.1; September 2014: Fortify 4.2; April 2015: Fortify 4.3; November 2015: Fortify 4.4; April 2016: Fortify WebInspect; December 2016: Fortify WebInspect; April 2017: Fortify WebInspect; November 2017: Fortify WebInspect; April 2018: Fortify WebInspect.
14 SCA Roadmap (current release, next release, future releases; items marked deployed or planned): .NET Frontend Phase III, VS2017, MVC, .NET Core, ECMAScript 2015, Scala, Java 9, Swift 3.1, PHP 7.x
15 Fortify Ver Summary, April 2017, SCA. Apple: Swift 2.2 and support; MVC Model Class support for Xcode 8.2. .NET: support for C# ver. 6 and VB.NET ver. 14; .NET Async/Await support. Angular: Technical Preview for AngularJS support. Salesforce: support for Apex and VisualForce. Python: performance improvements for Python. Multi-threaded scanning.
16 Static Code Analyzer Features. .NET Phase III: .NET Core and ASP.NET Core frameworks; MVC; .NET 4.7; latest version of VB.NET: VB.NET 15 (VB.NET 14 in 17.10); latest version of C#: C# 7 (C# 6 in 17.10); Visual Studio 2017. PHP 7.x: PHP 5.x constructs; PHP 7.x new classes and interfaces; PHP 7.x constructs. Apple Swift 3.1: Xcode.
17 Static Code Analyzer Features (continued). Scala: Scala versions 2.12 (latest) and 2.11; Play framework (except Twirl templates); requires Lightbend license. ECMAScript 2015: ECMAScript 2015 constructs such as arrow functions and for-of loops. Java 9: leveraging the changes announced in OpenJDK; scan applications written in Java 9. High performance parallel mode on by default: Introduced in; % reduction in scan time on average; FoD used it as default mode; On by default in.
18 Parallel scanning, the old way. Introduced in version 4.0. SCA used to spawn multiple processes in parallel. The process was resource heavy and required mathematical computation: for example, if the machine had 32 GB of RAM and 8 cores, the recommended configuration would be: sourceanalyzer -j 2 -Xmx14G -Dcom.fortify.sca.RmiWorkerMaxHeap=7G. And this may still lead to memory errors depending on the complexity of the code. Deprecated as of
19 Multithreaded parallel mode. Solution: redesigned and reimplemented; uses native Java multithreading instead of creating a master process and spawning separate processes; removes the need for communications and monitoring between master and child processes (an added burden); simple to enable (no complex mathematics). Results: scans complete in 50% of the time compared to single-threaded on average; the process is optimized and scales to available resources automatically; it scales better to large hardware and is substantially simpler to use. Enable high performance parallel mode by either adding the -mt command-line parameter to the SCA scan phase command line, or adding the property key com.fortify.sca.multithreadedanalysis=true to your fortify-sca.properties file.
20 SSC Roadmap (current release, next release, future releases; items marked deployed or planned): SSC Scalability Phase 1, new plugin framework, Octane plugin, RESTful API refactor, export to CSV, SSC Setup Wizard tool replacement, GitHub repository with parser, bug tracking and JS sandbox
21 Ver Summary, April 2016, SSC: improved interactions with Dynamic Scan results; issue attachment support for Dynamic Scans; ability to view issues assigned to you; advanced audit and conflict strategy settings; scheduled alerts
22 SSC Features. Better plugin framework and API samples: new plugin framework, UI plugin management, new GitHub repository. Simple and faster setup: Setup Wizard tool replacement. Powerful external reporting: export to CSV. Better sorting & grouping: group by Introduced Date.
23 Export to CSV: Powerful External Reporting
24 SSC Group by Introduced Date: Better Sorting & Grouping
25 UI Plugin Management: Better Integrations
26 github.com/fortify: Better Integrations & API Samples. Consolidated FoD and On-Premise repository; sample parser plugin; JS Sandbox project with development tutorial; automate Predict and Train with Audit Assistant / SSC; creating / uploading / downloading Fortify application version(s); automate reporting; generate authentication tokens; user management; Jenkins plugin (open sourced)
27 SSC Setup Wizard: Simple, Faster Setup
28 New SSC Setup Wizard
29 17.2 New Plugin Framework. The new plugin framework was created to support a growing ecosystem of integrations. The framework supports running third-party parser plugins and bug tracker plugins, and is designed with the core goals of isolation, granularity and reliability. The framework is built with a robust and reliable messaging mechanism to ensure data integrity.
30 UI Plugin Management
31 Fortify Tools Roadmap (current release, next release, future releases; items marked deployed or planned): Visual Studio 2017 (SCA + FoD), VSTS + CloudScan, Smart View (AWB), IntelliJ plugin (FoD) Phase 1, SCA MSBuild task
32 Visual Studio 2017 Full On Premise and FoD plugin
33 Smart View for AWB: Efficient Auditing and Remediation. Sort by folder, then by group-by (any mapping), then by source, sink or converged data flow. Quickly understand how multiple issues are related from a data flow perspective. Apply Smart View filters to begin triaging or fixing issues at the most efficient point.
34 Smart View for AWB (continued): Efficient Auditing and Remediation. Quickly advance through three levels of groupings. Tiles are dynamically sized based upon the number of issues. The design works with large numbers of issues and is very performant. For auditors and developers.
35 Best practices learned from securing DevOps: scan automation and integration that can be applied anywhere, parallel processing, and audit assistant
36 DevOps Definition, Principles and Benefits. DevOps: a practice that emphasizes the collaboration and communication between software developers and IT professionals, with the goal of automating the process of software delivery and infrastructure changes. Principles: develop and test in an environment similar to production; deploy builds frequently; automate the process of delivering software; validate quality continuously. Benefits: faster time to value; faster time to market with higher quality; stay ahead in a competitive environment.
37 Promise vs Reality of Security in DevOps. 99% of those surveyed agreed that DevOps is an opportunity to improve application security, but only 20% perform application security testing during development. Most wait until late in the SDLC or not at all! Survey breakdown: Pre-Production Gate 38%, Network 25%, Testing during Development 20%, None 17%. Source: HPE Secure DevOps Survey, Sept
38 Automation: DevOps Tool Chain
39 The right approach for the new SDLC: Build it in. 1. Secure Development: continuous feedback on the developer's desktop at DevOps speed. 2. Security Testing: embed scalable security into the development tool chain. 3. Continuous Monitoring and Protection: monitor and protect software running in Production. Improve SDLC policies. This is application security for the new SDLC.
40 Let's Talk AppSec: Process, Challenges, Auditing, Remediation
41 Application Security Testing: Static Analysis, Dynamic Analysis
42 Static Software Scanning Process: Scrum developers check in code to the code repository; continuous integration (Jenkins, TFS, etc.) performs a scheduled or triggered check-out and build and (automatically) delivers the build for analysis to the scanning engine (SCA); vulnerability findings flow to the management portal (SSC), which integrates with SonarQube, Archer, etc.; the security/tech lead submits findings to the bug tracker (issue tracking); the developer fixes the bug / finding; repeat as necessary.
43 Static Analysis: AppSec Testing Challenges. Lengthy / memory intensive scans. Complex build processes, frequency of builds, difficult security integrations. Volume of static findings requiring human auditing to validate (this is #1). Risk tolerance to validated findings. Managed service findings require prioritization. Modular builds / microservices present dataflow challenges. Remediating validated findings. Communicating findings to developers and metrics/KPIs to management. New and improved .NET scanning.
44 Static Analysis: Lengthy / Memory Intensive Scans. Use multiple cores / processors / CloudScan. Offload scans from the build server to a dedicated scanning server. Create scalable static scanning solutions. Reduce the frequency of scans. Incremental scanning. Large apps should sometimes be broken up into logical modules based upon data flow. Lightweight static scans early in the SDLC.
45 Static Analysis: Complexity & Frequency. Complex builds: the AppSec team must work with developers and build engineers when automating; static integration examples on an internal wiki (proactive); centralized scanning solution outside of the build process. Frequency: ensure the storage solution is sufficient/scalable when scanning multiple times a day; reasonable data retention policy for scan result files; automate merging of new scans with previous scans, which is required to preserve previous audit decisions / trending.
46 Static Analysis: Triaging Static Findings. This is the main blocker of effective static security scans moving at high speed. The quickest way to derail static testing is to push garbage findings to the dev team. Security cannot be responsible for auditing findings if they don't have a development background. Development must be accountable for the organization's acceptable risk. Available and current vulnerability training. Auditing: sort by common sources and sinks for dataflow issues; apply audit knowledge from past decisions; begin with a targeted list of vulnerabilities and expand as your program matures; make previously audited scan files available; audit peer review; use a risk profile for applications (internal, external, PII, etc.); define security controls that map to vulnerability types; machine learning to apply past audit decisions to predict future audit decisions.
47 Static Analysis: Triaging Results. Demo: Audit Workbench and Smart View
48 Audit Assistant / Scan Analytics
49 Machine Learning: scan analytics & audit assistant. Do more with your AppSec data: streamline the AppSec program by making the auditing process more efficient; increase the relevancy and consistency of findings unique to your organization's preferences; identify relevant issues earlier in the SDLC; scale and accelerate your AppSec program with existing resources.
50 Software Security Center (SSC): Audit Assistant. Machine learning assisted identification of relevant scan results. Diagram: Audit Assistant sorts potential vulnerabilities into Exploitable, Indeterminate and Not an Issue.
51 Scan Analytics: machine learning to make AppSec more efficient. Identify true vulnerabilities and prioritize them for remediation faster. Focus on triaging and investigating high priority vulnerabilities. Return value-added time to your developers and auditors. Diagram: Fortify Scan Analytics sorts potential vulnerabilities into Exploitable, Indeterminate and Not an Issue.
52 Demo: Audit Assistant
53 Static Analysis: Managed Service. Apply organization / environmental / business context if a static scan is run and audited in a third-party bubble. Good at removing false positives, not as good at removing issues you don't care about (compensating control / unique environmental issue / etc.). SLA / turnaround time must meet development / business objectives.
54 Static Analysis: Modularity / Microservices. Security testing challenges: the entire application is needed for data flow; different teams build different components; duplicate findings need to be accounted for; auditors need to understand what was previously identified, what to fix and where.
55 Static Analysis: Remediation. See it, fix it! Define effective security controls for your organization's technology stack. Not every fix is created equally. Talk to a software architect (if he/she is friendly). Automate recommendations via security controls. Internal security libraries for common languages.
56 Fortify Security Assistant
57 Fortify Security Assistant: building in security as you code. Identify weaknesses in real time as developers write code. A "spell check" for security scanning. Identify issues earlier in the SDLC. Educate developers about security. Accelerate the AppSec program (increase productivity & efficiency).
58 Fortify Security Assistant: real-time lightweight analysis of the source code. Fortify menu for additional options. The vulnerable line of code is highlighted as the developer codes, with tips and additional information: level of criticality; all issues detected in the project; type of vulnerability, explanation and detailed remediation guidance.
59 Demo: Security Assistant
60 Static Analysis: Communication. Don't have developers go to a separate portal if they have a bug tracking solution. Automate batch bug submission of security defects once findings are validated. Don't submit bugs for unaudited findings. Don't submit duplicate bugs. Don't break builds for every unaudited static finding. Understand your static analysis tool's confidence thresholds and use them for automation. Mark builds as unstable if critical/high findings are flagged; this requires a baseline scan of the application and an audit to establish. Understand your defect tracking solution or provide an alternative for security defects.
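One way to encode the communication rules on this slide as a CI gate, as an added example that is not Fortify's own code: it reads a scan export in a constructed CSV layout (the column names and the audit-tag vocabulary are assumptions), files bugs only for validated instances not already tracked, and marks the build UNSTABLE rather than failing it, with the gate disabled until an audited baseline exists.

```python
"""Build-gating policy for static-analysis findings (added example).

Rules encoded from the slide:
  * act only on audited findings; never file a bug for an unaudited one
  * never file duplicate bugs (dedupe on the finding's instance ID)
  * never break the build for unaudited noise; at most mark it UNSTABLE
  * use the tool's confidence threshold to decide which unaudited
    Critical/High findings are worth flagging
  * the gate only engages once a baseline audit exists
The CSV columns and audit tags below are assumptions for this example,
not a documented SSC export format.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Audit decisions treated as "validated by a human" (assumed vocabulary).
VALIDATED_TAGS = {"Exploitable", "Suspicious"}
# Priorities that may flag a build (Fortify Priority Order style labels).
FLAG_PRIORITIES = {"Critical", "High"}


@dataclass(frozen=True)
class Finding:
    instance_id: str          # stable ID for an issue across scans; dedupe key
    category: str
    priority: str             # Critical / High / Medium / Low
    confidence: float         # tool confidence on a 0.0 - 5.0 scale
    analysis: Optional[str]   # auditor's decision, None if not yet audited
    file: str
    line: int

    @property
    def audited(self) -> bool:
        return self.analysis is not None

    @property
    def validated(self) -> bool:
        return self.analysis in VALIDATED_TAGS


def parse_export(text: str) -> List[Finding]:
    """Parse a CSV export (constructed column layout) into Finding objects."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        analysis = r["analysis"].strip() or None   # empty cell == unaudited
        out.append(Finding(r["instance_id"], r["category"], r["priority"],
                           float(r["confidence"]), analysis, r["file"], int(r["line"])))
    return out


def bugs_to_file(findings: Iterable[Finding], already_filed: Set[str]) -> List[Dict[str, str]]:
    """Batch of bugs to submit: validated findings only, one per instance, none already tracked."""
    seen = set(already_filed)
    bugs = []
    for f in findings:
        if not f.validated or f.instance_id in seen:
            continue
        seen.add(f.instance_id)
        bugs.append({"id": f.instance_id,
                     "title": f"[{f.priority}] {f.category} in {f.file}:{f.line}"})
    return bugs


def build_status(findings: Iterable[Finding], confidence_threshold: float = 4.0) -> str:
    """Return SUCCESS or UNSTABLE; never FAILURE, so unaudited noise cannot break a build."""
    findings = list(findings)
    if not any(f.audited for f in findings):
        return "SUCCESS"   # no audited baseline yet: the gate is not established
    for f in findings:
        if f.priority not in FLAG_PRIORITIES:
            continue
        # Validated Critical/High always flags; unaudited ones only above the threshold.
        if f.validated or (not f.audited and f.confidence >= confidence_threshold):
            return "UNSTABLE"
    return "SUCCESS"


# Constructed sample export: one validated issue, one already-tracked issue,
# two unaudited ones of differing confidence, one marked Not an Issue, one Low.
SAMPLE_EXPORT = """instance_id,category,priority,confidence,analysis,file,line
A1,SQL Injection,Critical,5.0,Exploitable,src/db.py,42
B2,Path Manipulation,High,3.0,,src/files.py,10
C3,Cross-Site Scripting,Critical,4.5,,src/web.py,7
D4,Hardcoded Password,High,5.0,Not an Issue,tests/fixtures.py,3
E5,Unreleased Resource,Low,2.0,,src/io.py,88
F6,Command Injection,Critical,5.0,Exploitable,src/shell.py,15
"""


def gate_report(export_text: str, already_filed: Set[str]) -> Dict[str, object]:
    """Run the whole policy over an export and return what CI would act on."""
    findings = parse_export(export_text)
    return {"status": build_status(findings),
            "bugs": bugs_to_file(findings, already_filed)}


if __name__ == "__main__":
    print(gate_report(SAMPLE_EXPORT, already_filed={"F6"}))
```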
61 Static Analysis: Metrics. Provide regular metrics. Positive trending metrics make adoption easier. Automate reporting and upload to the source repository (required artifact). Tailor reports / dashboards. Take advantage of available tools (GRC, etc.).
62 Static Analysis: Metrics. Demo: SSC
63 Fortify WebInspect
64 Fortify WebInspect: dynamic analysis to find critical security issues in running applications. Features: quickly identify risk in existing applications; automate dynamic application security testing of any technology, from development through production; validate vulnerabilities in running applications, prioritizing the most critical issues for root-cause analysis.
65 Included in every WebInspect license: SmartCard / CAC authentication; FISMA / / DISA STIG compliance reporting; scan web applications, SOAP and RESTful services, URL rewriting; scan mobile web sites, plus mobile native scan; advanced crawler with JavaScript execution; integration into WAFs, Software Security Center, WebInspect Enterprise; hybrid scanning with the WebInspect Agent; tools for manual testing and penetration, including automatic SQL injection; WebInspect API plus Burp integration; SmartUpdate automatic frequent security content updates from the largest dedicated Software Security Research group; offline activations and updates; incremental scan.
66 Fortify WebInspect Enterprise: extending effective application security testing across the entire enterprise. Problem it solves: manages large-scale, distributed security testing programs across thousands of applications. Features and benefits: monitor critical metrics, progress and trends across large-scale application security testing programs; provide an ongoing enterprise-wide view of production and pre-production application security assurance; control your application security program through role-based scanning and reporting administration; eliminate inefficient and inconsistent assessment and vulnerability management processes; increase visibility and control of security testing efforts and reporting; prove compliance with regulations, standards and policies.
67 Demo: WI
68 Fortify Support
69 Fortify Support and Versioning. Case management: service request management on SSO. Knowledge articles: self-solve knowledge on SSO. Static Code Analyzer RulePacks: Support.Fortify.com. Premium content: Support.Fortify.com. Downloads: Licensing & Software Download Portal (US Gov agencies). Documentation: documentation on Protect724. Fortify Community: Protect724. Product Announcements: subscribe to the Product Announcements board. Notification management: service request and document notifications.
70 Q&A
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationConnect and Transform Your Digital Business with IBM
Connect and Transform Your Digital Business with IBM 1 MANAGEMENT ANALYTICS SECURITY MobileFirst Foundation will help deliver your mobile apps faster IDE & Tools Mobile App Builder Development Framework
More informationAutomated Testing of Tableau Dashboards
Kinesis Technical Whitepapers April 2018 Kinesis CI Automated Testing of Tableau Dashboards Abstract Companies make business critical decisions every day, based on data from their business intelligence
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationProactive Approach to Cyber Security
Proactive roach to Cyber Security Jeffrey Neo Sales Director HP Enterprise Security Products Customers struggle to manage the security challenge Today, security is a board-level agenda item 2 Trends driving
More informationThe 7 Habits of Highly Effective API and Service Management
7 Habits of Highly Effective API and Service Management: Introduction The 7 Habits of Highly Effective API and Service Management... A New Enterprise challenge has emerged. With the number of APIs growing
More informationMicrosoft Security Management
Microsoft Security Management MICROSOFT SECURITY MANAGEMENT SECURITY MANAGEMENT CHALLENGES Some large financial services organizations have as many as 40 or more different security vendors inside their
More informationQuality Assurance and IT Risk Management
Quality Assurance and IT Risk Deutsche Bank s QA and Testing Transformation Journey Michael Venditti Head of Enterprise Testing Services, Deutsche Bank IT RISK - REGULATORY GOVERNANCE Major shifts in the
More informationCloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.
George Gerchow, Sumo Logic Chief Information Security Officer Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops. Agenda Sumo Security
More informationFortify SCA Workshop Exercises. Haleh Nematollahy Sr. Security Solutions Architect
Fortify SCA Workshop Exercises Haleh Nematollahy Sr. Security Solutions Architect Prep Work Exercises Open Your VM c:\vm Images\2017\windows 10 x64 (2).vmx UID: Admin PWD: P@ssword1 Check Access to http://localhost:8180/ssc
More informationBest Practices in Securing a Multicloud World
Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers
More information7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager
7 Steps to Complete Privileged Account Management September 5, 2017 Fabricio Simao Country Manager AGENDA Implications of less mature privileged account management What does a more mature approach look
More informationMICROSOFT AND SAUCE LABS FOR MODERN SOFTWARE DELIVERY
SOLUTIONS BRIEF MICROSOFT AND SAUCE LABS FOR MODERN SOFTWARE DELIVERY AUTOMATE TESTING WITH VISUAL STUDIO TEAM SERVICES (VSTS) AND TEAM FOUNDATION SERVER (TFS) The key to efficient software delivery is
More informationPrep Work Exercises. Open Your VM c:\vm Images\2017\windows 10 x64 (2).vmx UID: Admin PWD:
Prep Work Exercises Open Your VM c:\vm Images\2017\windows 10 x64 (2).vmx UID: Admin PWD: P@ssword1 Check Access to http://6.94.185.35.bc.googleusercontent.com:8080/ssc/#/ UID: Admin PWD: Fortify@01 Check
More informationVisual Studio Team Services
bgourley@microsoft.com Visual Studio Team Services Topics What are the current products What are Visual Studio Subscriptions Subscriber Benefits DevOps and VSTS VSTS licensing Developer Tools Deployment
More informationBuilding a Resilient Security Posture for Effective Breach Prevention
SESSION ID: GPS-F03B Building a Resilient Security Posture for Effective Breach Prevention Avinash Prasad Head Managed Security Services, Tata Communications Agenda for discussion 1. Security Posture 2.
More informationLEVERAGING VISUAL STUDIO TEAM SYSTEM 2008 Course LTS08: Five days; Instructor-Led Course Syllabus
LEVERAGING VISUAL STUDIO TEAM SYSTEM 2008 Course LTS08: Five days; Instructor-Led Course Syllabus INTRODUCTION This five-day, instructor-led course provides students with the knowledge and skills to effectively
More informationDevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY
DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo
More informationIndustrial Defender ASM. for Automation Systems Management
Industrial Defender ASM for Automation Systems Management INDUSTRIAL DEFENDER ASM FOR AUTOMATION SYSTEMS MANAGEMENT Industrial Defender ASM is a management platform designed to address the overlapping
More informationSecure DevOps: A Puma s Tail
Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code
More informationContinuous Integration / Continuous Testing
Bitte decken Sie die schraffierte Fläche mit einem Bild ab. Please cover the shaded area with a picture. (24,4 x 7,6 cm) Continuous Integration / Continuous Testing IIC What s SW Integration? Integration
More informationIBM Internet Security Systems Proventia Management SiteProtector
Supporting compliance and mitigating risk through centralized management of enterprise security devices IBM Internet Security Systems Proventia Management SiteProtector Highlights Reduces the costs and
More informationTRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald
TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE John McDonald 1 What is Trust? Can I trust that my assets will be available when I need them? Availability Critical Assets Security Can I trust
More informationV Conference on Application Security and Modern Technologies
V Conference on Application Security and Modern Technologies In collaborazione con Venezia, Università Ca Foscari 6 Ottobre 2017 1 Matteo Meucci OWASP Nuovi standard per la sicurezza applicativa 2
More informationPrep Work Exercises. Open Your VM c:\vm Images\2017\windows 10 x64 (2).vmx. Check Access to
Prep Work Exercises Open Your VM c:\vm Images\2017\windows 10 x64 (2).vmx UID: Admin PWD: P@ssword1 Check Access to http://6.94.185.35.bc.googleusercontent.com:8080/ssc/#/ UID: Admin PWD: Fortify@01 Command
More informationWeb Applications (Part 2) The Hackers New Target
Web Applications (Part 2) The Hackers New Target AppScan Source Edition Terence Chow Advisory Technical Consultant An IBM Rational IBM Software Proof of Technology Hacking 102: Integrating Web Application
More informationThe Convergence of Security and Compliance
ebook The Convergence of Security and Compliance How Next Generation Endpoint Security Manages 5 Core Compliance Controls Table of Contents Introduction....3 Positive versus Negative Application Security....3
More informationReinvent Your 2013 Security Management Strategy
Reinvent Your 2013 Security Management Strategy Laurent Boutet 18 septembre 2013 Phone:+33 6 25 34 12 01 Email:laurent.boutet@skyboxsecurity.com www.skyboxsecurity.com What are Your Key Objectives for
More informationVulnerability Management
Vulnerability Management Modern Vulnerability Management The IT landscape today is changing and because of that, vulnerability management needs to change too. IT environments today are filled with both
More informationBUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology
BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology ebook BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS
More informationRethinking Product Security: Cloud Demands a New Way
SESSION ID: CSV-R11 Rethinking Product Security: Cloud Demands a New Way Reeny Sondhi Chief of Product Security Autodesk Inc. @reenysondhi Tony Arous Head of Application Security Autodesk Inc. @tonyarous
More informationSIEMLESS THREAT MANAGEMENT
SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.
More informationSecurity and Compliance at Mavenlink
Security and Compliance at Mavenlink Table of Contents Introduction....3 Application Security....4....4....5 Infrastructure Security....8....8....8....9 Data Security.... 10....10....10 Infrastructure
More informationInternet Scanner 7.0 Service Pack 2 Frequently Asked Questions
Frequently Asked Questions Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions April 2005 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Internet Security Systems (ISS)
More informationVMware PIV-D Manager Deployment Guide
VMware PIV-D Manager Deployment Guide AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product is protected
More informationTHE ART OF SECURING 100 PRODUCTS. Nir
THE ART OF SECURING 100 PRODUCTS Nir Valtman @ValtmaNir I work for as the Application Security 1st time speaking publicly, except at Mmmm OH, AND Neither of my previous startups succeeded!
More informationAppSec Pipeline Application Security in an Agile Development, DevOps and Continuous Integration/Delivery/Change world.
AppSec Pipeline Application Security in an Agile Development, DevOps and Continuous Integration/Delivery/Change world. Doug Morato Sr. Manager PwC NIS App-Sec OWASP Tampa Meeting - 02/19/2016 Who am I
More informationVisual TruView Unified Network and Application Performance Management Focused on the Experience of the End User
Visual TruView Unified Network and Application Performance Management Focused on the Experience of the End User BUSINESS CHALLENGE Problems can occur anywhere from the physical layer to wireless, across
More informationNEXT GENERATION SECURITY OPERATIONS CENTER
DTS SOLUTION NEXT GENERATION SECURITY OPERATIONS CENTER SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 - SUCCESS FACTORS SOC 2.0 - FUNCTIONAL COMPONENTS DTS SOLUTION SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 Protecting
More informationCONTINUOUS DELIVERY IN THE ORACLE CLOUD
CONTINUOUS DELIVERY IN THE ORACLE CLOUD Lykle Thijssen Bruno Neves Alves June 7, 2018 NLOUG Tech Experience Amersfoort eproseed Confidential ABOUT US Lykle Thijssen Principal Architect and Scrum Master
More informationRisk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23
Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance
More informationChallenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9
HAWK Overview Agenda Contents Slide Challenges 3 HAWK Introduction 4 Key Benefits 6 About Gavin Technologies 7 Our Security Practice 8 Security Services Approach 9 Why Gavin Technologies 10 Key Clients
More informationIndex. Wouter de Kort 2016 W. de Kort, DevOps on the Microsoft Stack, DOI /
Index A Agile Manifesto methodologies, 6 phrases, 5 Scrum, 4 software development, 4 Sprints, 4 testers and developers, 4 Agile project management. See also Kanban and Lean techniques basics checklist,
More informationIT Monitoring Tool Gaps are Impacting the Business A survey of IT Professionals and Executives
IT Monitoring Tool Gaps are Impacting the Business A survey of IT Professionals and Executives June 2018 1 Executive Summary This research finds that large enterprise customers and employees endure a substantial
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationAzure Highlights. Randy Pagels Sr. Developer Technology Specialist US DX Developer Tools - Central Region
Azure Highlights Randy Pagels Sr. Developer Technology Specialist US DX Developer Tools - Central Region IaaS vs PaaS Introduction to Microsoft Azure IaaS, PaaS and SaaS Self-Service Provisioning Global
More informationGetting Started with AWS Security
Getting Started with AWS Security Tomas Clemente Sanchez Senior Consultant Security, Risk and Compliance September 21st 2017 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Move
More informationThe Connected Worker and the Enterprise of Things
The Connected Worker and the Enterprise of Things Todd Berger Sr. Director Technical Solutions January 2018 2007 2 Apple iphone 2017 BlackBerry. All Rights Reserved. 2 2017 Apple iphone X 2017 BlackBerry.
More information