Micro Focus Fortify. Andy Earle Sr. Security Solutions Architect. Haleh Nematollahy Sr. Security Solutions Architect

Transcription

1 Micro Focus Fortify Andy Earle Sr. Security Solutions Architect Haleh Nematollahy Sr. Security Solutions Architect

2 Introduction Derrick Wilson Civilian- Account Executive Nicole Cragin Civilian - Account Executive Andy Earle Sr. Security Solutions Architect Haleh Nematollahy Sr. Security Solutions Architect Steven Klein Carasoft - Partner Ryan Talento Carahsoft- Partner 2

3 HPE Software is now Micro Focus! Laptops Printers Enterprise Services Servers Networ k Storage Enterprise Software 3

4 Fortify Software Security Assurance Confidential

5 The majority of security breaches today are from application vulnerabilities 90% Percentage of applications containing at least one critical or high vulnerability. 1 Security incidents from exploits against defects in the design or code of software. 2 Source: Application Security Research Update by the HPE Software Security Research team, U.S. Department of Homeland Security s U.S. Computer Emergency Response Team (US-CERT) 5

6 Vision Enable DevOps and the next-gen SDLC by accelerating integration, automation and agility for both on-demand & on-premise solutions to enable customers to release the most secure applications at Enterprise speed Go Faster, more securely, with less manual intervention 6

7 Software Security Assurance (SSA & SDLC) Security Design Code Test Integration Operate - Staging Monitoring + Protection 30x more costly to secure in Production 30X Security Gate Cost Remediation + Secure SDLC 10X 15X 5X 1X Requirements Coding Integration/ Component Testing System Testing Production 7 Source: NIST

8 Vision & Strategy Build it in 1 Secure Development Continuous feedback on the developer s desktop at DevOps speed 2 Security Testing Embed scalable security into the development tool chain 3 Continuous Monitoring and Protection Monitor and protect software running in Production Improve SDLC Policies This is application security for the new SDLC

9 Fortify is recognized for delivering value 4 out of 4 U.S. DoD Branches 14 out of 14 U.S. Federal Civilian Departments 10 out of 10 of the largest information technology companies 10 out of 10 of the largest banks 2018 Gartner Magic Quadrant for AST Fortify 4 out of 5 of the largest pharmaceutical companies 3 out of 3 of the largest independent software vendors 5 out of 5 of the largest telecommunication companies 9

10 Software Security Assurance (SSA & SDLC) Security Design Code Test Integration - Staging Operate Development Fortify Static Suite Static Code Analyzer (SCA) Audit Workbench (AWB) IDE Plugin Software Security Center (SSC) Hybrid Testing / Operations Fortify Dynamic Suite Visibility & Defense WebInspect (WI) WebInspect Enterprise (WIE) Continuous Web Monitoring (CM) On-demand Web Scans Software Security Center (SSC) Fortify Runtime Protection Logging AppDefender Fortify On Demand (FOD) / Vendor Management Application Defender

11 SCA

12 Traditional Software Scanning Process Scheduled Check-out, Build and Scan Build / Scan Static Code Analysis (SCA) Upload Scan Results Fortify SSC Code Repository Repeat as Necessary Check in Code.fpr file Developers Bug Tracking Scan Fix Developer Fixes Bug / Security Finding Submit Findings to Bug Tracker Auditor Reviews Results Auditor /Security

13 Fortify Timeline Versioning has changed to major version matching calendar year April 2014 Fortify 4.1 April 2015 Fortify 4.3 April 2016 Fortify WebInspect April 2017 Fortify WebInspect April 2018 Fortify WebInspect September 2014 Fortify 4.2 November 2015 Fortify 4.4 December 2016 Fortify WebInspect November 2017 Fortify WebInspect

14 SCA Roadmap Current Release Next Release Future Releases Release.NET Frontend Phase III VS2017 MVC.NET Core ECMAScript 2015 Scala Java 9 Swift 3.1 PHP 7.x Deployed Planned 14

15 Fortify Ver Summary April 2017 SCA Apple Swift 2.2 and support MVC Model Class Support for Xcode 8.2.Net Support for C# ver. 6 and VB.NET ver. 14.Net Async/Await support Angular Technical Preview for AngularJS Support Salesforce Support for Apex and VisualForce Python Performance improvements for Python Multi-threaded scanning

16 Static Code Analyzer Features Feature Details.NET Phase III.NET Core and ASP.NET Core frameworks MVC.NET 4.7 Latest version of VB.NET: VB.NET 15 (VB.NET 14 in 17.10) Latest version of C#: C# 7 (C# 6 in 17.10) Visual Studio 2017 PHP 7.x PHP 5.x constructs PHP 7.x new classes and interfaces PHP 7.x constructs Apple Swift 3.1 Xcode

17 Static Code Analyzer Features Feature Details Scala Scala versions: 2.12 (latest) 2.11 Play framework (except Twirl templates) Requires Lightbend license ECMAScript 2015 ECMAScript 2015 constructs such as: Arrow functions For of loops Java 9 Leveraging the changes announced in OpenJDK Scan applications written in Java 9 High performance parallel mode on by default Introduced in % reduction in scan time on average FoD used it as default mode On by default in

18 Parallel scanning The old way Introduced in version 4.0 SCA used to spawn multiple processes in parallel Process was resource heavy and required mathematical computation For example, if the machine had 32 GB of RAM and 8 cores, the recommended configuration would be: sourceanalyzer -j 2 Xmx14G Dcom.fortify.sca.RmiWorkerMaxHeap=7G And this may still lead to memory errors depending on complexity of code. Deprecated as of

19 Multithreaded parallel mode Solution Redesigned and reimplemented Uses native Java multithreading instead of creating master process and spawning separate processes Removed need for communications and monitoring between master and child processes added burden Simple to enable (no complex mathematics) Results Scans complete in 50% of the time compared to single-threaded on average Process is optimized and scales to available resources automatically It scales better to large hardware and is substantially simpler to use Enable high performance parallel mode by either: adding the mt command-line parameter to the SCA scan phase command line, or adding the property key com.fortify.sca.multithreadedanalysis=true to your fortify-sca.properties file. 19

20 SSC Roadmap Current Release Next Release Future Releases Release SSC Scalability Phase 1 New plugin framework Octane Plugin RESTful API Refactor Export to CSV SSC Setup Wizard Tool Replacement GitHub Repository w/ Parser, Bug Tracking, and JS Sandbox Deployed Planned 21

21 Ver Summary April 2016 SSC Improved interactions with Dynamic Scan results Issue Attachment support for Dynamic Scans Ability to view issues assigned to you Advanced Audit and Conflict strategy settings Scheduled alerts

22 SSC Features Feature Details Better Plugin Framework and API Samples New Plugin Framework UI Plugin Management New GitHub Repository Simple and Faster Setup Setup Wizard Tool Replacement Powerful external reporting Export to CSV Better sorting & grouping Group By Introduced Date 26

23 27 Export to CSV Powerful External Reporting

24 SSC Group by Introduced Date Better Sorting & Grouping 28

25 UI Plugin Management Better Integrations 29

26 github.com/fortify Better Integrations & API Samples Consolidated FoD and On-Premise Repository Sample Parser Plugin JS Sandbox Project w/ development tutorial Automate Predict and Train with Audit Assistant / SSC Creating / Uploading / Downloading Fortify Application Version(s) Automate Reporting Generate Authentication Tokens User Management Jenkins Plugin (Open Sourced) 30

27 31 SSC Setup Wizard Simple, Faster Setup

28 New SSC Setup Wizard

29 17.2 New Plugin Framework The new plugin framework was created support a growing ecosystem of integrations. The framework supports running third-party parser plugins, bug tracker plugins, and is designed with the core goals Isolation Granularity Reliability The framework is built with a robust and reliable messaging mechanism to ensure data integrity. 33

30 UI Plugin Management

31 Fortify Tools Roadmap Current Release Next Release Future Releases Release Visual Studio 2017 (SCA + FoD) VSTS + CloudScan Smart View (AWB) IntelliJ plugin (FoD) Phase 1 SCA MSBuild task Deployed Planned 35

32 Visual Studio 2017 Full On Premise and FoD plugin

33 Smart View for AWB Efficient Auditing and Remediation Sort by Folder -> Then by Group By any mapping -> Then by Source OR Sink OR Converged Data Flow Quickly understand how multiple issues are related from a data flow perspective Apply Smart View filters to begin triaging or fixing issues at most efficient point 37

34 Smart View for AWB (continued) Efficient Auditing and Remediation Quickly advance through three level of groupings Tiles are dynamically sized based upon the number of issues Design works with large amounts of issues and is very performant For auditors and developers 38

35 Best practices learned from securing DevOps: scan automation and integration that can be applied anywhere, parallel processing, and audit assistant

36 DevOps Definition, Principles and Benefits DevOps- A practice that emphasizes the collaboration and communication between software developers and IT professionals, with the goal of automating the process of software delivery and infrastructure changes. Principles Develop and test in an environment similar to production Deploy builds frequently Automate the process of delivering software Validate quality continuously Benefits Faster time to value Faster time to market with higher quality Stay ahead in a competitive environment 40

37 Promise vs Reality of Security in DevOps 99% of those surveyed agreed that DevOps is an opportunity to improve application security Network 25% none 17% Testing during Developme nt 20% Pre- Production Gate 38% But only 20% perform application security testing during development. Most wait until late in the SDLC or not at all! Source: HPE Secure DevOps Survey, Sept

38 42 Automation DevOps Tool Chain

39 The right approach for the new SDLC Build it in 1 Secure Development Continuous feedback on the developer s desktop at DevOps speed 2 Security Testing Embed scalable security into the development tool chain 3 Continuous Monitoring and Protection Monitor and protect software running in Production Improve SDLC Policies This is application security for the new SDLC

40 44 Let s Talk AppSec Process, Challenges, Auditing, Remediation

41 Application Security Testing Static Analysis Dynamic Analysis 45

42 Static Software Scanning Process Check in Code Scheduled or Triggered Check-out and Build Code Repository Scrum Developers Continuous Integration Jenkins, TFS, etc. (Auto) Deliver for Analysis REPEAT AS NECESSARY Vulnerability Findings Issue Tracking Developer Fixes Bug / Finding Scanning Engine (SCA) Integrations SonarQube, Archer, etc. Mgmt Portal (SSC) Security/Tech Lead Submit Findings to Bug Tracker

43 Static Analysis - AppSec Testing Challenges Lengthy / Memory intensive scans Complex build processes, frequency of builds, difficult security integrations Volume of static findings requiring human auditing to validate (this is #1) Risk tolerance to validated findings Managed service findings require prioritization Modular builds / micro services present dataflow challenges Remediate validated findings Communicate findings to developers and metrics/kpis to management New and Improved.Net scanning 47

44 Static Analysis Lengthy / Memory Intensive Scans Use of multiple cores / processors / cloudscan Offload scans from build server to a dedicated scanning server Create scalable static scanning solutions Reduce frequency of scans Incremental scanning Large apps should sometimes be broken up into logical modules based upon data flow Lightweight static scans early in the SDLC 48

45 Static Analysis Complexity & Frequency Complex Builds AppSec team must work with developers and build engineers when automating Static integration examples on a internal wiki (proactive) Centralized scanning solution outside of the build process Frequency Ensure storage solution is sufficient/scalable when scanning multiple times a day Reasonable data retention policy for scanning result files Automate merging of new scans with previous scans. Required to preserve previous audit decisions / trending 49

46 Static Analysis - Triaging Static Findings Main blocker of effective static security scans moving at a high speed Quickest way to derail static testing is to push garbage findings to the Dev Team Security cannot be responsible for auditing findings if they don t have a development background Development must be accountable for acceptable organization s risk Available and current vulnerability training Auditing: Sort by common sources and sinks for dataflow issues Apply audit knowledge from past decisions Begin with targeted list of vulnerabilities and expand as your program matures Make previously audited scan files available Audit peer review Use a risk profile for applications (internal, external, PII, etc.) Define security controls that map to vulnerability types. Machine learning to apply past audit decisions to predict future audit decision 50

47 Static Analysis Triaging Results Demo Audit Workbench and Smart View 51

48 52 Audit Assistant/ Scan Analytics

49 Machine Learning - scan analytics & audit assistant Do more with your AppSec DATA Streamline appsec program by making the auditing process more efficient Increase the relevancy and consistency of findings unique to your organization preferences Identify relevant issues earlier in the SDLC Scale and accelerate your AppSec program with existing resources

50 Software Security Center (SSC) - Audit assistant Machine learning assisted identification of relevant scan results Exploit able Pot ent ial Vulns. Indeterminate Audit Assistant Not an Issue

51 Scan analytics Machine learning to make AppSec more efficient Identify true vulnerabilities and prioritize them for remediation faster Focus on triaging and investigating high priority vulnerabilities. Return value-added time to your developers and auditors Exploit able Pot ent ial Vulns. Fortify Scan Analytics Indeterminate Not an Issue 56

52 57 Demo Audit Assistant

53 Static Analysis Managed Service Apply Organization / Environmental / Business context if a static scan is run and audited in a third party bubble Good at removing false positives, not as good removing issues you don t care about (compensating control / unique environmental issue / etc.) SLA / turnaround time must meet development / business objectives 58

54 Static Analysis Modularity / Micro Services Security Testing Challenges: Need the entire application for data flow Different teams build different components Duplicate findings need to be accounted for Auditor s need to understand what was previously identified, what to fix and where 59

55 Static Analysis Remediation See it, Fix IT! Define effective security controls for your organizations technology stack Not every fix is created equally Talk to a software architect (if he/she is friendly) Automate recommendations via security controls Internal security libraries for common language 60

56 61 Fortify Security Assistant

57 Fortify security assistant Building in security as you code Identify weaknesses as developers write code in real-time A Spell check security scanning Identify issues earlier in the SDLC Educate developer about security Accelerate appsec program (increase productivity & efficiency)

58 Fortify security assistant Real-time lightweight analysis of the source code Fortify menu for additional options Vulnerable line of code is highlighted as developer code & provides tips for additional information Level of criticality All issues detected in the project Type of vulnerability, explanation and detailed remediation guidance

59 64 Demo Security Assistant

60 Static Analysis Communication Don t have developers go to a separate portal if they have a bug tracking solution Automate batch bug submission of security defects once findings are validated Don t submit bugs for unaudited findings Don t submit duplicate bugs Don t break builds for every unaudited static finding Understand your static analysis tools confidence thresholds and use it for automation Mark builds as unstable if critical/high findings are flagged Requires a baseline scan of the application and audit to establish Understand your defect tracking solutions or provide an alternative for security defects 65

61 Static Analysis Metrics Provide regular metrics Positive trending metrics make adoption easier Automate reporting and upload to source repository (required artifact) Tailor reports / dashboard Take advantage of available tools (GRC, etc) 66

62 Static Analysis Metrics Demo SSC 67

63 68 Fortify WebInspect

64 Fortify WebInspect Dynamics analysis find critical security issues in running applications Features: Quickly identify risk in existing applications Automate dynamic application security testing of any technology, from development through production Validate vulnerabilities in running applications, prioritizing the most critical issues for root-cause analysis

65 Included In Every WebInspect License SmartCard / CAC Authentication FISMA / / DISA STIG Compliance Reporting Scan Web Applications, SOAP and RESTful Services, URL Rewriting Scan Mobile Web sites, plus Mobile Native Scan Advanced Crawler with Javascript execution Integration into WAFs, Software Security Center, WebInspect Enterprise Hybrid scanning with the WebInspect Agent Tools for manual Testing and Penetration including automatic SQL Injection WebInspect API plus BURP Integration SmartUpdate automatic frequent security content updates from the largest dedicated Software Security Research group. OFFLINE activations and updates Incremental scan

66 Fortify WebInspect Enterprise Extending effective application security testing across the entire enterprise Problem it solves: Manages large-scale, distributed security testing programs across thousands of applications Features: Benefits: Monitor critical metrics, progress and trends across largescale application security testing programs Provide an ongoing enterprise-wide view of production and pre-production application security assurance Control your application security program through rolebased scanning and reporting administration Eliminate inefficient and inconsistent assessment and vulnerability management processes Increase visibility and control of security testing efforts and reporting Prove compliance with regulations, standards and policies

67 72 Demo WI

68 73 Fortify Support

69 Fortify Support and Versioning Case Management Service Request Management on SSO Knowledge Articles Self-Solve Knowledge on SSO Static Code Analyzer RulePacks Support.Fortify.com Premium Content Support.Fortify.com Downloads Licensing & Software Download Portal (US Gov Agencies) Documentation Documentation on Protect724 Fortify Community Protect724 Product Announcement s Subscribe to Product Announcements Board Notification Management Service Request and Document Notifications

70 75 Q&A