Managing an Application Vulnerability Management Program in a CI/CD Environment. March 29, 2018 OWASP Vancouver - Karim Lalji 1
|
|
- Lauren Leslie Bond
- 5 years ago
- Views:
Transcription
1 Managing an Application Vulnerability Management Program in a CI/CD Environment March 29, 2018 OWASP Vancouver - Karim Lalji 1
2 About Me Karim Lalji Managing Security Consultant (VA/PT) at TELUS Previously: Application Security Consultant, Software Engineer, Sysadmin M.Sc in Information Security (Candidate) B.Tech in Computer Systems / Network Security GPEN, GWAPT, GCIH, GSEC Certifications March 29, 2018 OWASP Vancouver - Karim Lalji 2
3 Application Security 2017 Verizon Data Breach Investigation Report (DBIR) March 29, 2018 OWASP Vancouver - Karim Lalji 3
4 Application Security Why is application security so important? Web apps have many moving parts Most organizations have an internet facing application in their environment Web apps deal with very sensitive data Web apps are a more reliable entry point for attackers March 29, 2018 OWASP Vancouver - Karim Lalji 4
5 Application Security So why the results in the 2017 DBIR? The field of application security is still very young The relationship between developers and InfoSec professionals often becomes adversarial Successful vulnerability management for web apps requires a paradigm shift and a new set of technologies Most InfoSec approaches stem from traditional network security March 29, 2018 OWASP Vancouver - Karim Lalji 5
6 Software Development Modern software environments are different from what they used to be: Agile methodologies Sprints, product backlogs, feature teams Single deployable units of code Many developers working on a single feature March 29, 2018 OWASP Vancouver - Karim Lalji 6
7 Software Development Agile Development General Structure Agile Team Business Analyst Scrum Master / PM Developer 1 Developer 2 QA Analyst 1 DevOps Engineer March 29, 2018 OWASP Vancouver - Karim Lalji 7
8 DevOps We ve all heard the new term DevOps but what does it mean? DevOps is a philosophy Focuses on automation Continuous Integration (CI) Continuous Delivery (CD) March 29, 2018 OWASP Vancouver - Karim Lalji 8
9 DevOps March 29, 2018 OWASP Vancouver - Karim Lalji 9
10 Branching March 29, 2018 OWASP Vancouver - Karim Lalji 10
11 CI/CD Many large software enterprises have multiple deployment environments with build cycles Environment Build Interval Development QA Staging Production N/A Daily Weekly Bi-Weekly Code that is merged in development gets pushed to QA daily Features passing QA are moving to staging; features that don t will be reverted March 29, 2018 OWASP Vancouver - Karim Lalji 11
12 CI/CD DevOps helps automate the build/release cycle CI Tools: Bamboo and Jenkins Build Tools: Maven, Ant and Gradle Version Control: Bitbucket, GIT Issue Tracking: JIRA March 29, 2018 OWASP Vancouver - Karim Lalji 12
13 Application Security Testing Security bugs found in production cost up to 30x more to fix than in development (NIST) March 29, 2018 OWASP Vancouver - Karim Lalji 13
14 Application Security Testing Many different tools available to us AST family of tools Static Application Security Testing (SAST) Dynamic Application Security Testing (DAST) Interactive Application Security Testing (IAST) Human Testing (Penetration Testing ) March 29, 2018 OWASP Vancouver - Karim Lalji 14
15 SAST Static Application Security Testing (SAST) Scans source code for vulnerability White-box approach Sources and sinks Source: where external data passes into application Sink: code destination that can be abused if malicious data reaches it SAST tool must be able to follow data flow path March 29, 2018 OWASP Vancouver - Karim Lalji 15
16 SAST public void getrequestdata() { } String customername = request.getparameter(name); updatecustomername(customername) public boolean updatecustomername(customername){ Statement statement = conn.createstatement(); String sql = UPDATE Customers SET first_name = + customername + WHERE id = 5 ; SOURCE } statement.executeupdate(sql) SINK March 29, 2018 OWASP Vancouver - Karim Lalji 16
17 SAST SAST Considerations Often produces many findings Requires triage/tuning to reduce false positives Speaks to the developer in their language Provides opportunities to catch security issues early Can be executed at any S-SDLC phase but most valuable in development March 29, 2018 OWASP Vancouver - Karim Lalji 17
18 SAST SAST Frequency Frequency will depend on organization Remember quick feedback to developers! Traditionally run daily or weekly Modern CI/CD tools allow commit level scans Only scan the deltas or what has changed Prevent the change from merging before issues are fixed Allows developers to learn and promotes application security learning March 29, 2018 OWASP Vancouver - Karim Lalji 18
19 SAST March 29, 2018 OWASP Vancouver - Karim Lalji 19
20 SAST March 29, 2018 OWASP Vancouver - Karim Lalji 20
21 SAST SAST IDE Integration March 29, 2018 OWASP Vancouver - Karim Lalji 21
22 SAST SAST can usually be run on both complied and source code, pro s cons to both Incremental scans require source code Immediate feedback requires source code Some compilers have been caught inserting backdoors and rootkits. Legal issues using raw source on a SaaS platform? Option 1 (use bytecode analysis) Option 2 (consider an on-premise solution) March 29, 2018 OWASP Vancouver - Karim Lalji 22
23 DAST Dynamic Application Security Testing (DAST) Scans the running application Black-box approach Looks at application behavior, various injection points and security misconfigurations Can be executed at any development phase but most valuable in testing and production environments March 29, 2018 OWASP Vancouver - Karim Lalji 23
24 DAST Frequency will depend on organization Keep in mind, requires functional running app Generally linked to testing and production Often times run weekly or bi-weekly (sprint) Can also (and perhaps should) be run continuously Issues can be automatically pushed to issue tracking software eg: JIRA March 29, 2018 OWASP Vancouver - Karim Lalji 24
25 DAST March 29, 2018 OWASP Vancouver - Karim Lalji 25
26 IAST Interactive Application Security Testing (IAST) Aims to combine some of the functionality of DAST and SAST Places an agent in a running application Agent inspects behavior and triggers dynamic and source code scanning March 29, 2018 OWASP Vancouver - Karim Lalji 26
27 IAST By Elsane (Gimp Previously published: [GFDL ( or CC BY-SA 3.0 ( via Wikimedia Commons March 29, 2018 OWASP Vancouver - Karim Lalji 27
28 IAST IAST Pros: Libraries/frameworks cause SAST tools to produce lost sources and lost sinks which it can t analyze Correlates the running application with source code Can produce less false positives IAST Cons: Not specialized in either DAST or SAST Reduces false positives; may also reduce overall findings Can negatively impact application performance March 29, 2018 OWASP Vancouver - Karim Lalji 28
29 RASP Runtime Application Self Protection (RASP) Similar to IAST in terms of an application agent Not a scanning/testing tool More of a protection tool Designed as a sophisticated form of WAF/IPS WAF s block malicious strings without context RASP tools execute the incoming data in an instrumentation section, run it and then determine whether it s safe March 29, 2018 OWASP Vancouver - Karim Lalji 29
30 AST Tools Tool Type License Fortify by Microfocus (HP) DAST/SAST/IAST/RASP Commercial Veracode DAST/SAST/RASP Commercial IBM AppScan DAST/SAST Commercial Whitehat Sentinel DAST/SAST Commercial Acunetix DAST Commercial CheckMarx (CxSuite) SAST Commercial Contrast Security IAST Commercial Burp Suite DAST/SAST Commercial/Free OWASP ZAP DAST Free SonarQube SAST Free Arachni DAST Free March 29, 2018 OWASP Vancouver - Karim Lalji 30
31 AST Tools March 29, 2018 OWASP Vancouver - Karim Lalji 31
32 Human Testing Humans are still smarter than computers The value of manual security assessments cannot be eliminated by automated tools Penetration tests attempt to emulate risks posed by more advanced attackers PCI Requirement 11.3 mandates organizations conduct penetration testing at least annually March 29, 2018 OWASP Vancouver - Karim Lalji 32
33 SLA A note about SLA s (Service Level Agreements) DAST/SAST findings should follow normal client SLA s Ensure prioritization isn t separate Otherwise, expect them to go in the later pile Utilize time to remediate, SLA breaches and overall baseline scores as part of a Key Progress Indicator (KPI) March 29, 2018 OWASP Vancouver - Karim Lalji 33
34 Vulnerability Management How do we achieve application vulnerability management? High visibility (Dashboards) Baseline / Targets Metrics Security awareness (business and developers) March 29, 2018 OWASP Vancouver - Karim Lalji 34
35 Vulnerability Management March 29, 2018 OWASP Vancouver - Karim Lalji 35
36 Vulnerability Management March 29, 2018 OWASP Vancouver - Karim Lalji 36
37 Summary Phase Tools and Activities Production Utilize DAST/IAST at regular intervals May not be as frequent as test environment Remember test / prod may not be mirrored Integrate into issue tracking software (Eg: JIRA or Service Now) Tie security issues into regular development SLA s Conduct regular penetration testing activities Testing Run DAST/IAST tools frequently/continuously Integrate into developers issue tracking software (eg: JIRA) Development Quick developer feedback Utilize SAST tools Integrate with CI/CD tools to provide commit/build level feedback Use IDE integrations to help train developers March 29, 2018 OWASP Vancouver - Karim Lalji 37
38 Questions March 29, 2018 OWASP Vancouver - Karim Lalji 38
AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager
APPLICATION SECURITY SERVICES AppScan Deployment Colin Bell Applications Security Senior Practice Manager Copyright 2017 HCL Products & Platforms www.hcltech.com The Evolution of Devops 2001 - Continuous
More informationSuman Sourav Director DevSecOps, Vantage Point Security. OWASP Indonesia Day 2017
Suman Sourav Director DevSecOps, Vantage Point Security OWASP Indonesia Day 2017 About me Certified Secure Software Lifecycle Professional (CSSLP) 12+ Years of Experience in Software Security Co-Founder
More informationAppSec Pipeline Application Security in an Agile Development, DevOps and Continuous Integration/Delivery/Change world.
AppSec Pipeline Application Security in an Agile Development, DevOps and Continuous Integration/Delivery/Change world. Doug Morato Sr. Manager PwC NIS App-Sec OWASP Tampa Meeting - 02/19/2016 Who am I
More informationApplication Security at Scale
Jake Marcinko Standards Manager, PCI Security Standards Council Jeff Williams CTO, Contrast Security Application Security at Scale AppSec at Scale Delivering Timely Security Solutions / Services to Meet
More informationThanks to Swisscom.
Thanks to Swisscom www.swisscom.com @Swisscom_de The OWASP Foundation https://www.owasp.org S-SDLC Ready for Clouds? Robert Schneider robert.schneider@owasp.org Robert Schneider ICT Security Officer @Swisscom
More informationContinuous Opportunity: DevOps & Security
August 2017 August 15, 2017 Continuous Opportunity: DevOps & Security 2016-2017 SANS Institute All Rights Reserved Introduction Ben Allen Security Engineer at SANS Institute Operations Engineer, Developer
More informationWHITEHAT SENTINEL PRODUCT FAMILY. WhiteHat Sentinel Product Family
WHITEHAT PRODUCT FAMILY WhiteHat Sentinel Product Family Combining technology with human intelligence to deliver the world's most powerful and accurate application security WhiteHat Sentinel is a software-as-a-service
More informationA Strategic Approach to Web Application Security
A STRATEGIC APPROACH TO WEB APP SECURITY WHITE PAPER A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle The problem: websites are the new
More informationTest Automation Strategies in Continuous Delivery. Nandan Shinde Test Automation Architect (Tech CoE) Cognizant Technology Solutions
Test Automation Strategies in Continuous Delivery Nandan Shinde Test Automation Architect (Tech CoE) Cognizant Technology Solutions The world of application is going through a monumental shift.. Evolving
More informationHow to Secure Your Cloud with...a Cloud?
A New Era of Thinking How to Secure Your Cloud with...a Cloud? Eitan Worcel Offering Manager - Application Security on Cloud IBM Security 1 2016 IBM Corporation 1 A New Era of Thinking Agenda IBM Cloud
More informationTHE CONTRAST ASSESS COST ADVANTAGE
WHITEPAPER THE CONTRAST ASSESS COST ADVANTAGE APPLICATION SECURITY TESTING COSTS COMPARED WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE CONTRASTSECURITY.COM EXECUTIVE SUMMARY Applications account for
More informationMicro Focus Security Fortify. Application Security
Micro Focus Security Fortify Application Security Secure the new Application security in DevOps Agenda: - Fortify in brief (Offerings) - Fortify Source Code Analyzer - Fortify WebInspect - Using Fortify
More informationTHE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU. Jeff Williams,
THE FUTURE OF APPSEC AUTOMATION WHY YOUR APPSEC EXPERTS ARE KILLING YOU Jeff Williams, CTO @planetlevel CONTRAST SECURITY 291 Lambert Avenue Palo Alto, California 94306 www.contrastsecurity.com ARE YOU
More informationDevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1
DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1 Agenda State of DevOps Value of DevOps Benefitting from DevOps DevSecOps What you can do as InfoSec 2 The State of DevOps - 2017 Automation is
More informationMicro Focus Fortify Application Security
Micro Focus Fortify Application Security Petr Kunstat SW Consultant +420 603 400 377 petr.kunstat@microfocus.com My web/mobile app is secure. What about yours? High level IT Delivery process Business Idea
More informationEffective Application Security Testing at High Velocity: Keeping up with Agile / DevOps February 28, 2017 Today s Speaker:
Effective Application Security Testing at High Velocity: Keeping up with Agile / DevOps February 28, 2017 Today s Speaker: Cindy Blake CISSP Product Marketing Manager Hewlett Packard Enterprise Effective
More informationAutomated Testing of Tableau Dashboards
Kinesis Technical Whitepapers April 2018 Kinesis CI Automated Testing of Tableau Dashboards Abstract Companies make business critical decisions every day, based on data from their business intelligence
More informationBrochure. Security. Fortify on Demand Dynamic Application Security Testing
Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application
More informationTaking Control of Your Application Security
EDUCAUSE Wednesday, May 3 rd Taking Control of Your Application Security 2017 SANS Institute All Rights Reserved INTRODUCTION Eric Johnson, CISSP, GSSP-Java, GSSP-.NET, GWAPT Application Security Curriculum
More informationA SEISMIC SHIFT IN APPLICATION SECURITY HOW TO INTEGRATE AND AUTOMATE SECURITY IN THE DEVOPS LIFECYCLE
A SEISMIC SHIFT IN APPLICATION SECURITY HOW TO INTEGRATE AND AUTOMATE SECURITY IN THE DEVOPS LIFECYCLE WHAT'S INSIDE? INTRODUCTION THE TRADITIONAL APPLICATION SECURITY WORKFLOW WHY SHIFT LEFT ISN T ENOUGH
More informationContinuously Discover and Eliminate Security Risk in Production Apps
White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application
More informationSecurity Solution. Web Application
Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,
More informationNOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect
NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should
More informationWeaving Security into Every Application
Weaving Security into Every Application Paul Fox AVP Technology AT&T 2018 TM Forum 1 Cyber Security Accelerating Threat Telecom Breaches 300,000 Number of complaints filed with the FBI Internet Crime Complaint
More informationPut Security Into Your DevOps NOW. Or Prepare for the Flood Matthew Fisher Solution Architect, Fortify Federal 08MAR2018
Put Security Into Your DevOps NOW Or Prepare for the Flood Matthew Fisher Solution Architect, Fortify Federal 08MAR2018 Defining Devops State of Devops Report (Puppet, Dora):..set of practices and cultural
More informationAppSec in a DevOps World
AppSec in a DevOps World Peter Chestna Director of Developer Engagement 1 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Who am I? 27 Years Software Development Experience 12 Years Application Security
More informationAzure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region
Azure DevOps Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region What is DevOps? People. Process. Products. Build & Test Deploy DevOps is the union of people, process, and products to
More informationStrengthen and Scale security using DevSecOps
OWASP Indonesia Meetup Strengthen and Scale security using DevSecOps $ www.teachera.io!"# @secfigo % secfigo@gmail.com # whoami Author, Speaker and Community Leader. Speaker/Trainer at Blackhat, AppSec EU,
More informationTHE ART OF SECURING 100 PRODUCTS. Nir
THE ART OF SECURING 100 PRODUCTS Nir Valtman @ValtmaNir I work for as the Application Security 1st time speaking publicly, except at Mmmm OH, AND Neither of my previous startups succeeded!
More informationIn collaborazione con
In collaborazione con 1. Software Security Introduction 2. SDLC frameworks: how OWASP can help on software security 3. OWASP Software Security 5 Dimension Framework 4. Apply the models to a real
More informationTHE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018
THE MAIN APPLICATION SECURITY TECHNOLOGIES TO ADOPT BY 2018 1 Application Security Continues to Evolve This September, consumer credit reporting agency Equifax reported a security breach that occurred
More informationCONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WHITEPAPER
WHITEPAPER CONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE CONTRASTSECURITY.COM CONTENTS What is Interactive
More informationApplication Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.
Application Security Use Cases RASP, WAF, NGWAF, What The Hell is The Difference. Acronym Soup July 29, 2016 2 July 29, 2016 3 Definition of Terms WAF Web Application Firewall / waf / noun 1. An appliance,
More informationSecurity as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS
Security as Code: The Time is Now Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS Introduction Business is moving faster to the cloud, and DevOps is accelerating scale and pushing automation
More informationSecure DevOps: A Puma s Tail
Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code
More informationDevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY
DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo
More informationWHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012
WHITEHAT SECURITY DECEMBER 2012 T.C. NIEDZIALKOWSKI Technical Evangelist tc@whitehatsec.com WhiteHat Security Company Overview Headquartered in Santa Clara, CA WhiteHat Sentinel SaaS end-to-end website
More informationSIEMLESS THREAT MANAGEMENT
SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More informationOvercoming the Challenges of Automating Security in a DevOps Environment
SESSION ID: LAB-W02 Overcoming the Challenges of Automating Security in a DevOps Environment Murray Goldschmidt Chief Operating Officer Sense of Security @ITsecurityAU Michael McKinnon Director, Commercial
More informationRethinking Product Security: Cloud Demands a New Way
SESSION ID: CSV-R11 Rethinking Product Security: Cloud Demands a New Way Reeny Sondhi Chief of Product Security Autodesk Inc. @reenysondhi Tony Arous Head of Application Security Autodesk Inc. @tonyarous
More informationEmbedding GDPR into the SDLC
Embedding GDPR into the SDLC Sebastien Deleersnyder Siebe De Roovere Toreon 2 Who is Who? Sebastien Deleersnyder Siebe De Roovere 5 years developer experience 15+ years information security experience
More informationTHE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security
THE THREE WAYS OF SECURITY Jeff Williams Co-founder and CTO Contrast Security 1. TODAY S AVERAGE APPLICATION IS A SECURITY DISASTER 2. SOFTWARE IS LEAVING SECURITY IN THE DUST SOFTWARE Typical enterprise
More informationApplication Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security
Application Security at DevOps Speed and Portfolio Scale Jeff Williams @planetlevel Contrast Security OWASP XSS Prevention Cheat Sheet 1,000,000 Page Views! https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevention_cheat_sheet
More informationSecure Agile Development
Secure Agile Development With FISMA Compliance / FYRM Overview Qualifications Experience Respected Partner FedRAMP 3PAO Performance CPAR 4/4 CMS, DOE Fortune 500 Strategy Secure Agile Knowledge Sharing
More informationEmbedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere
Embedding GDPR into the SDLC Sebastien Deleersnyder Siebe De Roovere Who is Who? Sebastien Deleersnyder 5 years developer experience 15+ years information security experience Application security consultant
More informationPractical Guide to Securing the SDLC
Practical Guide to Securing the SDLC Branko Ninkovic Dragonfly Technologies Founder Agenda Understanding the Threats Software versus Security Goals Secure Coding and Testing A Proactive Approach to Secure
More informationWe re redefining Software Quality
We re redefining Software Quality Continuous Testing Web Services Agile Testing Mobile Device Farm Test Lifecycle Management Performance Test Quality Assurance Mobile Device Management Test Life Cycle
More informationManaged Application Security trends and best practices in application security
Managed Application Security trends and best practices in application security Adrian Locusteanu, B2B Delivery Director, Telekom Romania adrian.locusteanu@telekom.ro About Me Adrian Locusteanu is the B2B
More informationDevOps A How To for Agility with Security
DevOps A How To for Agility with Security Murray Goldschmidt, COO Compliance, Protection & Business Confidence Sense of Security Pty Ltd Sydney Level 8, 66 King Street Sydney NSW 2000 Australia Melbourne
More informationHow to Build an Appium Continuous Testing Pipeline
How to Build an Appium Continuous Testing Pipeline Step-by-Step Tutorial November, 2017 Today s speakers Guy Arieli, CTO, Experitest Ruth Zamir Marketing Director Experitest 01 Why do we need continuous
More informationShift Left Testing: are you ready? Live Webinar, Sept 19
Shift Left Testing: are you ready? Live Webinar, Sept 19 Guy Arieli CTO, Experitest 01 What exactly is Shift Left? Agenda 02 03 How Shift Left affects application development & testing organizational structures
More informationCompliance Audit Readiness. Bob Kral Tenable Network Security
Compliance Audit Readiness Bob Kral Tenable Network Security Agenda State of the Market Drifting Out of Compliance Continuous Compliance Top 5 Hardest To Sustain PCI DSS Requirements Procedural support
More informationShiftLeft. OWASP SAST Benchmark
ShiftLeft OWASP SAST Benchmark Table of Contents Overview... 2 Towards a new generation of static analysis products... 2 Results on the OWASP benchmark... 3 Ingredient #1: Our data flow tracker... 4 Ingredient
More informationTHE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015
THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT 2 EXECUTIVE SUMMARY The growth of enterprise-developed applications has made it easier for businesses to use technology to work more efficiently and productively.
More informationSecuring DevOps, RMF and STIG
Securing DevOps, RMF and STIG Scott Snowden Sameer Kamani May 2017 San Diego Federal Fortify Users Group DevOps definition and principles DevOps (a clipped compound of development and operations) is a
More informationDiscover Best of Show März 2016, Düsseldorf
Discover Best of Show 2016 2. - 3. März 2016, Düsseldorf 2. - 3. März 2016 Softwaresicherheit im Zeitalter von DevOps Lucas von Stockhausen Regional Product Manager Fortify The case for Application Security
More informationINTERACTIVE APPLICATION SECURITY TESTING (IAST)
WHITEPAPER INTERACTIVE APPLICATION SECURITY TESTING (IAST) Software affects virtually every aspect of an individual s finances, safety, government, communication, businesses, and even happiness. Individuals
More informationShiftLeft. Real-World Runtime Protection Benchmarking
ShiftLeft Real-World Runtime Protection Benchmarking Table of Contents Executive Summary... 02 Testing Approach... 02 ShiftLeft Technology... 04 Test Application... 06 Results... 07 SQL injection exploits
More informationBUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE:
BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE: 15 Questions to Ask Yourself and Your DAST Vendor > An Introduction to the AppSec Market Page 3 Dynamic Application Security Testing Requirements Page
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationHow to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M. Matias Madou Ph.D., Secure Code Warrior
How to spend $3.6M on one coding mistake and other fun stuff you can do with $3.6M Matias Madou Ph.D., Secure Code Warrior Matias Madou, Ph.D. CTO and Co-Founder Ph.D. in Computer Engineering from Ghent
More informationAbout Us. Services CONSULTING OUTSOURCING TRAINING MENTORING STAFF AUGMENTATION 9/9/2016
About Us Incorporated in January, 2003 QA and QC in expertise focused on functional, performance and application security validation HPE Software Gold Partner, HPE Authorized Software Support Partner &
More informationVulnerability Assessment with Application Security
Vulnerability Assessment with Application Security Targeted attacks are growing and companies are scrambling to protect critical web applications. Both a vulnerability scanner and a web application firewall
More informationDefectDojo. The Good, the Bad and the Ugly. OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider
DefectDojo The Good, the Bad and the Ugly OWASP Stammtisch Hamburg Tilmann Haak Manuel Schneider 2018-05-31 PREFACE CIO: What is the security posture of our applications? How do you handle and communicate
More informationDevOps and DevSec with
DevOps and DevSec with Joona Immonen Software architect Solita Oy https://www.linkedin.com/in/joonaimmonen Twitter @rinorragi @SolitaOy THIS IS SOLITA Turnover 2015 49,7 Million euros Nearly 500 professionals
More informationBuilding Security Into Applications
Building Security Into Applications Cincinnati Chapter Meetings Marco Morana Chapter Lead Blue Ash, July 30 th 2008 Copyright 2008 The Foundation Permission is granted to copy, distribute and/or modify
More informationBEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION
GUIDE BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION CONTINUOUS SECURITY With attackers getting more sophisticated every day, manual methods of locating and testing web-based apps
More informationBUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology
BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology ebook BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS
More informationSecure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO
Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO tom.stiehm@coveros.com 1 About Coveros Coveros helps organizations accelerate the delivery of business value through
More informationIBM Application Security on Cloud
April, 2017 IBM Application Security on Cloud Service Overview Security has and will always be about understanding, managing, and mitigating the risk to an organization s most critical assets. - Dr. Eric
More informationTHE REAL ROOT CAUSES OF BREACHES. Security and IT Pros at Odds Over AppSec
THE REAL ROOT CAUSES OF BREACHES Security and IT Pros at Odds Over AppSec EXECUTIVE SUMMARY Breaches still happen, even with today s intense focus on security. According to Verizon s 2016 Data Breach Investigation
More informationSAMPLE QUESTIONS for: Test C , Security Dynamic and Static Applications V2, Fundamentals
SAMPLE QUESTIONS for: Test C2150-500, Security Dynamic and Static Applications V2, Fundamentals Note: The bolded response option is the correct answer. Item 500.1.1.5 A customer of five years calls on
More informationSuma Soft s IT Risk & Security Management Solutions for Global Enterprises
Suma Soft s IT Risk & Security Management Solutions for Global Enterprises Overview: For over 16 years, Suma Soft has provided IT risk management solutions for varied SMEs and MNCs and helped solve regulatory,
More informationSafety and Speed How Tenable Runs Swift and Sure in a DevOps World
SESSION ID: GPS-F02B Safety and Speed How Tenable Runs Swift and Sure in a DevOps World Dave Cole Chief Product Officer Tenable @mediafishy Agenda The Problem Hypothesis What We Did Results Key Takeaways
More informationMcAfee Product Security Practices
McAfee Product Security Practices 12 October 2017 McAfee Public Page 1 of 8 12 October 2017 Expires 12 Apr 2018 Importance of Security At McAfee (formerly Intel Security) we take product security very
More informationContinuous Integration & Code Quality MINDS-ON NUNO 11 APRIL 2017
Continuous Integration & Code Quality MINDS-ON NUNO BETTENCOURT (NMB@ISEP.IPP.PT) @DEI, 11 APRIL 2017 Continuous Integration - THE THEORY - NMB@DEI - 11 April, 2017 CONTINUOUS INTEGRATION & SOFTWARE QUALITY
More informationThinkPalm s BreakThrough DevOps Capabilities ThinkPalm
ThinkPalm s BreakThrough DevOps Capabilities ThinkPalm Dev Ops Business Planning Collaborative Development Customer Feedback & Optimization Testing Monitoring Release and Deployment STANDARDS OPERATE DEPLOY
More informationSunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.
Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS 1 Introduction MOBILE, SOCIAL & CLOUD ARE RAISING CUSTOMER EXPECTATIONS We need a way to deliver software so fast that our
More informationTeam Foundation Consulting. Training. Team Member Training User training designed to cater for specific roles within your team. Developer TFVC / Git
Team Foundation Consulting Training Team Member Training User training designed to cater for specific roles within your team. Project Manager Developer TFVC / Git Tester DevOps End-to-End ALM Application
More informationWas gibt es Neues Better Team Work with Cloud
Was gibt es Neues Better Team Work with Cloud Dana Singleterry Produktmanager Oracle Mobility & Dev Tools, Oracle dana.singleterry@oracle.com +++ Bitte nutzen Sie die integrierte Audio-Funktion von WebEx
More informationWHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION
WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION 2 Web application firewalls (WAFs) entered the security market at the turn of the century as web apps became increasingly
More informationThreat Landscape 2017
Pattern Recognition and Applications Lab WEB Security Giorgio Giacinto giacinto@diee.unica.it Computer Security 2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy Threat
More informationWhat is database continuous integration?
What is database continuous integration? Database continuous integration (CI) is the rapid integration of database schema and logic changes into application development efforts and to provide immediate
More informationIBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners
IBM Security AppScan Enterprise v9.0.1 Importing Issues from Third Party Scanners Anton Barua antonba@ca.ibm.com October 14, 2014 Abstract: To manage the challenge of addressing application security at
More informationDevOps, Continuous Integration & Automated Testing: Rule Them All
DevOps, Continuous Integration & Automated Testing: Rule Them All SAMIR BEHARA Solution Architect EBSCO, Birmingham, AL DATABASE RELEASE? EMAIL THE SCRIPTS & I WILL EXECUTE IT Database Lifecycle Management
More informationPresentation Overview
Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application
More informationCYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun Reading This lecture [McGraw]: Ch. 7-9 2 Seven Touchpoints 1. Code review 2. Architectural
More informationCAPABILITY. Managed testing services. Strong test managers experienced in working with business and technology stakeholders
TESTING SERVICES 1 CAPABILITY Innovative use of open source tools helping early and frequent and reducing license costs Test strategy Managed services Test management Functional Strong test managers experienced
More informationMarc Hornbeek DevOps-the-Gray Principal DevOps Consultant, Trace3 Author, DevOps Test Engineering Course The DevOps Institute
HOST EXPERT PANEL Shashi Kiran CMO Quali Marc Hornbeek DevOps-the-Gray Principal DevOps Consultant, Trace3 Author, DevOps Test Engineering Course The DevOps Institute Pascal Joly Director, Technology Partnerships
More informationNathan Desmet. Lead Engineer
Nathan Desmet Lead Engineer Degree in Applied Informatics - Computer and Cyber Crime Professional Co-founder of Sensei Security (which is merged with SCW) Leading the development of Sensei. Pieter De Cremer,
More informationMARCH Secure Software Development WHAT TO CONSIDER
MARCH 2017 Secure Software Development WHAT TO CONSIDER Table of Content Introduction... 2 Background... 3 Problem Statement... 3 Considerations... 4 Planning... 4 Start with security in requirements (Abuse
More informationMcAfee Product Security Practices
McAfee Product Security Practices 5 July 2018 McAfee Public Page 1 of 12 2 April 2018 Expires 5 July 2019 Table of Contents Importance of Security... 3 Software Development Lifecycle (SDLC) at McAfee...
More informationState of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode
State of Software Security Report Volume 2 Jeff Ennis, CEH Solutions Architect Veracode 1 Agenda Background Metrics, Distribution of Applications Security of Applications Third Party Risk Summary 2 Background
More information4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints
Reading This lecture [McGraw]: Ch. 7-9 CYSE 411/AIT 681 Secure Software Engineering Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun 2 Seven Touchpoints Application of Touchpoints
More informationWeb Applications (Part 2) The Hackers New Target
Web Applications (Part 2) The Hackers New Target AppScan Source Edition Terence Chow Advisory Technical Consultant An IBM Rational IBM Software Proof of Technology Hacking 102: Integrating Web Application
More informationWITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,
More informationDevOps Made Easy. Shireesh Thanneru, Platform Architect. Intel. Linoy Alexander, Director, DevOps
DevOps Made Easy Shireesh Thanneru, Platform Architect Intel Linoy Alexander, Director, DevOps Justyna Kucharczak, Sr. Product Marketing Manager, Platform Pegasystems Agenda Why DevOps? A look at benefits
More informationSECURITY TRAINING SECURITY TRAINING
SECURITY TRAINING SECURITY TRAINING Addressing software security effectively means applying a framework of focused activities throughout the software lifecycle in addition to implementing sundry security
More information