AppScan Deployment. Application Security Services. Colin Bell, Applications Security Senior Practice Manager


Application Security Services: AppScan Deployment. Colin Bell, Applications Security Senior Practice Manager. Copyright 2017 HCL Products & Platforms, www.hcltech.com

The Evolution of DevOps
1960s - Monolithic Software Development
1975 - Prototyping
1980s - Throwaway Prototyping
1980s - Evolutionary Prototyping
1985 - Joint Application Development
1991 - Rapid Application Development
1992 - RAD/JAD
1999 - Extreme Prototyping / Programming
2001 - Agile Development
2001 - Continuous Integration / Continuous Delivery
2008 - DevOps

3 6/19/18

What is DevOps all about? The collaboration of Development and IT Operations. Its goal is automation of the software delivery process: releasing software quickly and reliably. In the basic model, Development feeds DevOps, which feeds Continuous Delivery into IT Operations. Where does testing fit into this model? How do we maintain the security of the applications?

What is DevOps all about? Testing is addressed by introducing QA into the model, with an emphasis on automating the QA process through tooling: Development, then Acceptance Test and Quality, then DevOps and Continuous Delivery, supported by Quality Assurance, IT Audit & Governance and IT Operations. However, Security is still not part of most DevOps models (it gets a minor mention on the wiki definition page). Security is an afterthought!

What is DevOps all about? Security needs to play a part for DevOps to truly work. However, it can't be a barrier to the objectives of DevOps. Tooling and automation are essential. In the extended model, Development feeds Acceptance Test, QA and Security Test, then Continuous Delivery with Security Build Automation and Secure Quality DevOps, through to Application Pen Test, Network Pen Test and Security Operations (ISOC), supported by Quality Assurance, IT Audit & Governance and IT Operations. Are organizations capable of reaching this?

Which Life Cycle?

SDLC - The Waterfall Approach
Phases: Requirements, Design, Code & Unit Test, Integration, System Test. Static analysis with IBM Security SAST tooling sits with Development at the Code & Unit Test phase; dynamic analysis with IBM Security DAST tooling sits with QA at the System Test phase; the penetration test by Security combines SAST, DAST with IBM Security AppScan Standard, and manual testing.

SDLC - DevOps suggests an Agile Approach
The Product Backlog feeds the Sprint Backlog; each sprint is an iteration of 2-3 weeks with a daily review, SAST (filtering on high confidence) and DAST inside the sprint. Product shipping is preceded by a penetration test by Security (SAST, AppScan Standard DAST and manual testing).

SDLC - The Agile-Fall Approach
This is the reality for most. Is it any different to waterfall? Requirements, Design, Integration (with SAST), System Test with dynamic analysis by QA (DAST), then a penetration test by Security (SAST, AppScan Standard DAST and manual testing).

Application Security Maturity
Unaware: No Application Security Program.
Awareness Phase: Internal Pen Testing; Vulnerability Reporting; Internal Assessments.
Corrective Phase: Application Security Gates; Code based Assessments; Build Integration Automation; Security Gate / Pen Testing; Application Risk Management; Some Levels of Automation.
Operational Excellence: Developer IDE Scanning; DevOps Integration; Build Integration Automation; Pass / Fail Gates for CI; QA Security Testing; Security Gate / Pen Testing; Application Risk Management; Repeatable Process.

Increase SDLC testing to increase maturity (security maturity over time)
Unaware: Doing Nothing.
Awareness Phase: Ad Hoc Testing. Security Team: AppScan Standard, Manual Pen Test.
Corrective Phase: Testing Before Deployment. Development: AppScan Source. QA Team: AppScan Enterprise. Security Team: AppScan Standard, Manual Pen Test.
Operations Excellence Phase: Testing Throughout the SDLC. Development: AppScan Source, AppScan Enterprise. QA Team: AppScan Enterprise. Security Team: AppScan Standard, Manual Pen Test.

Example: Assessing application security risk with AppScan

Application: IT Help. Description: Internal IT help. Exposure: Internal. Stores sensitive information: No. PCI compliance: No. Business impact: Low. Security assessment policy (based on business impact): Pre-Prod Scan; Annual Prod Test. Vulnerabilities found: 2 Medium (Session identifier not updated). Risk rating: Low.

Application: Product catalog. Description: Online product catalog. Exposure: External. Stores sensitive information: No. PCI compliance: No. Business impact: Medium. Security assessment policy: Code Scan on Builds; Pre-Prod Scan; Manual Pen Test; Annual Prod Test. Vulnerabilities found: 2 High (SQL Injection), 1 Medium (Open redirect). Risk rating: High.

Application: Travel Reservation. Description: Internal employee travel reservation. Exposure: Internal. Stores sensitive information: Yes. PCI compliance: Yes. Business impact: High. Security assessment policy: Dev Code Scanning; Code Scan on Builds; QA Dynamic Scan; Pre-Prod Scan; Manual Pen Test; Bi-Annual Prod Test. Vulnerabilities found: none listed. Risk rating: Medium.

Application: Online store. Description: Online store. Exposure: External. Stores sensitive information: Yes. PCI compliance: Yes. Business impact: Critical. Security assessment policy: Dev Code Scanning; Code Scan on Builds; QA Dynamic Scan; Pre-Prod Scan; Manual Pen Test; External Security Test; Quarterly Prod Test. Vulnerabilities found: 1 High (SQL Injection). Risk rating: Very High.

Risk rating = Business Impact x Vulnerability.

DAST Deployment Models

The Life Cycle of an Application (DAST)
Stages: CODE, BUILD, QA, SECURITY, PRODUCTION, with a Development Gate, a QA Gate and a Security Gate between them.
- CODE: Developers run quick scans (developer self scan) with the Application Only test policy. Development Gate: optional gate, self assessment.
- BUILD: Continuous Integration DAST automation, automated scans with the Application Only test policy.
- QA: Developers & QA testers run dynamic scans and ad hoc testing (Application Only and Input Control test policies). QA Gate conditions: all High & Medium risk Application issues resolved; all Input Validation issues resolved.
- SECURITY: AppScan Standard dynamic scans with the Complete test policy, manual pen testing, internal & external testing; the Security Champion performs pen testing and a deep dive review of the application. Security Gate conditions: all High risk issues resolved; all Medium risk issues older than 30 days resolved; any Low risk issues older than 90 days resolved.
- PRODUCTION.

Dynamic Analysis Phase 1 - Security Centric / Pen Testing
The Security Team uses the AppScan Standard desktop client to conduct scans of the web application(s) with the Complete Full Coverage test policy, alongside a manual pen test, then triages findings and verifies results. Output is PDF reports: a findings summary and compliance reports for Managers, and a detailed findings report for the Development Teams.

Dynamic Analysis Phase 2 - Enterprise Reporting
An AppScan Enterprise server (ASE, with its DB) is added for enterprise reporting, user administration and application management. The Security Team (AppScan Standard & Dynamic user) conducts scans with the AppScan Standard desktop client using the Complete Full Coverage test policy, triages findings and verifies results, publishes AppScan Standard results to ASE, publishes manual pen test findings as a CSV file, administers ASE, and creates enterprise-level metrics, trending and compliance reports. Managers (Reporting) view enterprise-level metrics, application management and compliance reports through dashboards & reports. Development Teams review results, manage issues and review findings.

Dynamic Analysis Phase 3 - Advanced Scanning & Reporting
In addition to the Phase 2 setup, dynamic analysis scanners run on-demand or scheduled scans and headless & automated scans of the web application(s); scan results feed the AppScan Enterprise DB alongside the published AppScan Standard results and manual findings, so the Security Team, Managers and Development Teams keep the same roles as before.

Dynamic Analysis Phase 4 - Introduce QA Security Testing
QA Teams (Dynamic user) now configure & conduct scans through the dynamic analysis scanners (on-demand or scheduled) with an Application test policy, manage issues and review findings. The Security Team, Managers and Development Teams keep their Phase 3 roles.

Dynamic Analysis Phase 5 - Full Enterprise wide testing
Development Teams (Dynamic user) now run quick scans through the dynamic analysis scanners with the Limited / Input Control test policy, manage issues and review findings. QA Teams continue with the Application test policy; the Security Team continues with the Complete Full Coverage test policy, manual pen testing, ASE administration and enterprise-level metrics, trending and compliance reports; Managers view the enterprise-level metrics and compliance reports.

Dynamic Analysis: Enterprise DAST evolves over time through these phases.

DAST Scanning Automation / Scan and Review
Continuous Integration DAST automation runs with the Application Only test policy, driven by automation from functional testing tools; dynamic analysis scanners scan the web application(s) and store scan results in the SQL Server DB behind Application Security Management reports & dashboards.
Security Team (are Champions): create policy, scan applications, approve findings and results; run detailed on-demand or scheduled scans with the Complete test policy; provide deep dive scanning in conjunction with manual pen testing.
Developers & QA: scan applications and review findings with the Input Only test policy; QA conduct scans for ad hoc testing.
Managers: view application metrics; regular management metrics.
Integration with QA testing tools for DAST automation: regular scans can be conducted after every build or at strategic points such as the end of a sprint.

DAST Process High Level: Scan, Validate, Release, Remediate (legend: Security, App Lead, Developer, Infra)
Security (IRMD): set goals for AVA scans; approve authorisation; govern the AVA scanning schedule; annual review and incident response. AVA scan results triage: review trend, determine security priorities, evaluate risk. Reported findings: validate scan results, verify fixes, share results with HODs.
App Lead: application on-boarding (configure and execute scan); new application scan configuration; completed scan. Decision: AVA scan findings remediated? Yes: code cleared for release. No: assign remediation tasks.
Developers: provide application details & function flows; review findings; correct code to fix vulnerabilities.

SAST Deployment Models

The Life Cycle of an Application (SAST)
Stages: CODE, BUILD, QA, SECURITY, PRODUCTION, with a CI / Development Gate and a Security Gate.
- CODE / BUILD: Continuous Integration with IFA for automation; IFA delta scans report only new issues. Development Gate conditions: build process controls, pass / fail.
- SECURITY: the Security Champion onboards the application using IFA for analysis to establish a baseline, and performs periodic deep dive reviews of the application using the IFA delta findings. Security Gate conditions: all High risk issues resolved; all Medium risk issues older than 30 days resolved; any Low risk issues older than 90 days resolved.
- PRODUCTION.

CASE 1 - Initial Distributed Model
Architecture: AppScan Source DB with Application Security Management reports & dashboards; source code & dependencies are scanned and assessment data is published as bundles.
Managers (Reporting): view application metrics, manage risk.
Lead Developer Champion(s), one champion per development team (10 in total): administration (access); publish assessments; create shared configuration files; create shared filters (security policy); markup management: resolve lost sinks, identify lost sources, create custom rules.
Security Team (For Analysis): scan (full coverage), onboard applications, conduct scans, review assessments, approve scan results, triage scan results.
Developers (For Remediation): open assessments, fix findings.
Observations: the key objective was to get development teams scanning; the security team was not part of the process (IBM performed this role initially); management metrics and risk scoring were unclear; each team used a different SDLC approach; lots of legacy code was in scope.

Should All Data be Trusted? Consider the interactions with one central database.
The diagram places a central client policy database among a new business application (.NET), third party applications (unknown), a reporting application (Java), middleware, a mobile application (Android & iOS), a COBOL number cruncher and customer statements (Java). The third party applications supply untrusted data; the new business application sanitizes untrusted data before passing it on as trusted data; the other applications are shown exchanging trusted data; the middleware returns unsanitized data, and the slide notes that this data should NOT be trusted.

CASE 2 - Automation as a priority
Architecture: a build server scans automatically (Scan (Auto)) with a config / filter (baseline policy), integrated with the build process (Jenkins, Maven, CLI); findings are auto-published to the AppScan Source DB and Application Security Management reports & dashboards; assessment results are kept on a network share. No security champions in place.
Managers / PCI Auditor (Reporting): view application metrics.
Security Team (For Analysis): create policy / baseline, review assessments.
Developers (For Remediation): open assessments, fix findings, conduct scans.
Observations: DevOps focused on automation and tooling; results and findings are less important than getting the scans run on a regular basis; full on-boarding of applications to be done at a later phase; education of developers on secure coding also earmarked for a later phase.

CASE 3 - Developer Scanning
Architecture: thousands of developers, no security champions in place. Developers (For Development) scan applications and projects and fix findings; scan metrics and usage stats are auto-communicated to the server and extracted from the AppScan Source DB into Application Security Management. Administration maintains users and application management. Shared scan configuration files, shared scan filters (security policy) and shared scan markup settings live on a network share; configuration, filters and updates are pushed to developer workstations (end point management).
Security Team (For Analysis): create policy / baseline, review assessments.
Observations: priority to get security scanning to each and every developer; very small security team with minimal global reach; results not being reviewed by Security; metrics based on who has the software installed and who has run a scan; developers confused as to why this is happening; findings and risk a lower priority.

CASE 3 - DevOps CI Pipe expansion
Pipeline stages: Design & Plan, CODE, CI & BUILD, TEST, RUN, overlaid with developer assisted tooling and security assurance.
Senior Developers (For Development): SAST IDE scanning; scan applications and projects.
CI & BUILD: submitted application code and dependencies go to SAST automation (Security Team, For Automation) with a self service portal and portal reporting.
TEST / RUN: Interactive Application Security Test (IAST) and Runtime Application Self Protection (RASP).
Security: security audit; Security Champions (For Analysis) create scan configuration files, scan filters and markup rules for applications.

CASE 4 - SAST Automation and Security Testing
Architecture: a build server scans automatically (Scan (Auto)) with custom rules (application policy), integrated with the build process (TFS, CLI); findings are auto-published to the AppScan Source DB and Application Security Management reports & dashboards; assessment results are kept on a network share; IFA supports markup management and ensuring scan coverage. Security Team are Champions: each application is scanned by the security team to ensure full coverage.
Managers (Reporting): view application metrics.
Security Team (For Analysis): create policy / baseline, scan applications, markup to ensure coverage.
Developers (For Remediation): open assessments, fix findings, conduct scans.
Observations: the security team is working through applications to onboard them; developers get results from the security team and then set priorities; automation is used to maintain steady state scanning; on premise auto triage (IFA) is used to speed up the triage process.

- The Security Life Cycle of an Application: IFA enhances continuous testing

Cognitive computing applied to security vulnerability analysis: machine learning with Intelligent Findings Analytics (IFA). Now available on premise! (Only available with the Automation License.)
Fast AppScan SAST results: Intelligent Findings Analytics is a fully automated review of scan findings, trained by IBM/HCL security experts. Early and repeatable vulnerability analysis drives cost reduction for fixes.
Learned results: reduce false positives; minimize unlikely attack scenarios; provide fix recommendations that resolve multiple vulnerabilities.


Phase 1 : Application On Boarding (Security Team are Champions)
Each application is scanned by the security team and a review is conducted to ensure full coverage. Security Team (For Analysis): create config / filters, scan applications, rescan, markup to ensure coverage. Markup management: maintain config & filters, add missing sources, resolve genuine lost sinks, ensure scan coverage.
1. Identify any missing sources.
2. Resolve lost sinks to help resolve scan coverage exceptions.
3. Mark only genuine sinks.
4. Scan with a config that will automatically mark all remaining lost sinks as taint propagators, maximising the data flow.
The deeper triage of findings is conducted using Intelligent Findings Analytics (IFA): the original OZASMT assessment is run through IFA triage, IFA is used to focus on actionable findings and also to provide delta reports (IFA-Delta); assessment results are kept on a network share. This initial cycle formulates the baseline.
The initial IFA triage scan results are reviewed with the development team. The development team may choose to filter additional findings where data points can be trusted (issue to filter); the remainder are then assigned as defects to be corrected (fix code). Developers (For Remediation): open assessments, fix findings.
A final scan is conducted and the results are published as the baseline assessment. Managers (Reporting) view application metrics from the Application Security Management reports & dashboards backed by the AppScan Source DB.

Phase 2 : Build Integration (Security Team are Champions)
With the application on-boarded, CLI scripts can be developed to initiate the scan from the build cycle: a post-build script called from a CI environment such as Jenkins or TFS scans the application, runs IFA and publishes the delta results. Build Server (For Automation): Scan (Auto), IFA, publish delta assessment; integration with the build process (Jenkins, CLI). Security Team (For Analysis): update config / filters; develop the CLI script to scan, run IFA and publish via the build. Managers (Reporting): view application metrics.

Phase 3 : On Going Scan and Review (Security Team are Champions)
Automation of the application is complete. Regular scans can be conducted after every build or at strategic points such as the end of a sprint. Delta reports from the baseline report only newly found issues. The security team role is reduced to approving filter alterations. Build Server (For Automation): Scan (Auto), IFA, publish delta assessment. Security Team (For Analysis): update config / filters, modify filters (markup management), issue to filter. Developers (For Remediation): open assessments, fix findings, fix code. Assessment results (original OZASMT, IFA triage, IFA-Delta) are kept on a network share; Managers (Reporting) view application metrics.

Phase 4 : Periodic Full Review (Security Team are Champions)
The security team provides periodic reviews of the application. These reviews are needed to assess the rules written and the scan exclusions, and to investigate the scan coverage. They enhance the markup of the application and provide a deeper level of analysis. Security Team (For Analysis): update config / filters, scan applications, markup to ensure coverage, issue to filter; markup management: add missing sources, resolve genuine lost sinks, review excluded findings, mark no-trace findings; IFA; assessment results on a network share. Developers (For Remediation): open assessments, fix findings, fix code.

Triage with IFA - Suggested Workflow (swimlanes: Security Analyst, Lead Developer / Champion, Developer)
Security Analyst: maintain users; define scan policies; maintain scan metrics; periodically review scan results.
Lead Developer / Champion: conduct normal scan. Any scan coverage issues? Yes: create custom rules (for sources and genuine sinks), filter false positives (using a pre-scan filter). No: conduct auto taint propagation scan; analyze reported findings; manually run IFA in triage mode; publish IFA findings to ASE.
Developer: conduct scan from IDE (optional). Is the finding genuine? Yes: fix finding. No: report findings.

Application SAST Timeline: time spent for every 250K lines of code (hours), in chart order: 13.2, 8.3, 6.5, 2.5 for On Boarding Activities, Build Integration Steps, On Going Scan and Review, Periodic Full Application SAST Review.

- The Security Life Cycle of an Application: ASoC Scanning and Enablement

Application Security on Cloud (ASoC): Dynamic Analysis, Static Analysis, Mobile Analysis, Open Source Analysis.

ASoC Application Security Gates - Multiple Gates
Stages: CODE, BUILD, QA, SECURITY, PRODUCTION, with a CI / Development Gate, a QA Gate and a Security Gate.
- CODE: Developers run IDE SAST scanning.
- BUILD: Continuous Integration with SAST automation and DAST automation. Development Gate conditions: build process controls, pass / fail; must pass the organization's BASELINE filter.
- QA: Developers & QA testers run ad hoc scanning (DAST, SAST, Open Source) and mobile scanning. QA Gate conditions: all High & Medium risk Application issues resolved; all Input Validation issues resolved.
- SECURITY: Security Champion pen testing. Security Gate conditions: all High risk issues resolved; all Medium risk issues older than 30 days resolved; any Low risk issues older than 90 days resolved.
- PRODUCTION.
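The gate conditions repeated on the DAST and SAST life cycle slides and on this ASoC slide can be encoded as a CI gate check so that the pass / fail decision is mechanical. The Python below is an added example, not code from the deck or from AppScan; the finding fields, the baseline filter (High severity) and the sample findings are assumptions.

```python
"""Gate evaluator for the three application security gates on the slides
(Development / CI gate, QA gate, Security gate). Constructed example: the
findings below are made up, and the field names are assumptions rather
than any AppScan export format."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    """One scanner finding.  `issue_id` is a stable fingerprint used to match
    a finding against the published baseline; `category` is an assumed label
    separating 'Application' issues from 'Input Validation' issues, which the
    QA gate treats differently."""
    issue_id: str
    issue_type: str
    severity: str        # "High", "Medium" or "Low"
    category: str        # "Application" or "Input Validation"
    first_seen: date
    resolved: bool = False


def open_findings(findings):
    return [f for f in findings if not f.resolved]


def development_gate(findings, baseline_ids, baseline_filter=("High",)):
    """CI / Development gate.  A delta scan reports only issues that are not
    already in the baseline; the build fails when one of those new issues
    matches the organisation's baseline filter (assumed here: High severity)."""
    delta = [f for f in open_findings(findings) if f.issue_id not in baseline_ids]
    return [f for f in delta if f.severity in baseline_filter]


def qa_gate(findings):
    """QA gate: all High & Medium risk Application issues resolved, and all
    Input Validation issues resolved regardless of severity."""
    return [f for f in open_findings(findings)
            if f.category == "Input Validation" or f.severity in ("High", "Medium")]


def security_gate(findings, today):
    """Security gate: all High risk issues resolved; Medium risk issues open
    for more than 30 days and Low risk issues open for more than 90 days
    must be resolved.  Younger Medium / Low issues are allowed through."""
    max_open_days = {"Medium": 30, "Low": 90}
    blocking = []
    for f in open_findings(findings):
        age = (today - f.first_seen).days
        if f.severity == "High" or age > max_open_days[f.severity]:
            blocking.append(f)
    return blocking


def evaluate_gates(findings, baseline_ids, today):
    """Run all three gates and return {gate: sorted ids of blocking findings}.
    An empty list means that gate passes."""
    return {
        "development": sorted(f.issue_id for f in development_gate(findings, baseline_ids)),
        "qa": sorted(f.issue_id for f in qa_gate(findings)),
        "security": sorted(f.issue_id for f in security_gate(findings, today)),
    }


# Constructed sample data; the scan date matches the deck's date footer.
TODAY = date(2018, 6, 19)
BASELINE_IDS = {"F-1", "F-2"}   # issues already in the published baseline assessment
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL Injection", "High", "Application", TODAY - timedelta(days=120), resolved=True),
    Finding("F-2", "Session identifier not updated", "Medium", "Application", TODAY - timedelta(days=45)),
    Finding("F-3", "Open redirect", "Medium", "Application", TODAY - timedelta(days=10)),
    Finding("F-4", "Cross-site scripting", "High", "Input Validation", TODAY - timedelta(days=2)),
    Finding("F-5", "Cookie without HttpOnly flag", "Low", "Application", TODAY - timedelta(days=100)),
]


if __name__ == "__main__":
    for gate, ids in evaluate_gates(SAMPLE_FINDINGS, BASELINE_IDS, TODAY).items():
        status = "PASS" if not ids else "FAIL (blocking: " + ", ".join(ids) + ")"
        print(f"{gate:<12} {status}")
```

With the sample data the development gate is blocked only by the new High finding F-4, while the security gate additionally catches the 45-day-old Medium and the 100-day-old Low issue.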

ASoC Scanning Automation / Scan and Review
Use a single console for managing application risk, test results, reporting and policies.
Continuous Integration: DAST automation (automation from functional testing tools) scanning the web application(s); SAST automation using an IRX (intermediate representation of code); IDE scans; mobile scans (interactive testing of a mobile binary); open source analysis on all scans.
Security Team: create policy, scan applications, approve findings.
Developers: scan applications, review findings.
Managers: view application metrics; regular management metrics.
Integration with CI testing tools for DAST & SAST automation: regular scans can be conducted after every build or at strategic points such as the end of a sprint.

Questions???