Put Security Into Your DevOps NOW. Or Prepare for the Flood Matthew Fisher Solution Architect, Fortify Federal 08MAR2018

Defining DevOps
- State of DevOps Report (Puppet, DORA): "...set of practices and cultural values that has been proven to help organizations of all sizes improve their software release cycles, software quality, security, and ability to get rapid feedback on product development."
- Amazon Web Services: "cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity"
- Wikipedia: "strongly advocate automation and monitoring at all steps of software construction, from integration, testing, releasing to deployment and infrastructure management. DevOps aims at shorter development cycles, increased deployment frequency, more dependable releases, in close alignment with business objectives."
Sources: 2017 State of DevOps Report, presented by Puppet and DORA; Amazon Web Services: https://aws.amazon.com/devops/what-is-devops/; Wikipedia: https://en.wikipedia.org/wiki/devops

More Applications Released 30x Faster: Software @ DevOps Speed (chart of number of applications against release frequency, 2010 through 2020+). Source: Better outcomes, faster results. Continuous delivery and the race for better business performance, Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise)

AppSec Risk by the Numbers
- 1,900,000,000 records lost globally in the first half of 2017
- 1,400,000 sensitive PII records lost in a single US breach
- 15% of survey respondents reported a breach
- 23% of survey respondents cited their application as the source
References: breachlevelindex.com and SANS 2017 Application Security survey

Top Breaches by Type, 1H 2017 (chart). Reference: Verizon DBIR 2017

Embedding Security into the SDLC = Huge Benefits
Without Fortify, you deal with:
- Slow time to market
- Lots of false positives
- Longer scans
- Slow remediation
- Few vulnerabilities found
With Fortify, you benefit from:
- 30x faster time to market
- 95% fewer false positives
- 10-15x faster scans
- 10x faster remediation
- 2x more vulnerabilities found

Promise vs Reality of Security in DevOps
99% of those surveyed agreed that DevOps is an opportunity to improve application security. But only 20% perform application security testing during development. Most wait until late in the SDLC or not at all!
Where does security currently fit:
- Pre-Production Gate: 38%
- Network: 25%
- Testing during Development: 20%
- None: 17%
Reference: Application Security and DevOps Report 2016

"If there's something we need to comply with, let's turn it into an automated test." Mark Schwartz, former CIO, USCIS, DevOps Enterprise Summit 2014

Tenets of DevSecOps
- Automated Testing: security testing must be comprehensive and automated within the pipeline, and the pipeline must be able to make automated decisions on security test results
- Fail Fast, Fix Fast: developers equipped to fix security issues rapidly
- Integrated Feedback: immediate security feedback into a single issue management system
- Cloud Deployable: able to provision the entire pipeline as code

Integrate application security with DevOps: DevOps requires an expanded scope of application security, from development, through traditional scanning and testing, and into production. (Diagram labels: SCA, FoD, WebInspect.)

Fortify Software Security Assurance
- Automated, comprehensive, security-focused static analysis
- Dedicated Software Security Research Group: not crowdsourced nor an afterthought
- Over 800 vulnerability categories covered, with quarterly updates
- Developer plugins that take them to the vulnerable line of code for the fix, and Security Assistant for prevention
- Build adapters for automating build integration
- CI plugins for scanning at build time and updating build status
- Issue management integrations
- Headless installs for cloud deployment into ephemeral environments

Best Programming Language Coverage: 25+ programming languages supported, and counting

Static Software Scanning Process (diagram, flattened here into its sequence of steps):
1. Developers check in code to the code repository
2. Scheduled or triggered check-out and build on the continuous integration server (Jenkins, TFS, etc.)
3. (Auto) deliver the build for analysis to the scanning engine (SCA)
4. Vulnerability findings are submitted to the management portal (SSC), where the Security/Tech Lead reviews them
5. Findings are submitted to the bug tracker (issue tracking)
6. Developer fixes the bug / finding within the Scrum cycle
7. Repeat as necessary

Developer Desktop: Security Assistant. Real-time checking for the most common issues as you type.

Developer Desktop: IDE Plugins. Scan and fix vulnerabilities before committing. Open scan files generated from build integrations or by security auditors to see line-of-code vulnerability detail overlaid on your code, together with fix information.

Build Integrations
- Out of the box: GNU Make, MSBuild, XCodeBuild
- Build integrations make it easy to integrate automated static analysis into the complete build process
- Out-of-the-box support for a wide variety of build tools
- Robust Fortify command line utilities exist for additional integrations

Continuous Integration Plugins: Fortify Client, Fortify FPR Utility

Jenkins Plugin
- Simplifies creating a Fortify scan job via Jenkins
- Performs the scan and uploads to Software Security Center
- Updates build status based on criteria
- Reports security status within the plugin: no need to log in anywhere else for quick status checks

Jenkins Plugin
- Filter results based on a template of your prioritizations
- Fail the build based on a search syntax

Fortify SCA with Continuous Integration
- Easy integration: integrate into the actual build with out-of-the-box integrations and utilities
- Flexible architecture: perform the scan directly on the build server or offload it to the included CloudScan array
- Deployable: Source Code Analyzer is easily deployed via a Jenkins job for ephemeral systems
- Build status support: use integrations, utilities or the API to read results and make a real-time build status decision
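Added example, not from the deck or from Fortify's own tooling: a Python build gate that carries out the decision the last three slides describe (read results, filter by a prioritization template, suppress auditor-triaged findings, set build status) over a constructed set of findings. The Finding fields and all scores are constructed; the priority mapping assumes the published Fortify Priority Order thresholds (impact and likelihood on a 0-5 scale, each cut at 2.5) and should be checked against your version's documentation.

```python
"""CI build gate over static-analysis findings: filter, count, set build status."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str           # e.g. "SQL Injection"
    impact: float           # 0..5 impact score from the rule metadata
    likelihood: float       # 0..5 likelihood score from the rule metadata
    audit_status: str = ""  # auditor verdict from SSC, e.g. "Not an Issue"


def priority_order(impact: float, likelihood: float) -> str:
    """Assumed Fortify Priority Order mapping: both axes cut at 2.5."""
    high_impact, likely = impact >= 2.5, likelihood >= 2.5
    if high_impact and likely:
        return "critical"
    if high_impact:
        return "high"
    return "medium" if likely else "low"


def evaluate(findings, fail_on=("critical", "high"), max_allowed=0,
             suppressed=("Not an Issue",)):
    """Return build verdict plus per-priority counts.
    fail_on: priorities counted against the build (the filter template);
    max_allowed: how many may match before failing; suppressed: audit
    statuses dropped so triaged false positives stop breaking the build."""
    live = [f for f in findings if f.audit_status not in suppressed]
    counts = Counter(priority_order(f.impact, f.likelihood) for f in live)
    blocking = sum(counts[p] for p in fail_on)
    status = "FAILURE" if blocking > max_allowed else "SUCCESS"
    return {"status": status, "blocking": blocking, "counts": dict(counts)}


# Constructed sample results; scores are illustrative, not from a rule pack.
SAMPLE = [
    Finding("SQL Injection", 5.0, 4.0),
    Finding("Cross-Site Scripting: Reflected", 3.0, 2.0),
    Finding("Password Management: Hardcoded Password", 4.0, 3.5, "Not an Issue"),
    Finding("Poor Error Handling: Empty Catch Block", 1.0, 3.0),
    Finding("Dead Code: Unused Field", 0.5, 1.0),
]

if __name__ == "__main__":
    verdict = evaluate(SAMPLE)
    print(verdict)  # status FAILURE: one critical and one high finding block
    raise SystemExit(1 if verdict["status"] == "FAILURE" else 0)
```

The non-zero exit code is what a CI job would key its build status on; the suppressed list is what keeps an auditor's "Not an Issue" verdict from re-failing every rescan.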

CloudScan: Optional Architecture Included with Fortify
- Only code translation is performed on the build machine; the result is then shipped to CloudScan for the longer-running scan phase
- The FPR file is uploaded to SSC and parsed for build status as normal
- Centralizes scanning on a few machines shared across multiple build machines
- Removes the intensive and slower scanning process from the build pipeline

Software Security Center: Enterprise-Ready Software Security Management
- LDAP/SSO/CAC ready
- Artifact and vulnerability management
- Portfolio-level KPIs and metrics
- Open reporting interface with STIG and FISMA reports
- Swaggerized RESTful APIs
- Issue management integrations

Issue Management Integrations: application lifecycle management, Fortify service integration, extendable plugin architecture

Key Software Security Center Integrations
- Automatically receive scan files from build integrations
- Automated updating of management metrics
- Swaggerized APIs for deeper automation
- Web-based results reviewing
- Automated downloading of scan files to developers' Fortify instances on their desktops
- Push results automatically to issue management with the extensible plugin framework
- STIG compliance reporting

Audit Assistant: Machine Learning to Make AppSec More Efficient
- Identify true vulnerabilities with up to 98% accuracy and prioritize them for remediation faster
- Return value-added time to your developers and auditors
- Focus on triaging and investigating high-priority vulnerabilities

WebInspect: Automated Dynamic Scanning
- Remote headless provisioning for ephemeral environments (requires an on-site persistent license management server in the infrastructure)
- Swaggerized API for automated scanning
- Import test results into Software Security Center to aggregate with static analysis metrics and the issue management integration
- Results are exportable in FPR format and can be opened and viewed in the IDE plugins or Audit Workbench just like static results

End-to-end pipeline (diagram, flattened here by stage and role):
- Pipeline stages: Developer -> Code Repository -> Continuous Integration (Jenkins, TFS, etc.) -> Continuous Delivery (Docker) -> Dynamic Testing (WebInspect, functional test, performance test) -> Deployment
- Developer: IDE plugin, Security Assistant and Static Code Analyzer; corrects vulnerabilities while typing, scans full unit code and corrects before committing, reviews and fixes issues identified in downstream testing via issue tracking
- Continuous Integration: CI plugins, build integration and Static Code Analyzer; triggered or scheduled build and scan, with results sent to Software Security Center
- Dynamic Testing: Jenkins job calling the WebInspect API to perform the scan
- Security Auditor: Audit Workbench to review results, update templates and submit findings to issue management

Where are you with DevOps? Do you have a plan for embedding security into it?

Thank You.