
Application Security as a Service: Start Your Application Security - PowerPoint PPT Presentation



  1. Application Security as a Service: Start Your Application Security Initiative in Less than a Day
     David Harper, Practice Principal – Fortify on Demand
     #MicroFocusCyberSummit

  2. Agenda
     - The Application Security Problem
     - Security Gate
     - Secure DevOps
     - Best Practice Approach
     - Q&A

  3. The Application Security Problem

  4. The Majority of Security Breaches Today are From Application Vulnerabilities
     80%: Percentage of applications containing at least one critical or high vulnerability. [1]
     90%: Security incidents from exploits against defects in the design or code of software. [2]
     Sources:
     [1] "2017 Application Security Research Update" by the HPE Software Security Research team, 2017
     [2] U.S. Department of Homeland Security's U.S. Computer Emergency Response Team (US-CERT)

  5. Today’s business needs are dramatically increasing the number of applications and the frequency of releases
     (Chart: Number of Applications and Release Frequency, rising from 2010 through 2015 to 2020+)

  6. Background
     Applications are being driven by the business, not IT.
     Commissioned by the business:
     - Focus on “wow factor” and marketing related functionality
     - Frequently developed by small boutique consultancies
     - Intense pressure on timescales
     - Little thought given to non-functional requirements
     Capturing personal data is the norm:
     - Key to building the direct customer relationship
     - Relies on trust between customer and the brand
     - Marketing campaigns run outside normal process, no governance
     Applications are proliferating:
     - Websites, Facebook applications, Mobile applications, Cloud applications
     - Do you even know how many applications you have?

  7. Customer Challenges with Application Security
     - Difficult to train and retain AppSec experts, developers
     - Lack of resources and expertise
     - Growing number of applications and attacks
     - Rapid release cycles and increasing pressure to push apps into production faster
     - Compliance requirements
     - Securing outsourced, 3rd party and open source code

  8. Security Challenge – Key Requirements
     Identify and fix application security issues before the application goes into production:
     - Systematic approach
     - Support all types of applications
     - Support all development approaches
     - No impact on time to market
     - Scale rapidly to test all applications
     Implement rapidly:
     - No complex hardware/software to install
     - No need to hire, train and retain a team of application security experts
     Cost effective solution:
     - Cheaper than existing
     - Predictable

  9. Security Gate

  10. Fortify on Demand Security Gate
      Secure ALL your applications before deployment:
      - Web, Facebook, Mobile, Cloud
      - In-house, out-sourced, third-party
      (Diagram: Security Testing Service sitting as a Security Gate between Code / Test / Deploy and Contract/Outsource / Procure)

  11. Fortify on Demand – Cloud-based Application Security Testing Platform
      Simple:
      - Launch your application security initiative in < 1 day
      - No hardware or software investments or maintenance
      - No experts to hire, train and retain
      Fast:
      - Scale to test all applications in your organization
      - 1 day turn-around on application security results
      - Support 1000s of applications
      Flexible:
      - Tests all types of applications: Web, Facebook, Mobile, Cloud, Desktop…
      - In-house, open source and third party, commercial applications
      - OWASP, PCI DSS, FISMA

  12. But can it keep up with DevOps?
      Average Software Release Cycle: 12 months → 3 weeks → 3 minutes (anticipated)
      Source: https://medium.com/data-ops/how-software-teams-accelerated-average-release-frequency-from-three-weeks-to-three-minutes-d2aaa9cca918

  13. Secure DevOps

  14. What exactly is DevOps?
      Means different things to different people. DevOps aims to bring applications to market rapidly through:
      - Cross-functional empowered teams (Business, Dev, Ops, QA) with full lifecycle responsibility for delivering a service
      - Rapid code release cycles, but large variation in release frequency
      - Agile Development
      - Trunk-based with Feature Flags
      - Service Orientated Architecture on a cloud-based infrastructure
      - Tool-chain automation
      - Continuous Integration / Continuous Testing / Continuous Delivery
      (Diagram: Defining Characteristics of DevOps – Merging of Dev & IT Ops (working together), Continuous Integration, Increased Agility/Flexibility, Lean Automation, Faster Time-to-Development, Modern Development, More Robust Dynamic Apps)
      Security is perceived as an inhibitor:
      - A penetration-test-based release gate is too slow

  15. Secure DevOps – Addressing the challenge
      The best way to deliver secure applications is to build security in:
      - See the Software Assurance Maturity Model (SAMM)
      - With DevOps it’s the only way to deliver secure applications
      Address security early:
      - Developer Education
      - Static Application Security Testing (SAST)
      Security gates still have their place:
      - Dynamic Application Security Testing (DAST) for baseline and critical releases
      Add compensating controls:
      - DAST in production
      - Runtime Application Self Protection (RASP)

  16. Secure Development Life-Cycle
      Phases: Initiate, Define, Design, Develop, Test, Implement, Operate
      Governance: Strategy & Metrics, Policy & Compliance, Education & Guidance
      Construction: Threat Assessment, Security Requirements, Secure Architecture
      Verification: Design Review, Code Review, Security Testing
      Operations: Issue Management, Environment Hardening, Operational Enablement
      See www.opensamm.org

  17. Secure DevOps with Fortify on Demand
      Application Security Testing on Demand, powered by industry-leading Fortify products:
      - Fortify SCA – SAST
      - Security Assistant – SAST
      - WebInspect – DAST
      - Application Defender – RASP
      - Component Analysis with Sonatype
      Available on Demand:
      - Supported by Security Experts
      - Quick to get started
      - Rapid Results
      - Grows with your business
      - Global datacentres and support
      Fully integrated in the DevOps Toolchain.
      (Diagram: Secure DevOps cycle – eLearning, Component Analysis, SAST Baseline, SAST in IDE, SAST in Continuous Integration, DAST, RASP)

  18. Fortify on Demand Role-based Secure DevOps Training
      Role-based Training:
      - Developers: .NET, Java, C/C++, PHP
      - Mobile Developers: iOS & Android
      - Project Managers
      - QA
      eLearning:
      - Low cost
      - Easier to schedule
      - Highly-scalable
      - Easy to manage
      - Easy to enforce

  19. Fortify on Demand Component Analysis with Sonatype
      Use secure components:
      - Component selection
      - Version selection

  20. Fortify on Demand Baseline Static Application Security Testing
      Full test with Fortify SCA:
      - Industry leading SAST
      - Comprehensive
      - Accurate
      Results validation:
      - Ensure full coverage
      - Manual audit by Security Expert
      - Remove false positives

  21. Fortify Security Assistant
      Real-time light-weight analysis of code in the IDE (Eclipse or Visual Studio plug-in):
      - Inline analysis of the source code as the developer types
      - Instant results
      - Continuous feedback
      - Not a replacement for a full assessment, but catches a significant subset of vulnerabilities
      FoD IDE-initiated automated scan option for non-supported languages:
      - Component level scan
      - <100k TLOC in 10 mins

  22. Fortify on Demand SAST as part of Continuous Integration
      Jenkins Plug-in:
      - Invoke SCA scan, based on the baseline scan
      - Automated results audit using Fortify Scan Analytics
      - Wait for scan to complete
      - Returns Pass or Fail based on the organization’s security policy
      - Option to publish any new security vulnerabilities into Jira
      Visual Studio TFS integration also available.
      Command-line option for other CI tools.

  23. Fortify on Demand Dynamic Application Security Testing
      - Baseline DAST
      - DAST for security critical releases
      - Use DAST in production

  24. Application Defender – Runtime Application Self-protection
      Core component of your infrastructure:
      - All environments
      - Part of your deployment process
      Compensating control:
      - Monitors execution of application
      - Looks for abnormal behavior within application
      - Monitor or Block
      - Feedback
      Integrated with Fortify on Demand:
      - Enable protection based on assessment findings

  25. Best Practice Approach

  26. Implement a Security Gate First
      Puts security in control:
      - Establish policy
      - Monitor compliance
      - Handle exceptions
      Fortify on Demand addresses the key customer challenges:
      - Lack of in-house resources
      - Massive scalability
      Proven approach to reduce application security risk.
      Fast enough for most application developments today.

  27. Secure DevOps Lifecycle as a Compensating Control
      DevOps teams can earn the right to be exempt from the gate:
      - Passed security gate with initial version
      - Secure DevOps lifecycle validated by security
        - Completeness: not just CI/CD integration
        - Effectiveness: finding vulnerabilities is not enough!
      - Periodic security gate tests
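The CI gate of slide 22 and the policy-with-exceptions of slides 26 and 27 reduce to one decision: compare the current scan with the baseline, apply the organization's policy, honour approved exceptions, and return Pass/Fail plus the new findings to publish. The example below is added here and is not Fortify on Demand code; the finding fields, the policy shape and the sample scan data are all assumptions.

```python
"""Added example of a minimal CI security gate (not the FoD plug-in).
Finding fields, policy shape and dates below are constructed assumptions."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    instance_id: str   # stable id so one issue matches across baseline and new scan
    category: str
    severity: str
    location: str

# Organization policy (assumed): block the release on any finding at or above
# this severity unless an approved, unexpired exception covers that instance.
POLICY_BLOCK_AT = "high"

def is_blocking(finding, exceptions, today):
    """True if this finding should fail the gate on the given ISO date."""
    if SEVERITY_RANK[finding.severity] < SEVERITY_RANK[POLICY_BLOCK_AT]:
        return False
    expiry = exceptions.get(finding.instance_id)   # ISO date string or None
    return expiry is None or expiry < today        # expired exceptions no longer count

def evaluate_gate(baseline, current, exceptions, today):
    """Return (passed, new_findings, blocking_findings).

    new_findings are issues absent from the baseline scan, i.e. the ones a CI
    job would publish to an issue tracker; blocking_findings decide Pass/Fail."""
    baseline_ids = {f.instance_id for f in baseline}
    new = [f for f in current if f.instance_id not in baseline_ids]
    blocking = [f for f in current if is_blocking(f, exceptions, today)]
    return (not blocking, new, blocking)

# Constructed sample scans: a1 is known and excepted, c3 is new and blocks.
BASELINE = [
    Finding("a1", "SQL Injection", "critical", "UserDao.java:42"),
    Finding("b2", "Log Forging", "low", "Audit.java:10"),
]
CURRENT = [
    Finding("a1", "SQL Injection", "critical", "UserDao.java:42"),
    Finding("b2", "Log Forging", "low", "Audit.java:10"),
    Finding("c3", "Cross-Site Scripting: Reflected", "high", "Search.jsp:17"),
]
EXCEPTIONS = {"a1": "2030-01-01"}   # approved exception with expiry date

if __name__ == "__main__":
    passed, new, blocking = evaluate_gate(BASELINE, CURRENT, EXCEPTIONS, "2018-06-01")
    print("PASS" if passed else "FAIL", [f.instance_id for f in new], [f.instance_id for f in blocking])
```

Once an exception expires, the covered finding blocks the gate again, which is what makes the periodic gate tests of slide 27 enforceable rather than advisory.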

  28. Q&A

  29. #MicroFocusCyberSummit Thank You.

