AppSec at High Speed and Scale: Agility, Integration & Automation
Scott Johnson, Fortify GM
#MicroFocusCyberSummit
Forward-Looking Statements: Legal Disclaimer
This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Micro Focus's predictions and/or expectations as of the date of this document, and actual results and future plans of Micro Focus may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.
Agenda
- AppSec trends
- Today’s trend is tomorrow’s challenge
- Meeting the challenge, accelerating for tomorrow
- Roadmap
AppSec Trends
Tsunami of Apps: 1000 applications and counting…
Speed vs Depth: “I want 5 minute scans with no false positives.”
Developer User Story: We have seen the AppSec team AND IT IS YOU! (the developer)
More Code, More Problems …
More code…
More code, more vulns…
More vulns…
More vulns, more risk…
More risk, more pressure!
Solutions and Examples
You need an AppSec pressure relief valve!
Innovation/Roadmap Themes: Agility, Integration, Automation (On-premise / On Demand)
- Static Analysis – SCA: scan and assess source code
- Dynamic Analysis – WebInspect: web application vulnerability scanning
- Runtime Analysis – App Defender: application protection & monitoring
- Software Security Research
- Fortify Ecosystem
Fortify Integration: Fortify Ecosystem
Fortify Integration (https://fortify.github.io/):
- JS Sandbox Project
- Jenkins Plugin
- Bug Tracker Tools
- Swagger-supported REST APIs
- SSC Parser Sample
Fortify Integration
- Bamboo Plugin: https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview
- VSTS Extension: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts
Fortify Integration: Snyk Integration
Fortify Automation: Audit Assistant
Audit Assistant derives anonymous issue metrics and securely sends them to Scan Analytics. Classifiers report verified vulnerabilities with up to 98% accuracy.
Workflow: Auto-train → Unaudited results enter SSC → Auto-predict → Audited issues arrive in SSC → Auto-tag
Fortify Automation: Centralized Translation & Scanning
- Smart control: queueing & monitoring
- Automated scan results submission
- Payload automatically transferred to controller
- Designed for enterprise dev enablement
Benefits:
- Cross-language support
- Removes dependency issues
- Lightweight utility for devs
- Reduced infrastructure costs
- No need to install SCA on the build server
- Centrally managed
Fortify Automation: Slack-enabled FoD!
- Release updates
- Application changes
- Reports and scan status
Fortify Agility: Security Assistant for Visual Studio
Fortify Agility: Swift Language Support
- SCA 18.10 has support for: Swift 4; Xcode 9, 9.1, 9.2; latest Obj-C
- SCA 18.11 has support for: Swift 4.1.x; Xcode 9.3, 9.4; latest Obj-C
Support within 3 to 6 weeks of Apple updates!
Fortify Roadmap
Fortify Roadmap: Fortify SCA / SSC / WebInspect / Fortify on Demand
This is a rolling (up to three year) roadmap and is subject to change without notice. Legend: Available / Targeted.

Fortify on Demand (columns: Q118 FoD 18.1, Q218 FoD 18.2, FoD Upcoming, FoD Future):
- Nexgen dynamic scanning; dynamic automation; dynamic automation (WI + nexgen platform)
- Application issue templates automation
- Performance & scalability
- “Your Scans” page view
- Faster remediation
- Integrations (API v4, DevOps toolchain)
- Nexgen open source integration with Sonatype
- Tools update: Security Assistant for Visual Studio, Bamboo plugin
- Improved new user UX
- False positive reduction
- Tools update: IntelliJ audit
- Improved open source analysis (JS support)
- Dashboarding & analytics
- Delivery optimization
- Static automation

On-Premise (columns: 18.1, Upcoming, Future ‒ high level themes):
- Audit Assistant prediction automation (analytics built-in)
- SSC Audit page redesign, SSC scalability
- Languages updates: ECMA 2016/2017, Swift 4/4.1, Xcode 9.x, Python 3.x, Xamarin, Scala-Play
- Centralized scanning phase 1
- Languages updates: TypeScript, Swift 4.2/Xcode 10, Python 2 update, Obj-C, .NET MSBuild, C/C++
- SSC scalability and token management; SCA logging enhancements
- New Jenkins plugin with pipelines and build fail support
- Tools update: Security Assistant for Visual Studio, Bamboo plugin
- Dynamic headless tech preview; headless dynamic architecture
- Licensing simplification
- WI Firefox update, extended crawling support w/Angular 4+, REST API improvements, sensor management
- Dynamic setup simplification and dockerized deployment
- Future themes: continued focus on customer-driven innovation; features for Integration / Automation / Agility. Examples include: plugin consolidation, Angular, SSC UX refresh and branding, Java 11, Python-Django, Swift 5, Go, Ruby on Rails, centralized scanning and dependency orchestration, dynamic shift left
#MicroFocusCyberSummit Thanks!