
AppSec at High Speed and Scale Agility, Integration & Automation - PowerPoint PPT Presentation



  1. AppSec at High Speed and Scale: Agility, Integration & Automation. Scott Johnson, Fortify GM. #MicroFocusCyberSummit

  2. Forward Looking Statements: Legal Disclaimer. This document contains forward looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Micro Focus's predictions and/or expectations as of the date of this document, and actual results and future plans of Micro Focus may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.

  3. Agenda: AppSec trends; Today's trend is tomorrow's challenge; Meeting the challenge, accelerating for tomorrow; Roadmap

  4. AppSec Trends

  5. Tsunami of Apps: 1000 applications and counting…

  6. Speed vs Depth: “I want 5 minute scans with no false positives.”

  7. Developer User Story: We have seen the AppSec team, AND IT IS YOU! (the developer)

  8. More Code, More Problems …

  9. More code…

  10. More code, more vulns…

  11. More vulns…

  12. More vulns, more risk…

  13. More risk, more pressure!

  14. Solutions and Examples

  15. You need an AppSec pressure relief valve!

  16. Innovation/Roadmap Themes: Agility, Integration, Automation. Delivery: On-premise / On Demand.
     - Static Analysis – SCA: scan and assess source code
     - Dynamic Analysis – WebInspect: web application vuln scanning
     - Runtime Analysis – App Defender: application protection & monitoring
     - Software Security Research
     - Fortify Ecosystem

  17. Fortify Integration: Fortify Ecosystem

  18. Fortify Integration (https://fortify.github.io/):
     - JS Sandbox Project
     - Jenkins Plugin
     - Bug Tracker Tools
     - Swagger supported REST APIs
     - SSC Parser Sample

  19. Fortify Integration:
     - Bamboo Plugin: https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview
     - VSTS Extension: https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts

  20. Fortify Integration: Snyk Integration

  21. Fortify Automation: Audit Assistant
     - Auto-train: Audit Assistant derives anonymous issue metrics and securely sends them to Scan Analytics.
     - Auto-predict: unaudited results enter SSC; classifiers report verified vulnerabilities with up to 98% accuracy.
     - Auto-tag: audited issues arrive in SSC.

  22. Fortify Automation: Centralized Translation & Scanning
     - Smart control queueing & monitoring
     - Automated scan results submission
     Benefits:
     - Cross language support
     - Removes dependency issues
     - Light weight utility for Devs
     - Reduced infrastructure costs
     - No need to install SCA on build server
     - Centrally managed
     - Payload automatically transferred to controller
     - Designed for Enterprise Dev enablement

  23. Fortify Automation: Slack Enabled FoD!
     - Release updates
     - Application changes
     - Reports and scan status

  24. Fortify Agility: Security Assistant for Visual Studio

  25. Fortify Agility: Swift Language Support
     - SCA 18.10 has support for: Swift 4; Xcode 9, 9.1, 9.2; latest Obj-C
     - SCA 18.11 has support for: Swift 4.1.x; Xcode 9.3, 9.4; latest Obj-C
     Support within 3 to 6 weeks of Apple updates!

  26. Fortify Roadmap

  27. Fortify Roadmap: Fortify SCA / SSC / WebInspect / Fortify on Demand. This is a rolling (up to three year) roadmap and is subject to change without notice. Columns: Q1'18 (FoD 18.1, On-Premise 18.1), Q2'18 (FoD 18.2), Upcoming, Future. Legend: Available, Targeted.
     Fortify on Demand items (18.1, 18.2, Upcoming, Future):
     - Nexgen dynamic scanning
     - Dynamic automation; dynamic automation (WI + nexgen platform)
     - Application issue templates automation
     - Performance & scalability
     - “Your Scans” page view
     - Faster remediation
     - Integrations (API v4, DevOps toolchain)
     - Nexgen Open Source integration with Sonatype
     - Tools update: Security Assistant for Visual Studio, Bamboo plugin; IntelliJ audit
     - Improved new user UX
     - False positive reduction
     - Improved open source analysis (JS support)
     - Dashboarding & analytics
     - Delivery optimization
     - Static automation
     On-Premise items (18.1, Upcoming):
     - Audit assistant prediction automation (analytics built-in)
     - SSC Audit page redesign, SSC scalability; SSC scalability and token management
     - Centralized scanning phase 1
     - Languages updates: ECMA 2016/2017, Swift 4/4.1, Xcode 9.x, Python 3.x, Xamarin, Scala-Play
     - Languages updates: TypeScript, Swift 4.2/Xcode 10, Python 2 update, Obj-C, .NET MSBuild, Angular, C/C++
     - SCA logging enhancements
     - SSC UX refresh and branding
     - New Jenkins plugin with pipelines and build fail support
     - Tools update: Security Assistant for Visual Studio, Bamboo plugin
     - Dynamic headless tech preview; headless dynamic architecture
     - Licensing simplification
     - WI Firefox update, extended crawling support w/Angular 4+, REST API improvements, sensor management
     - Dynamic setup simplification and dockerized deployment
     On-Premise Future, high level themes: continued focus on customer driven innovation; features for Integration / Automation / Agility. Examples include: plugin consolidation, Java 11, Python-Django, Swift 5, Go, Ruby on Rails, centralized scanning and dependency orchestration, dynamic shift left.

  28. #MicroFocusCyberSummit Thanks!

  29. #MicroFocusCyberSummit
