Using Automatic and Manual Tests for Static, Dynamic, and Mobile with Fortify on Demand. Rick Smith, Product Manager. #MicroFocusCyberSummit
Agenda: Identifying the cost; Identifying the tool; A quick case study
Thinking about the cost
Cliché Alert: Nothing in Life is Free. The challenge becomes identifying the cost: opportunity, time, risk, reputation, features, productivity, relationships, sanity!
Application Security Today is Complex: monitoring / protecting production software; securing legacy software; certifying new application releases; demonstrating compliance; procuring secure software, across in-house development, legacy software, outsourced, commercial and open source.
It isn't getting easier. [Chart: number of applications and release frequency rising from 2010 to 2015 to 2020+, software at DevOps speed]
Identifying the Right Tool
Enterprise DevSecOps
To a Hammer, Everything is a Nail. Do you need a hammer?
Choosing the Right Tool
The Right Fit: Dynamic; Open Source Analysis; Static; Real-time Static; Mobile; Continuous Monitoring
Static Made Simple: easily upload source from the IDE, and audit there as well.
Static – Full Build Integration (Fortify on Demand)
Step 1: Developers develop & check in code from the IDE to the source control repository.
Step 2: Scheduled or triggered check-out & build on the continuous integration server.
Step 3: Start static assessment: Fortify SCA scan, plus Open Source Analysis (bill of materials, known vulnerabilities, license risk).
Step 4 (optional): Manual audit by an FoD security expert.
Step 5: Automated audit with Fortify Scan Analytics.
Step 6: Triage, assign & fix vulnerabilities through vulnerability management and the defect management integration.
Result: audited static results at DevOps speed.
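As an added illustration of the Open Source Analysis part of Step 3 and the triage decision of Step 6 (this is not Fortify on Demand code and does not use its API), the script below takes a bill of materials produced after check-out & build, matches each component against a known-vulnerability table with affected version ranges, flags license risk from a policy table, and decides whether the build should be held for triage. The bill of materials, the advisory table (EXAMPLE-ADV-* identifiers are placeholders, not real CVEs), the license policy and the simple dotted-integer version comparison are all constructed for the example.

```python
"""Added example, not Fortify on Demand code: a minimal open-source
component check over a constructed bill of materials (BoM).

Assumptions (constructed for illustration): the BoM, the advisory table
with placeholder ids, the license policy, and dotted-integer versions."""
from dataclasses import dataclass

def parse_version(v):
    # Constructed simplification: "1.9.0" -> (1, 9, 0); no pre-release tags.
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str

@dataclass(frozen=True)
class Advisory:
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet
    severity: str
    advisory_id: str  # placeholder id, not a real CVE

# Constructed bill of materials, as a build step would emit after check-out.
BOM = [
    Component("libjson", "2.3.1", "MIT"),
    Component("webfw", "1.9.0", "Apache-2.0"),
    Component("imgcodec", "0.4.2", "GPL-3.0"),
    Component("cryptolib", "3.1.0", "BSD-3-Clause"),
]

# Constructed known-vulnerability table (placeholder ids).
ADVISORIES = [
    Advisory("libjson", "2.0.0", "2.3.2", "High", "EXAMPLE-ADV-001"),
    Advisory("webfw", "1.0.0", "1.8.5", "Critical", "EXAMPLE-ADV-002"),
    Advisory("cryptolib", "3.0.0", "", "Medium", "EXAMPLE-ADV-003"),
]

# Constructed license policy: copyleft licenses go to legal review.
LICENSE_RISK = {
    "GPL-3.0": "license review required",
    "AGPL-3.0": "license review required",
}

SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

def is_affected(component, adv):
    """True when the component's version lies in [introduced, fixed)."""
    if component.name != adv.component:
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)

def analyze(bom, advisories, license_risk):
    """Return triage items as (component, version, finding, severity)."""
    findings = []
    for c in bom:
        for adv in advisories:
            if is_affected(c, adv):
                findings.append((c.name, c.version, adv.advisory_id, adv.severity))
        if c.license in license_risk:
            findings.append((c.name, c.version, license_risk[c.license], "Low"))
    return findings

def highest_severity(findings):
    return max((f[3] for f in findings), key=SEVERITY_ORDER.get, default=None)

def should_hold_build(findings, threshold="High"):
    """Step 6 gate: hold the build for triage at or above the threshold."""
    top = highest_severity(findings)
    return top is not None and SEVERITY_ORDER[top] >= SEVERITY_ORDER[threshold]

if __name__ == "__main__":
    results = analyze(BOM, ADVISORIES, LICENSE_RISK)
    for item in results:
        print(item)
    print("hold build:", should_hold_build(results))
```

The version-range check is the part that matters in practice: a component on 1.9.0 is not flagged by an advisory fixed in 1.8.5, while a component with no fixed version yet stays flagged on every release until the advisory is updated.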
Dynamic Results at Scale – Speed and Depth: your applications, our infrastructure & expertise; fast dynamic, augmented with human testing.
Mobile – Blazing Fast + Thorough: automated results in 1 minute; full device stack testing.
Open Source Component Analysis: Are your libraries introducing risk?
Real-time Static Analysis: instant feedback within the IDE.
Continuous Monitoring: focusing on the OWASP Top 10 with fast & lightweight scanning.
Putting it all together
Balancing the Pace of Development
Balancing the Pace of Development: flexibility is critical; automate where possible; leverage integrations; build security in as quality.
Case Study: Fortify on Demand
Case Study: Fortify on Demand: continuous lightweight static; weekly static; dynamic after deploy; continuous monitoring in prod; defects to Octane; constant feedback.
Question & Answer
#MicroFocusCyberSummit Thank You.