#MicroFocusCyberSummit
Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for Fast, Reliable Results
Rick Smith, Senior Product Manager
Jimmy Rabon, Senior Product Manager
Automation – Static Analysis
Diagram: code flows between the Developer (Fortify SCA IDE plug-in), the Source Code Mgmt System, the Build / Analysis server (Fortify SCA with Maven, Ant, Make, MSBuild or the CI system), Fortify Software Security Center, the Defect Mgmt System, the Project Technical Leader and Security. Steps shown: Place secure code in SCM; Build, scan; Automated security integration; New / critical issues exist alert; Triage & assign ALL issues; Repair issues; Audited scans merged with new scans.
Prerequisites:
1) Baseline scan performed
2) Report is triaged 100%
3) Filters created in project templates to be applied for future audits (applied by SSC)
Automation – DevOps Tool Chain
Categories shown: IDEs; Requirements & Issues; Communication & ChatOps; Containers; Code Repositories & Apps; Build Servers & Tools; Configuration Automation; Cloud.
Tools pictured: Eclipse, IntelliJ, Microsoft Visual Studio, Atlassian JIRA, Bugzilla, Micro Focus ALM Octane, Micro Focus Quality Center, Microsoft Team Foundation Server, Rally, FogBugz, CA Service Desk Manager, HipChat, Microsoft SharePoint, Slack, Datadog, Docker, Bitbucket, Git, GitHub, Mercurial, Apache Ant, Atlassian Bamboo, Cucumber, Jenkins, JUnit, Maven, TeamCity, Bladelogic, PowerShell, Chef, Puppet, ServiceNow, Amazon Web Services, Cloudera, Microsoft Azure.
Pushing the Boundaries of Static Analysis with Automation
Breaking Barriers and Integrating DAST to SDLC
AppSec integration, specifically DAST, has challenges:
• Dependency on app-specific knowledge
• Dependency on tool-specific knowledge
• DevOps process and configuration knowledge
• Traditionally DAST is run as a gating security process rather than an enabling process
• QA: tension between feature release vs. secure release
Fortify DAST - Product Vision & Strategy: Integration, Automation, Agility
Customer Demo and Success Story – Aaron’s, Jeremy Brooks
DAST @Aaron’s Jeremy Brooks Application Security Lead jeremy.brooks@aarons.com
About Aaron’s
• Founded June 19, 1955
• ~10000 Employees
• ~1700 stores across the US and Canada
• $3+ billion in revenue
• Brick and mortar and online sales and leasing
• https://www.aarons.com
About Aaron’s Tech
• Solutions Delivery
– Squad-based delivery teams
– Omnichannel
– Store
– Payments
– Data analytics
– 40+ applications
– Multiple releases per day
– https://tech.aarons.com
• Culture
– Embrace & Drive Change
– Value Data Over Opinion
– Listen. Challenge. Commit.
– Think Two-Sided
Challenges For AppSec
• On-boarding new applications is time consuming
– Authentication
– Business logic
– Coverage and discoverability
• Scalability
– New functionality
– New end points
– New applications
This feels like duplication of effort. Isn’t someone already testing these applications?
QA + Security = Better Together
• Aaron’s DAST Strategy
– Create a partnership with QA
– Deploy technologies that enable security
– Build DAST into the pipeline
– Multiply effort
Phalanx Overview
• Services to manage proxies and DAST scans
• Sandbox for manual scans
• Coordinates load across scan agents
Phalanx Architecture
Web App for Manual Workflow • Self guided • Sandboxed
WebInspect REST API + Phalanx
• Start capturing proxy
• Configure functional test to use proxy
• Run functional test and capture traffic
• Add scan to queue once test run is completed
• Tear everything down
• Phalanx manages scan queue
QA Automation Pipeline
• Tests created using N-Unit
• Octopus deploys application
• TeamCity job polls Octopus Deploy
• Triggers test run on successful build
• Unit tests make calls to WI API and wire up proxy
• Functional tests run, proxy collects traffic
• Unit tests queue scan using proxy traffic
• Phalanx manages scan queue
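The hand-off at the end of this pipeline, where the test run queues a scan built from captured proxy traffic and Phalanx spreads scans across agents, as an added example (constructed here, not Aaron’s Phalanx code and not the WebInspect API; agent names, capacities and the captured requests are made-up sample values):

```python
"""Constructed model of the QA -> DAST hand-off: a scan request carrying the
captured proxy traffic and identifying attributes, and a queue that spreads
scans across agents (not Aaron's Phalanx code, not the WebInspect API)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ScanRequest:
    app: str
    build: str          # CI build number: ties the scan to a deployment
    test_run: str       # functional test run id: ties the scan to QA evidence
    traffic: List[str]  # requests recorded by the proxy during the test run

    def scan_name(self) -> str:
        # Identifying attributes in the name let a finding be traced back to
        # the exact build and functional test run that produced it.
        return f"{self.app}-b{self.build}-t{self.test_run}"


class ScanQueue:
    """Each agent runs at most `capacity` concurrent scans; extra requests wait."""

    def __init__(self, agents: Dict[str, int]):
        self.capacity = dict(agents)
        self.running: Dict[str, List[str]] = {a: [] for a in agents}
        self.pending: List[ScanRequest] = []

    def submit(self, req: ScanRequest) -> Optional[str]:
        """Queue a scan; return the agent it started on, or None if it must wait."""
        if not req.traffic:  # an empty capture means the proxy was not wired in
            raise ValueError(f"{req.scan_name()}: proxy captured no traffic")
        self.pending.append(req)
        return self.dispatch()

    def dispatch(self) -> Optional[str]:
        """Start the oldest pending scan on the least-loaded agent with a free slot."""
        free = [a for a in self.running if len(self.running[a]) < self.capacity[a]]
        if not free or not self.pending:
            return None
        agent = min(free, key=lambda a: len(self.running[a]))
        self.running[agent].append(self.pending.pop(0).scan_name())
        return agent

    def complete(self, agent: str, name: str) -> Optional[str]:
        """Tear down a finished scan and pull the next queued one into its slot."""
        self.running[agent].remove(name)
        return self.dispatch()
```

Refusing an empty capture is the check that catches a functional test that ran without the proxy wired in, which would otherwise produce a scan with no coverage.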
Lessons Learned and Next Steps
• Test in QA
– DAST scans can take systems down, trigger lockouts and cause other undesirable side-effects
• Make sure you can revert your environment
– WebInspect can add a lot of garbage data to your databases, file systems, etc.
• Make sure Dev, Ops, QA and CIRT are aware of your scan schedule
– No one likes surprises!
• Include identifying attributes in your scan name
– Make it easy to link a DAST scan back to a functional test run
• Close the feedback loop
– Slack integration
Special Thanks
• Edwin Deliz – QA Manager
• Anthony Burt – QA Engineer
Thank You.