A New View of Your Application Security Program with Snyk and ThreadFix

•

0 likes•919 views

Snyk continuously monitors your application’s dependencies and lets you quickly respond when new vulnerabilities are disclosed. Threadfix allows organizations to gain true visibility into a your project’s security posture by cross referencing results on an app from multiple sources (SCA, SAST, DAST, etc.), ultimately enabling better prioritization, while Snyk focuses on remediation at the source with the automated fix pull requests. Join us to see how, together, Snyk and ThreadFix can enhance application security and prevent risks, while preserving development scale and speed.

© 2019 Denim Group – All Rights Reserved
A New View of Your Application
Security Program with Snyk and
ThreadFix
November 12, 2019
Dan Cornell, CTO, Denim Group
Hayley Denbraver, Developer Advocate, Snyk

© 2019 Denim Group – All Rights Reserved
Agenda
2

© 2019 Denim Group – All Rights Reserved
Agenda
• Snyk Background and Demo
• ThreadFix Background
• Snyk and ThreadFix
3

© 2019 Denim Group – All Rights Reserved
Snyk
4

© 2019 Denim Group – All Rights Reserved
Production Code
5

© 2019 Denim Group – All Rights Reserved
Production Code
6
Original Code

© 2019 Denim Group – All Rights Reserved
Production Code
7

© 2019 Denim Group – All Rights Reserved
Production Code
8

© 2019 Denim Group – All Rights Reserved
Snyk: Use Open Source, Stay Secure
• Snyk helps you find and fix vulnerabilities
in your open source dependencies
• Snyk allows developers to address open
source security throughout the software
development lifecycle
• Snyk meets developers where they are—in
the languages and tools that they use
every day
9

© 2019 Denim Group – All Rights Reserved 10

© 2019 Denim Group – All Rights Reserved
Snyk
11

© 2019 Denim Group – All Rights Reserved
Snyk
12

© 2019 Denim Group – All Rights Reserved
Snyk
13

© 2019 Denim Group – All Rights Reserved 14

© 2019 Denim Group – All Rights Reserved
Snyk Demo
15

© 2019 Denim Group – All Rights Reserved
Vulnerable App
16

© 2019 Denim Group – All Rights Reserved
Snyk UI
17

© 2019 Denim Group – All Rights Reserved
Snyk UI
18

© 2019 Denim Group – All Rights Reserved
Snyk UI
19

© 2019 Denim Group – All Rights Reserved
Snyk UI
20

© 2019 Denim Group – All Rights Reserved
Snyk UI
21

© 2019 Denim Group – All Rights Reserved
Snyk UI
22

© 2019 Denim Group – All Rights Reserved
Snyk UI
23

© 2019 Denim Group – All Rights Reserved
GitHub
24

© 2019 Denim Group – All Rights Reserved
ThreadFix Background
25

© 2019 Denim Group – All Rights Reserved
ThreadFix Overview
• Create a consolidated view of your applications and
vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools
they are already using
• Provide access to powerful analytics
26

© 2019 Denim Group – All Rights Reserved
ThreadFix Overview
27

© 2019 Denim Group – All Rights Reserved
Create a consolidated view of
your applications and
vulnerabilities 
28

© 2019 Denim Group – All Rights Reserved
Application Portfolio Tracking
29

© 2019 Denim Group – All Rights Reserved
Vulnerability Consolidation
30

© 2019 Denim Group – All Rights Reserved
Prioritize application risk
decisions based on data 
31

© 2019 Denim Group – All Rights Reserved
Vulnerability Prioritization
32

© 2019 Denim Group – All Rights Reserved
Reporting and Metrics
33

© 2019 Denim Group – All Rights Reserved
Translate vulnerabilities to
developers in the tools they
are already using 
34

© 2019 Denim Group – All Rights Reserved
Defect Tracker Integration
35

© 2019 Denim Group – All Rights Reserved
Secure DevOps with ThreadFix
• What does your
pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-
theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
36

© 2019 Denim Group – All Rights Reserved
AppSec Testing for DevOps
• Configuring Testing Policies
• AppSec Testing for DevOps in Action
37

© 2019 Denim Group – All Rights Reserved
Policy Configuration
• Testing
• Synchronous
• Asynchronous
• Decision
• Reporting
Blog Post: Effective Application
Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
https://www.denimgroup.com/resources/effective-application-security-for-devops/
38

© 2019 Denim Group – All Rights Reserved
Testing Configuration
39

© 2019 Denim Group – All Rights Reserved
Testing in Action
40

© 2019 Denim Group – All Rights Reserved
Testing in Action
41

© 2019 Denim Group – All Rights Reserved
Testing in Action
42

© 2019 Denim Group – All Rights Reserved
Snyk and ThreadFix Together
43

© 2019 Denim Group – All Rights Reserved
Snyk and ThreadFix Integration
• Documentation: https://pypi.org/project/snyk-threadfix/
44

© 2019 Denim Group – All Rights Reserved
@denimgroup
www.threadfix.it
www.denimgroup.com
@snyksec
www.snyk.io
45

Overwhelmed with security issues in your Node.js applications? Not entirely sure how to write secure code? Join us in this workshop where you’ll learn how to improve security without being a security professional. We’ll use Snyk Code’s VS Code extension to catch and find security issues while you code, automatically fix security issues in your open source libraries, and see first-hand how to weaponize vulnerabilities to exploit working Node.js applications. You will also learn about the multiple ways of using Snyk to secure your projects, from the CLI, to CI/CD pipelines with GitHub Actions, and extend your know from secure code and secure dependencies to that of building secure containers to your Node.js apps on Docker.

DevSecOps Jenkins Pipeline -Security

n|u - The Open Security Community

DevSecOps 101

Narudom Roongsiriwong, CISSP

Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations. This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.

Benefits of DevSecOps

Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS

DevOps to DevSecOps Journey..

Siddharth Joshi

CICD with Jenkins

Vietnam Open Infrastructure User Group

CI/CD on AWS

Amazon Web Services

How can you accelerate the delivery of new, high-quality services? How can you be able to experiment and get feedback quickly from your customers? To get the most out of the agility afforded by serverless and containers, it is essential to build CI/CD pipelines that help teams iterate on code and quickly release features. In this talk, we demonstrate how developers can build effective CI/CD release workflows to manage their serverless or containerized deployments on AWS. We cover infrastructure-as-code (IaC) application models, such as AWS Serverless Application Model (AWS SAM) and new imperative IaC tools. We also demonstrate how to set up CI/CD release pipelines with AWS CodePipeline and AWS CodeBuild, and we show you how to automate safer deployments with AWS CodeDeploy.

Introduction to DevSecOps

Amazon Web Services

Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.

Are you looking to automate your infrastructure but not sure where to start? View this presentation on ‘Getting started with Infrastructure as code’ to learn how to leverage IaC to deploy and manage resources on Azure. You will learn: • Introduction to IaC • Develop a simple IaC using Terraform • Manage the deployed infrastructure using Terraform View webinar recording at https://www.winwire.com/webinars

Practical DevSecOps Course - Part 1

Mohammed A. Imran

DevSecOps: Key Controls for Modern Security Success

Puma Security, LLC

In this updated slideshare, Principal Security Engineer, Eric Johnson shows engineers, developers and application security professionals how to start conversations on implementing security into the DevOps workflow. You’ll learn about: 1) Cloud and DevSecOps Practices 2) Pre-Commit: The Paved Road 3) Commit: CI / CD Security Controls 4) Acceptance: Supply Chain Security 5) Operations: Continuous Security Compliance For questions, please contact our team at sales [at] pumascan [dot] com. Thanks for taking time to further your understanding of DevSecOps!

Terraform introduction

Jason Vance

This beginning terraform workshop will teach you how to safely create and provision Infrastructure as Code (IAC) using Hashicorp Terraform in an AWS environment. In this class you will learn how to setup and install terraform. You will also be given a walkthrough of Terraform fundamentals. You will be lead through the process of deploying a single server, deploying a cluster and setting up a load balancer. You will also learn how to author Terraform Modules, work with Route53 and how to manage DNS. Requirements. You will need to have an AWS account set up already with Terraform v0.9.3 installed. You will also need to have git install to download the workshop material. You can find more informaiton on how to install terraform here: https://www.terraform.io/intro/getting-started/install.html. You can sign up for an AWS account here: https://aws.amazon.com/account/ https://github.com/jasonvance/terraform-introduction

An introduction to terraform

Julien Pivotto

Overview of Site Reliability Engineering (SRE) & best practices

Ashutosh Agarwal

Gitlab CI/CD

JEMLI Fathi

Cncf checkov and bridgecrew

LibbySchulze

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

Mohamed Nizzad

Azure DevOps & GitHub... Better Together!

Lorenzo Barbieri

DevSecOps and the CI/CD Pipeline

James Wickett

All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table. Presented at OWASP NoVA, Sept 25th, 2018

DevSecOps

Joel Divekar

CKA Certified Kubernetes Administrator Notes

Adnan Rashid

DevSecOps What Why and How

NotSoSecure Global Services

Default GitLab CI Pipeline - Auto DevOps

Rajith Bhanuka Mahanama

CI/CD Best Practices for Your DevOps Journey

DevOps.com

The journey to realizing DevOps in any organization is fraught with a number of obstacles for developers and other stakeholders. These challenges are often caused by key CI/CD practices being misunderstood, partially implemented or even completely skipped. Now, as the industry positions itself to build on DevOps practices with a Software Delivery Management strategy, it’s more important than ever that we implement CI/CD best practices, and prepare for the future. Join host Mitchell Ashely, and CloudBees’ Brian Dawson, DevOps evangelist, and Doug Tidwell, technical marketing director, as they explore and review the CI/CD best practices which serve as your stepping stones to DevOps and a successful Software Delivery Management strategy. The webinar will cover CI/CD best practices including: Containers and environment management Continuous delivery or deployment Movement from Dev to Ops By the end of the webinar, you’ll understand the key steps for implementing CI/CD and powering your journey to DevOps and beyond.

Bridging the Security Testing Gap in Your CI/CD Pipeline

DevOps.com

Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can: Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities. Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence. Fully automate secure app delivery and deployment, without the need for extra security scans or processes. Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.

TechnicalTerraformLandingZones121120229238.pdf

MIlton788007

Enabling Developers in Your Application Security Program With Coverity and Th...

Denim Group

Developers need to move quickly and efficiently. Coverity’s speed, accuracy, ease of use, and scalability meet the needs of even the largest, most complex environments. ThreadFix allows you to centralize all test and vulnerability data in one place so your software security team can spend less time on manually correlating results and more time focusing on higher-level risk decisions. Join us to get a firsthand look at how Coverity and ThreadFix arm development teams with the tools they need to advance security programs in real time.

Enabling Developers in Your Application Security Program With Coverity and Th...

Denim Group

What's hot

DevSecOps: Key Controls to Modern Security Success

Puma Security, LLC

HelloCloud.io - Introduction to IaC & Terraform

Hello Cloud

Getting Started with Infrastructure as Code

WinWire Technologies Inc

Practical DevSecOps Course - Part 1

Mohammed A. Imran

DevSecOps: Key Controls for Modern Security Success

Puma Security, LLC

Terraform introduction

Jason Vance

An introduction to terraform

Julien Pivotto

Overview of Site Reliability Engineering (SRE) & best practices

Ashutosh Agarwal

Gitlab CI/CD

JEMLI Fathi

Cncf checkov and bridgecrew

LibbySchulze

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

Mohamed Nizzad

Azure DevOps & GitHub... Better Together!

Lorenzo Barbieri

DevSecOps and the CI/CD Pipeline

James Wickett

DevSecOps

Joel Divekar

CKA Certified Kubernetes Administrator Notes

Adnan Rashid

DevSecOps What Why and How

NotSoSecure Global Services

Default GitLab CI Pipeline - Auto DevOps

Rajith Bhanuka Mahanama

CI/CD Best Practices for Your DevOps Journey

DevOps.com

Bridging the Security Testing Gap in Your CI/CD Pipeline

DevOps.com

TechnicalTerraformLandingZones121120229238.pdf

MIlton788007

What's hot (20)

DevSecOps: Key Controls to Modern Security Success

HelloCloud.io - Introduction to IaC & Terraform

Getting Started with Infrastructure as Code

Practical DevSecOps Course - Part 1

DevSecOps: Key Controls for Modern Security Success

Terraform introduction

An introduction to terraform

Overview of Site Reliability Engineering (SRE) & best practices

Gitlab CI/CD

Cncf checkov and bridgecrew

DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...

Azure DevOps & GitHub... Better Together!

DevSecOps and the CI/CD Pipeline

DevSecOps

CKA Certified Kubernetes Administrator Notes

DevSecOps What Why and How

Default GitLab CI Pipeline - Auto DevOps

CI/CD Best Practices for Your DevOps Journey

Bridging the Security Testing Gap in Your CI/CD Pipeline

TechnicalTerraformLandingZones121120229238.pdf

Similar to A New View of Your Application Security Program with Snyk and ThreadFix

Enabling Developers in Your Application Security Program With Coverity and Th...

Denim Group

Enabling Developers in Your Application Security Program With Coverity and Th...

Denim Group

Enumerating Enterprise Attack Surface

Denim Group

Many organizations have only a passing understanding of the scope of their application portfolios and how these assets are exposed to the Internet and other potentially dangerous networks. This puts them in a risky situation where they have attack surface that is unknown and unmanaged, often resulting in serious vulnerabilities being exposed indefinitely. This presentation looks at several tools and methods that can be used to enumerate enterprise application assets – including web applications, mobile applications, and web services. The discussion covers several open source application asset identification tools and compares their effectiveness. Finally, a framework for ongoing application asset discovery and enumeration is presented so that security managers can embark on a structured program to characterize their risk exposure due to their enterprise attack surface.

An OWASP SAMM Perspective on Serverless Computing

Denim Group

Serverless architectures enable organizations to build and deploy software and services without maintaining or provisioning any physical or virtual servers. They are an excellent choice for a wide range of services, and can scale elastically as cloud workloads grow, and as a result have become a popular architectural element for development teams. However, this new approach can have a significant impact on the security of systems, and many teams are not familiar with how to securely incorporate serverless elements into their architectures. Using the OWASP SAMM maturity model as a framework, this webinar walks through how teams adopting serverless computing can do so in a secure manner and consistent with their organization’s roadmap for maturing their application security posture.

Elevate Your Application Security Program with Burp Suite and ThreadFix

Denim Group

Burp Suite is the premier software for web security testing, allowing organizations to deploy cutting-edge scanning technology to identify the very latest serious application vulnerabilities. ThreadFix is the industry leading vulnerability resolution platform that provides a window into the state of application security programs for organizations that build software. The combination of ThreadFix and Burp Suite allows organizations to efficiently identify security vulnerabilities, correlate and trend test results, and prioritize application risk to resolve vulnerabilities more quickly and more efficiently. This webinar will demonstrate how organizations can use ThreadFix and Burp Suite together to integrate application security into DevOps CI/CD pipelines and to track organization-wide metrics on progress finding and resolving web application vulnerabilities.

Enumerating Enterprise Attack Surface

Denim Group

Many organizations have only a passing understanding of the scope of their application portfolios and how these assets are exposed to the Internet and other potentially dangerous networks. This puts them in a risky situation where they have an attack surface that is unknown and unmanaged, often resulting in serious vulnerabilities being exposed indefinitely. This presentation looks at several tools and methods that can be used to enumerate enterprise application assets – including web applications, mobile applications, and web services. The discussion covers several open source application asset identification tools and compares their effectiveness. Finally, a framework for ongoing application asset discovery and enumeration is presented so that security managers can embark on a structured program to characterize their risk exposure due to their enterprise attack surface.

Running a Comprehensive Application Security Program with Checkmarx and Threa...

Denim Group

This webinar demonstrates the value of combining the powerful and easy-to-use Checkmarx CxSAST engine with the application vulnerability correlation capabilities of the ThreadFix vulnerability resolution platform to create a comprehensive application security program. Specifically, it will examine: Correlating Checkmarx CxSAST results with DAST scans via Hybrid Analysis Mapping to help developers maximize the value from both security testing approaches and increase the confidence in testing results Using Checkmarx CxSAST and ThreadFix’s HotSpot identification technology to highlight vulnerable components developed and shared within your organization Onboarding Checkmarx CxSAST scanning results and operations into ThreadFix to get up and running quickly Integrating both Checkmarx CxSAST and dynamic application security testing into developers’ CI/CD pipelines to reduce critical metrics like mean-time-to-discover and mean-time-to-fix

ThreadFix 2.5 Webinar

Denim Group

ThreadFix 2.5 automates application security in the DevOps CI/CD pipeline, enabling applications to be delivered more rapidly without sacrificing security. With the 2.5 release, security teams can centrally enforce application security policies and enable development teams to automatically orchestrate application testing. This enables development teams to seamlessly incorporate security testing into their CI/CD pipelines based on predefined security policies.

The As, Bs, and Four Cs of Testing Cloud-Native Applications

Denim Group

Security assessments are a critical part of any security program. Being able to identify – and communicate about – vulnerabilities systems is required to get vulnerabilities prioritized for remediation. For web and mobile applications, assessment methodologies are reasonably straightforward and established. However, for cloud-native applications, the combination of new technologies and architectural elements has introduced questions about how to scope, plan, and execute security assessments. This presentation looks at how the assessment landscape has changed with the introduction of cloud-native applications and explores how threat modeling is central to testing their security. In addition, the “Four C’s” conceptual model for looking at cloud-native application security is introduced, including a discussion of how both automated and manual testing methodologies can be used to accomplish assessment goals. Finally, vulnerability contextualization and reporting are discussed, so that teams running cloud-native application assessments can properly characterize the results of their efforts to aid in the prioritization and remediation of identified issues.

Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...

Denim Group

ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources

Denim Group

ThreadFix 2.1 and Your Application Security Program

Denim Group

ThreadFix allows security analysts to create a consolidated view of applications and vulnerabilities, prioritize application risk decisions based on data, and translate application vulnerabilities to developers in the tools they are already using. This webinar examines how organizations can use ThreadFix 2.1 to help establish and scale their application security programs. Using a combination of demos and real-world examples, attendees will learn how to best use ThreadFix's capabilities to support their application security program. See more at: http://www.denimgroup.com/blog/denim_group/2014/12/threadfix-webinar-recording.html http://threadfix.org

Assessing Business Operations Risk With Unified Vulnerability Management in T...

Denim Group

For almost 10 years, ThreadFix has been the preeminent solution for managing your application vulnerabilities. In that time, it has grown from that initial correlation and reporting engine which brought your SAST and DAST vulnerabilities together, into a developer-integrated, CI/CD-enabling management platform. Deployed and used in Fortune 100 companies ranging from entertainment to banking to health care, in addition to some of the largest organizations within the Federal Government, ThreadFix now helps organizations correlate and prioritize risk across their applications and the network infrastructure that supports them. Join us as we debut the largest update to the ThreadFix platform to date, ThreadFix 3.0. Featuring new network vulnerability management tools, a new containerized microservices architecture, and a new user interface, ThreadFix 3.0 is the solution for comprehensive and correlated risk-based reporting on your entire portfolio of applications and infrastructure assets.

Application Asset Management with ThreadFix

Denim Group

Too many organizations have an incomplete picture of their application portfolios. Because you are unable to protect attack surfaces that you don’t know about, this leaves them vulnerable. In this webinar, we will cover the capabilities that ThreadFix has to allows security teams to manage their application asset portfolios. We will also take a deeper dive into several tools such as nmap and OWASP Amass that can help security analysts better enumerate all of the applications in their organization’s portfolio.

Secure DevOps with ThreadFix 2.3

Denim Group

This webinar looks at the new features included in the upcoming 2.3 release of ThreadFix that help organizations secure their DevOps initiatives. These include greatly expanded Scan Orchestration capabilities to support ThreadFix's use in Continuous Integration/Continuous Development (CI/CD) environments as well as tighter integrations with developer tools to reduce the effort and time required for vulnerability remediation. We will also highlight generous contributions from the ThreadFix community from organizations such as Pearson and Samsung.

How to Integrate AppSec Testing into your DevOps Program

Denim Group

During this live webinar, IBM & Denim Group join forces to demonstrate how Application Security Testing can be integrated with DevOps methodologies to identify and remediate high-risk vulnerabilities quickly, with minimal overhead. Specifically, we’ll discuss how you can integrate Dynamic Application Security Testing (DAST) using IBM AppScan Enterprise REST API into a DevOps CI/CD pipeline, which helps you to automatically identify high-risk vulnerabilities within web applications and web services. We’ll also show how using Denim Group’s ThreadFix offering with AppScan Enterprise allows for seamless integration with typical DevOps tool-sets, in order to further reduce the overhead associated with AppSec testing within the SDLC.

AppSec in a World of Digital Transformation

Denim Group

The mandate for digital transformation is forcing companies to innovate faster in order to provide more value to customers and bring products and services to the market more quickly. Technological innovations such as the cloud, microservice architectures, and CI/CD pipelines are being adopted to support the increased pace of development and more easily address scaling requirements. This upheaval presents both risks and opportunities for security leaders. The successful leaders view this transition as a clean-slate opportunity to “get security right” and will restructure their teams and technologies to deeply-embed security throughout the new tech stack. This session will cover emerging strategies that security leaders are using to ensure they keep up with this massive industry change.

AppSec in a World of Digital Transformation

Denim Group

Webinar–2019 Open Source Risk Analysis Report

Synopsys Software Integrity Group

Create a Unified View of Your Application Security Program – Black Duck Hub a...

Denim Group

Effective application security programs rely on multiple sources for vulnerability data – from traditional static and dynamic testing, interactive testing, to manual and 3rd-party testing. Unfortunately, many organizations fail to consider the impact of open source software use and reuse on their security posture. This webinar will demonstrate how Black Duck Hub can identify security issues associated with open source usage and how ThreadFix’s correlation engine can provide a comprehensive view of an organization’s application security posture. In addition, the webinar demonstrates how ThreadFix’s HotSpot detection technology identifies security issues created by internally developed components – providing a complete of both open source and proprietary component usage.

Similar to A New View of Your Application Security Program with Snyk and ThreadFix (20)

Enabling Developers in Your Application Security Program With Coverity and Th...

Enumerating Enterprise Attack Surface

An OWASP SAMM Perspective on Serverless Computing

Elevate Your Application Security Program with Burp Suite and ThreadFix

Enumerating Enterprise Attack Surface

Running a Comprehensive Application Security Program with Checkmarx and Threa...

ThreadFix 2.5 Webinar

The As, Bs, and Four Cs of Testing Cloud-Native Applications

Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...

ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources

ThreadFix 2.1 and Your Application Security Program

Assessing Business Operations Risk With Unified Vulnerability Management in T...

Application Asset Management with ThreadFix

Secure DevOps with ThreadFix 2.3

How to Integrate AppSec Testing into your DevOps Program

AppSec in a World of Digital Transformation

Webinar–2019 Open Source Risk Analysis Report

Create a Unified View of Your Application Security Program – Black Duck Hub a...

More from Denim Group

Long-term Impact of Log4J

Denim Group

In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Denim Group

The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors. This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Denim Group

Optimizing Security Velocity in Your DevSecOps Pipeline at Scale

Denim Group

Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.

OWASP San Antonio Meeting 10/2/20

Denim Group

Title: AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program Abstract: With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies. Speaker: Dan Cornell Bio: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program

Denim Group

With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.

Using Collaboration to Make Application Vulnerability Management a Team Sport

Denim Group

Vulnerability management - especially application vulnerability management - is a challenging business function because it crosses disciplinary boundaries. Security teams find and adjudicate vulnerabilities, DevOps and server ops teams have to fix them, and GRC teams need to be kept apprised of status and progress. As has always been the case - but especially in a necessarily remote work environment - collaboration is key to making these business functions operate efficiently and effectively. This webinar looks at common bottlenecks that snarl vulnerability remediation workflows and discusses strategies to address these issues via collaboration. Examples are given of implementing these via the ThreadFix platform, but the strategies are universally-applicable for vulnerability management professionals looking to streamline their vulnerability remediation workflows.

Security Champions: Pushing Security Expertise to the Edges of Your Organization

Denim Group

Application security teams are outnumbered. Even in security-conscious environments, application developers often exceed application security professionals by a ratio of 100:1. In addition, the push for digital transformation is accelerating the pace of development – exacerbating these challenges. One technique forward-looking security teams have adopted to stay afloat is to deploy security champions into development teams throughout the organization. This webinar looks at different models for standing up security champion initiatives and relates Denim Group’s experiences helping organizations craft and staff these programs.

The As, Bs, and Four Cs of Testing Cloud-Native Applications

Denim Group

An Updated Take: Threat Modeling for IoT Systems

Denim Group

The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives, the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device, these devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting. A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries helps provide system designers with critical information to mitigate systemic risks to the technology and architecture. This webinar looks at how Threat Modeling can be applied to IoT systems to help build more security systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.

Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...

Denim Group

The tempo for software delivery to the warfighter continues to accelerate to meet the goals and demands of their missions. Pressures to rapidly build and deploy mission software drive the need to deliver new capabilities via DevSecOps pipelines. Many of the latest leading-edge DevSecOps practices draw heavily from commercial tech companies and innovative programs across DoD like Kessel Run. What are these latest trends, and how do you take advantage of them? How do you quantify the risk of microservices, new languages and frameworks, and cloud environments and still obtain authority to operate (ATO)? The ThreadFix platform has built-in automation and orchestration capabilities to enable your teams to provide immediate feedback in the form of policy evaluation, notifications in the form of emails and automated developer defect creation, and decision-making on your CI program as scan results are generated. In addition to built-in automation, plugins and the ThreadFix API enable CI programs to seamlessly integrate security testing into existing build/release pipelines to provide evaluation of code changes directly to your development tools. These key issue items and other trends will be discussed in this highly interactive briefing, providing critical insights on how to inject agility and responsiveness into environments that have traditionally struggled to keep pace with modern development approaches.

Optimize Your Security Program with ThreadFix 2.7

Denim Group

ThreadFix 2.7’s feature set represents the most significant expansion to the platform since ThreadFix was first released almost 10 years ago. This release bundles new application risk-ranking capabilities with the powerful addition to receive a 3rd party assessment for any application managed within ThreadFix. Join us to see how your team’s capacity and capabilities can be instantly expanded through on-demand application security assessments delivered directly into your ThreadFix instance, adding Denim Group’s nearly two decades of application security experience to your team anytime you need it.

Application Security Testing for a DevOps Mindset

Denim Group

The cultural transition to DevOps is coming to organizations, and security teams must learn to adapt or be marginalized. Forward-thinking security teams will use this transition to their advantage and will reap the benefits of better and more frequent security insight into development cycles. By understanding the goals of development teams, security representatives can help to meaningfully include themselves in the development process and provide value through sensible risk management.

Reducing Attack Surface in Budget Constrained Environments

Denim Group

Sprawling networks, streaming vendor vulnerability updates, and an application portfolio that remains a mystery keep you up late wondering where your weakest link exists. Budget constraints make you wonder where to begin, given that the responsibility to protect your organization remains firmly on your shoulders. How do savvy leaders identify the most pressing exposures and prioritize their efforts given limited budgets? What are the strategies that sophisticated IT and security leaders pursue to identify the scariest vulnerabilities and fix them before attackers find them? This session will lay out actionable plans to immediately identify and reduce more of your organization’s attack surface.

Securing Voting Infrastructure before the Mid-Term Elections

Denim Group

The prospect of nation state interference with our 2018 mid-term elections is a reality that secretaries of state are facing. Given the fast-changing nature of the threat and the sprawling election infrastructure across the country, how are state officials securing their voting systems and databases in anticipation of the election? What are emerging strategies given the limited resources and unlimited needs? Where are the most vulnerable parts of the election systems and where should state officials focus their efforts given the potential for disruption? This webinar will provide an attacker’s view of a typical state-run election system and will make recommendations where to focus limited time and resources in the run up of the 2018 mid-term election in November.

Threat Modeling for IoT Systems

Denim Group

Understanding IoT Security: How to Quantify Security Risk of IoT Technologies

Denim Group

IoT devices are proliferating throughout corporate networks raising concerns about security risks they may introduce. However, IoT technologies differ in many ways from most enterprise-ready technologies that currently exist. Understanding the risks that IoT represents and how to best quantify that risk can be a challenge for many security leaders. This webinar provides an overview of IoT architectures, how they differ from existing infrastructure devices, and how best to measure the risk IoT devices represent. It will expose attendees to concepts like Threat Modeling for IoT and provide additional references that will help build a successful IoT security assessment program.

More from Denim Group (17)

Long-term Impact of Log4J

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Optimizing Security Velocity in Your DevSecOps Pipeline at Scale

OWASP San Antonio Meeting 10/2/20

AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program

Using Collaboration to Make Application Vulnerability Management a Team Sport

Security Champions: Pushing Security Expertise to the Edges of Your Organization

The As, Bs, and Four Cs of Testing Cloud-Native Applications

An Updated Take: Threat Modeling for IoT Systems

Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...

Optimize Your Security Program with ThreadFix 2.7

Application Security Testing for a DevOps Mindset

Reducing Attack Surface in Budget Constrained Environments

Securing Voting Infrastructure before the Mid-Term Elections

Threat Modeling for IoT Systems

Understanding IoT Security: How to Quantify Security Risk of IoT Technologies

Recently uploaded

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

Knowledge engineering: from people to machines and back

Elena Simperl

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

Accelerate your Kubernetes clusters with Varnish Caching

Thijs Feryn

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

Bits & Pixels using AI for Good.........

Alison B. Lowndes

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

Neuro-symbolic is not enough, we need neuro-*semantic*

Frank van Harmelen

Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”. All of this illustrated with link prediction over knowledge graphs, but the argument is general.

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Recently uploaded (20)

JMeter webinar - integration with InfluxDB and Grafana

FIDO Alliance Osaka Seminar: Overview.pdf

Knowledge engineering: from people to machines and back

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Accelerate your Kubernetes clusters with Varnish Caching

Key Trends Shaping the Future of Infrastructure.pdf

UiPath Test Automation using UiPath Test Suite series, part 4

UiPath Test Automation using UiPath Test Suite series, part 3

Essentials of Automations: Optimizing FME Workflows with Parameters

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

When stars align: studies in data quality, knowledge graphs, and machine lear...

Bits & Pixels using AI for Good.........

ODC, Data Fabric and Architecture User Group

The Art of the Pitch: WordPress Relationships and Sales

Neuro-symbolic is not enough, we need neuro-*semantic*

Assuring Contact Center Experiences for Your Customers With ThousandEyes

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

A New View of Your Application Security Program with Snyk and ThreadFix

1. © 2019 Denim Group – All Rights Reserved A New View of Your Application Security Program with Snyk and ThreadFix November 12, 2019 Dan Cornell, CTO, Denim Group Hayley Denbraver, Developer Advocate, Snyk

9. © 2019 Denim Group – All Rights Reserved Snyk: Use Open Source, Stay Secure • Snyk helps you find and fix vulnerabilities in your open source dependencies • Snyk allows developers to address open source security throughout the software development lifecycle • Snyk meets developers where they are—in the languages and tools that they use every day 9

26. © 2019 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Translate vulnerabilities to developers in the tools they are already using • Provide access to powerful analytics 26

36. © 2019 Denim Group – All Rights Reserved Secure DevOps with ThreadFix • What does your pipeline look like? http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu http://www.slideshare.net/denimgroup/rsa2015-blending- theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html 36

38. © 2019 Denim Group – All Rights Reserved Policy Configuration • Testing • Synchronous • Asynchronous • Decision • Reporting Blog Post: Effective Application Security Testing in DevOps Pipelines http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/ https://www.denimgroup.com/resources/effective-application-security-for-devops/ 38

A New View of Your Application Security Program with Snyk and ThreadFix

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to A New View of Your Application Security Program with Snyk and ThreadFix

Similar to A New View of Your Application Security Program with Snyk and ThreadFix (20)

More from Denim Group

More from Denim Group (17)

Recently uploaded

Recently uploaded (20)

A New View of Your Application Security Program with Snyk and ThreadFix