Denim Group, profile picture
Uploaded byDenim Group
281 views

Application Security Testing for a DevOps Mindset

The document discusses integrating application security testing within DevOps workflows to enhance security insights and reduce vulnerabilities early in the development process. It emphasizes the importance of collaboration between security and DevOps teams, alongside the use of tools like Threadfix for managing security vulnerabilities and automating assessments. A case study in the financial services sector demonstrates the successful implementation of these strategies to improve security within CI/CD pipelines.

Embed presentation

Downloaded 11 times
Application Security Testing for the DevOps Mindset October 2018
DevOps Is Coming! 2
Some Security Teams Will Adapt, Others Will Not 3
Security Advantages: Auditability 4
Security Advantages: Automation 5
Security Advantages: Collaboration 6
Use This Transition to Your Advantage 7
Use This Transition to Your Advantage 8
Move Security to the Left and Get Buy-In 9
Better Security Insight, More Often 10
So What Does Application Security Want? 11 • Reduce Risk Exposure • Introduce Fewer Vulnerabilities • Find Vulnerabilities Early • Fix Vulnerabilities Quickly
And What Do DevOps Teams Want? 12
How Do We Make This a Reality? 13
Application Security Testing in CI/CD Pipelines 14
Security People Love Policies 15
Effective Application Security Testing 16 • Reduce Noise • Run Fast
Testing Tradeoffs 17
Decision-Making Factors 18
Reporting Recommendations 19 Hint: Not With These…
© confidential 20 ThreadFix Application Security Platform ThreadFix helps enterprises manage application security vulnerabilities Scanner Integration Vulnerability Correlation Faster Vulnerability Rem edition ThreadFix Workflow SAST, DAST, IAST Scanner Tools Manual Assessments 3rd Party Manual Assessments AppSec False Positive Assessments Reporting & Analytics Defect Trackers IDEs GAC Threadfix scanner integrations • ThreadFix creates a single comprehensive view of the security status of all applications within an organization • Provides a comprehensive view of software security for an organization by aggregating vulnerability test results, scanning tools, manual penetration and code review • Integrates security into development workflow • Provides automation for application security assessment • Helps prioritize vulnerabilities and enable higher level risk decision • ThreadFix infrastructure integrates security and DevOps environments • The platform allows organizations to embed security into organizations’ Continuous Integration / Continuous Delivery (CI/CD) pipelines
ThreadFix Integrates Security into DevOps Development Defect Tracker CI/CD SAST DAST IAST Risk Management & Compliance World Code/Apps to Test CI/CD Security Policy Defects Code Repositor y GRC Capabilities of Integration § Create a consolidated view of applications and vulnerabilities § Prioritize vulnerabilities to enable decision making § Streamline remediation by translating vulnerability data for developers in the tools they already use Metrics Penetration Testing Vulnerability Testing 3rd Party Reviews Security Application Vulnerabilities Orchestration & Automation Risk&Compliance
© confidential 22 Case Study: Secure DevOps with ThreadFix in Financial Services Vulnerability consolidation and reporting using Jira Integrates AppSec in to CI/CD pipelines Earlier knowledge of security issues and increased fix rate ThreadFix platform used to both manage results from DevOps CI/CD pipeline application security testing as well as more comprehensive application security testing efforts, providing a single centralized view of all application security testing activities
Applying In Your Organization 23 Next week you should: • Pick a DevOps team and take the development manager to lunch – talk about their tools and processes In the first three months following this presentation you should: • Enumerate the DevOps teams in your organization and the applications they are building • Craft a couple of policies that are appropriate for different types of applications in your environment • Integrate application security testing into one CI/CD pipeline Within six months you should: • Have a schedule to get application security testing spread across your portfolio
Thank you for your time

More Related Content

PDF
AppSec Pipelines and Event based Security
byMatt Tesauro
 
PDF
Long-term Impact of Log4J
byDenim Group
 
PDF
Automating OWASP Tests in your CI/CD
byrkadayam
 
PPTX
Shifting left – embedding security into the devops pipeline by Mike d. Kail
byDevSecCon
 
ODP
Building an Open Source AppSec Pipeline
byMatt Tesauro
 
PDF
OWASP San Antonio Meeting 10/2/20
byDenim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
AppSec is Eating Security
byAlex Stamos
 
AppSec Pipelines and Event based Security
byMatt Tesauro
 
Long-term Impact of Log4J
byDenim Group
 
Automating OWASP Tests in your CI/CD
byrkadayam
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
byDevSecCon
 
Building an Open Source AppSec Pipeline
byMatt Tesauro
 
OWASP San Antonio Meeting 10/2/20
byDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
AppSec is Eating Security
byAlex Stamos
 

What's hot

PDF
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
PDF
SDLC & DevSecOps
byIrina Kostina
 
ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
PDF
DevOps: A Culture Transformation, More than Technology
byCA Technologies
 
PDF
Zen and the art of Security Testing
byTEST Huddle
 
PPTX
DevOps Transformations
byErnest Mueller
 
PDF
Devops: A History
byNell Shamrell-Harrington
 
PPTX
DevSecOps - It can change your life (cycle)
byQualitest
 
PPTX
The End of Security as We Know It - Shannon Lietz
bySeniorStoryteller
 
ODP
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
byMatt Tesauro
 
PPTX
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
byDevOpsDays Tel Aviv
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
PDF
Devops: Security's big opportunity by Peter Chestna
byDevSecCon
 
PDF
Blending Automated and Manual Testing
byDenim Group
 
PPTX
DevOps is for Everyone - DevOps East
byChris Riley ☁
 
PPTX
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
byMatt Tesauro
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
From rogue one to rebel alliance by Peter Chestna
byDevSecCon
 
PDF
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
PDF
A Secure DevOps Journey
bySonatype
 
New Era of Software with modern Application Security v1.0
byDinis Cruz
 
SDLC & DevSecOps
byIrina Kostina
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
DevOps: A Culture Transformation, More than Technology
byCA Technologies
 
Zen and the art of Security Testing
byTEST Huddle
 
DevOps Transformations
byErnest Mueller
 
Devops: A History
byNell Shamrell-Harrington
 
DevSecOps - It can change your life (cycle)
byQualitest
 
The End of Security as We Know It - Shannon Lietz
bySeniorStoryteller
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
byMatt Tesauro
 
KEYNOTE | WHAT'S COMING IN THE NEXT 10 YEARS OF DEVOPS? // ELLEN CHISA, bolds...
byDevOpsDays Tel Aviv
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
Devops: Security's big opportunity by Peter Chestna
byDevSecCon
 
Blending Automated and Manual Testing
byDenim Group
 
DevOps is for Everyone - DevOps East
byChris Riley ☁
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
byMatt Tesauro
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
From rogue one to rebel alliance by Peter Chestna
byDevSecCon
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
A Secure DevOps Journey
bySonatype
 

Similar to Application Security Testing for a DevOps Mindset

PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PPTX
DevOpsDays 2023: Security is about to become a DevOps Problem
byCharles Johnson
 
PDF
Top 20 DevSecOps Interview Questions.pdf
byinfosec train
 
PDF
Top 20 DevSecOps Interview Questions.pdf
byinfosec train
 
PDF
Top 20 DevSecOps Interview Questions and Answers
bypriyanshamadhwal2
 
PDF
Top 20 DevsecOps Interview Questions.pdf
byinfosecTrain
 
PDF
🚨 𝐀𝐫𝐞 𝐘𝐨𝐮 𝐑𝐞𝐚𝐝𝐲 𝐭𝐨 𝐀𝐜𝐞 𝐘𝐨𝐮𝐫 𝐃𝐞𝐯𝐒𝐞𝐜𝐎𝐩𝐬 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰? 🚨
byMansi Kandari
 
PPTX
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
bylior mazor
 
PDF
𝐓𝐨𝐩 𝟐𝟎 𝐃𝐞𝐯𝐒𝐞𝐜𝐎𝐩𝐬 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬
byInfosecTrain
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PPTX
DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...
byAnowar Hossain
 
PDF
Security's DevOps Transformation
byMichele Chubirka
 
PPTX
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
PPTX
State of DevSecOps - GTACS 2019
byStefan Streichsbier
 
PDF
ThreadFix 2.5 Webinar
byDenim Group
 
PPTX
DevSecOps without DevOps is Just Security
byKevin Fealey
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PDF
Security at the Speed of Software Development
byDevOps.com
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
DevOpsDays 2023: Security is about to become a DevOps Problem
byCharles Johnson
 
Top 20 DevSecOps Interview Questions.pdf
byinfosec train
 
Top 20 DevSecOps Interview Questions.pdf
byinfosec train
 
Top 20 DevSecOps Interview Questions and Answers
bypriyanshamadhwal2
 
Top 20 DevsecOps Interview Questions.pdf
byinfosecTrain
 
🚨 𝐀𝐫𝐞 𝐘𝐨𝐮 𝐑𝐞𝐚𝐝𝐲 𝐭𝐨 𝐀𝐜𝐞 𝐘𝐨𝐮𝐫 𝐃𝐞𝐯𝐒𝐞𝐜𝐎𝐩𝐬 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰? 🚨
byMansi Kandari
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
bylior mazor
 
𝐓𝐨𝐩 𝟐𝟎 𝐃𝐞𝐯𝐒𝐞𝐜𝐎𝐩𝐬 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬
byInfosecTrain
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Introduction to DevSecOps
bySetu Parimi
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...
byAnowar Hossain
 
Security's DevOps Transformation
byMichele Chubirka
 
State of DevSecOps - DevSecOpsDays 2019
byStefan Streichsbier
 
State of DevSecOps - GTACS 2019
byStefan Streichsbier
 
ThreadFix 2.5 Webinar
byDenim Group
 
DevSecOps without DevOps is Just Security
byKevin Fealey
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Security at the Speed of Software Development
byDevOps.com
 

More from Denim Group

PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
byDenim Group
 
PPTX
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
byDenim Group
 
PDF
A New View of Your Application Security Program with Snyk and ThreadFix
byDenim Group
 
PDF
Security Champions: Pushing Security Expertise to the Edges of Your Organization
byDenim Group
 
PDF
An Updated Take: Threat Modeling for IoT Systems
byDenim Group
 
PDF
Assessing Business Operations Risk With Unified Vulnerability Management in T...
byDenim Group
 
PDF
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
byDenim Group
 
PDF
Application Asset Management with ThreadFix
byDenim Group
 
PDF
Using Collaboration to Make Application Vulnerability Management a Team Sport
byDenim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
byDenim Group
 
PDF
Enumerating Enterprise Attack Surface
byDenim Group
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
PDF
AppSec in a World of Digital Transformation
byDenim Group
 
PDF
AppSec in a World of Digital Transformation
byDenim Group
 
PDF
An OWASP SAMM Perspective on Serverless Computing
byDenim Group
 
PDF
Enumerating Enterprise Attack Surface
byDenim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
PDF
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
byDenim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
byDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
byDenim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
byDenim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
byDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
byDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
byDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
byDenim Group
 
Application Asset Management with ThreadFix
byDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
byDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
byDenim Group
 
Enumerating Enterprise Attack Surface
byDenim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
AppSec in a World of Digital Transformation
byDenim Group
 
AppSec in a World of Digital Transformation
byDenim Group
 
An OWASP SAMM Perspective on Serverless Computing
byDenim Group
 
Enumerating Enterprise Attack Surface
byDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
byDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 

Recently uploaded

PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PPTX
Oracle SCM Cloud Solutions for Smart Supply Chain Management
byChetu
 
PPTX
Flutter & Firebase Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PPTX
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PPTX
Why GEO Is the Next Big Shift in Content Marketing.pptx
bySambitParhi2
 
PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PDF
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
PDF
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
PDF
Purple Team - Active Directory and AzureAD v1
byVICTOR MAESTRE RAMIREZ
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Using Change Data Capture (CDC) to Ingest Data into Apache Kafka
byGiovanni Marigi
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
Oracle SCM Cloud Solutions for Smart Supply Chain Management
byChetu
 
Flutter & Firebase Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Why GEO Is the Next Big Shift in Content Marketing.pptx
bySambitParhi2
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
Purple Team - Active Directory and AzureAD v1
byVICTOR MAESTRE RAMIREZ
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 

Application Security Testing for a DevOps Mindset

  • 1.
    Application Security Testing forthe DevOps Mindset October 2018
  • 2.
  • 3.
    Some Security TeamsWill Adapt, Others Will Not 3
  • 4.
  • 5.
  • 6.
  • 7.
    Use This Transitionto Your Advantage 7
  • 8.
    Use This Transitionto Your Advantage 8
  • 9.
    Move Security tothe Left and Get Buy-In 9
  • 10.
  • 11.
    So What DoesApplication Security Want? 11 • Reduce Risk Exposure • Introduce Fewer Vulnerabilities • Find Vulnerabilities Early • Fix Vulnerabilities Quickly
  • 12.
    And What DoDevOps Teams Want? 12
  • 13.
    How Do WeMake This a Reality? 13
  • 14.
    Application Security Testingin CI/CD Pipelines 14
  • 15.
  • 16.
    Effective Application SecurityTesting 16 • Reduce Noise • Run Fast
  • 17.
  • 18.
  • 19.
  • 20.
    © confidential 20 ThreadFixApplication Security Platform ThreadFix helps enterprises manage application security vulnerabilities Scanner Integration Vulnerability Correlation Faster Vulnerability Rem edition ThreadFix Workflow SAST, DAST, IAST Scanner Tools Manual Assessments 3rd Party Manual Assessments AppSec False Positive Assessments Reporting & Analytics Defect Trackers IDEs GAC Threadfix scanner integrations • ThreadFix creates a single comprehensive view of the security status of all applications within an organization • Provides a comprehensive view of software security for an organization by aggregating vulnerability test results, scanning tools, manual penetration and code review • Integrates security into development workflow • Provides automation for application security assessment • Helps prioritize vulnerabilities and enable higher level risk decision • ThreadFix infrastructure integrates security and DevOps environments • The platform allows organizations to embed security into organizations’ Continuous Integration / Continuous Delivery (CI/CD) pipelines
  • 21.
    ThreadFix Integrates Securityinto DevOps Development Defect Tracker CI/CD SAST DAST IAST Risk Management & Compliance World Code/Apps to Test CI/CD Security Policy Defects Code Repositor y GRC Capabilities of Integration § Create a consolidated view of applications and vulnerabilities § Prioritize vulnerabilities to enable decision making § Streamline remediation by translating vulnerability data for developers in the tools they already use Metrics Penetration Testing Vulnerability Testing 3rd Party Reviews Security Application Vulnerabilities Orchestration & Automation Risk&Compliance
  • 22.
    © confidential 22 CaseStudy: Secure DevOps with ThreadFix in Financial Services Vulnerability consolidation and reporting using Jira Integrates AppSec in to CI/CD pipelines Earlier knowledge of security issues and increased fix rate ThreadFix platform used to both manage results from DevOps CI/CD pipeline application security testing as well as more comprehensive application security testing efforts, providing a single centralized view of all application security testing activities
  • 23.
    Applying In YourOrganization 23 Next week you should: • Pick a DevOps team and take the development manager to lunch – talk about their tools and processes In the first three months following this presentation you should: • Enumerate the DevOps teams in your organization and the applications they are building • Craft a couple of policies that are appropriate for different types of applications in your environment • Integrate application security testing into one CI/CD pipeline Within six months you should: • Have a schedule to get application security testing spread across your portfolio
  • 24.