Fortify + DevOps
for MBFS
March 17, 2016
Application Delivery Stream
Application Delivery Stream (slide diagram)
  Business Demand → Planning → App Development → App Testing → Release decision → App release → Deployed App

Enterprise DevOps by Design (slide diagram)
  Continuous Integration & Testing, Continuous Delivery & Deployment and Continuous Operations, with Continuous Assessment across the whole stream.
  Goals: Increase Automation, Reduce Latency, Increase Visibility.

Application security across the delivery pipeline (slide diagram)
  Business Demand → Plan → Build → Test → QA → Release → Deploy → Monitor / Operate, gated by the Fund Decision, the Build Gate and the Release Decision.
  Development: desktop SAST & IAST (App Journey); Test / QA: automated SAST and DAST / IAST; Production: Runtime Application Self Protection.

HPE End to End Application Security (slide diagram)
  Static (Application Development: Design, Code, Test): Static Code Analyzer and DevInspect on premise, Fortify on Demand as a service.
  Dynamic (Integration & Staging): WebInspect on premise, Fortify on Demand as a service.
  Runtime (IT Operations, Production): App Defender, on premise or on demand.
  Protect against known and unknown vulnerabilities in production to give the developers time to fix them. Integrate with the SIEM and FOD for visibility and control.
© Copyright 2016 Hewlett-Packard Enterprise. The information contained herein is subject to change without notice. HPE CONFIDENTIAL
Application Defender
27 Vulnerability Categories – Feb 2016
  • ClassLoader Manipulation: Struts
  • Command Injection
  • Command Injection: Shellshock
  • Cookie Security: HTTPOnly not Set on Session Cookie
  • Cross-Site Scripting Attack
  • Dangerous File Inclusion: Local
  • Dangerous File Inclusion: Remote
  • Denial of Service: Parse Double
  • Directory Listing
  • Discovery: Known Vulnerability Scanner Activity
  • Forceful Browsing
  • Header Manipulation
  • Java Deserialization
  • Malformed Request: Missing Accept Header
  • Malformed Request: Missing Content-Type
  • Malformed Request: Use of Unsupported Method
  • Method Call Failure: Database Query
  • Open Redirect
  • Poor Error Handling: Unhandled Exception
  • Privacy Violation: Internal
  • Slow Method Call: Slow Database Query (Batch Processing)
  • Slow Method Call: Slow Database Query (Web Request)
  • SQL Injection
  • System Information Leak
  • XML Entity Expansion Injection
  • XML External Entity Injection
  • XPath Injection
60 Application Logging Categories – Feb 2016
  • Command Execution
  • Crypto Exception Created: Bad Padding
  • Crypto Exception Created: Exemption Mechanism
  • Crypto Exception Created: Illegal Block Size
  • Crypto Exception Created: No Such Cryptographic Algorithm
  • Crypto Exception Created: No Such Padding
  • Crypto Exception Created: Short Buffer
  • Database Query
  • File Copy
  • File Create
  • File Delete
  • File Move
  • File Read
  • File Write
  • General Exception Created
  • HTTP Session Start
  • HTTP Session Stop
  • Network Socket Bind
  • Network Socket Close
  • Network Socket Connect
  • Network Socket Shutdown
  • Security Exception Created: Access Control
  • Security Exception Created: Basic Key Exception
  • Security Exception Created: CERT Certificate
  • Security Exception Created: CERT Certificate Revocation List
  • Security Exception Created: CERT Path Builder
  • Security Exception Created: CERT Path Validator
  • Security Exception Created: CERT Store
  • Security Exception Created: Digest Security
  • Security Exception Created: Generic KeyStore Exception
  • Security Exception Created: Illegal Access
  • Security Exception Created: Invalid Algorithm Parameter
  • Security Exception Created: Invalid Key Specifications
  • Security Exception Created: Invalid Parameter Specification
  • Security Exception Created: Login Exception
  • Security Exception Created: No Such Provider
  • Security Exception Created: Privileged Action
  • Security Exception Created: Signature
  • Security Exception Created: Unrecoverable KeyStore Entry
  • Security Exception Created: Unrecoverable KeyStore Key
  • Spring Validation Failure
  • Struts Validation Failure
  • Unified Logging: JCL
  • Unified Logging: JUL
  • Unified Logging: Log4j
  • Unified Logging: Slf4j
  • User Logoff
  • User Logon: Failure
  • User Logon: Success
  • User Management: Add User to Group
  • User Management: Change Password
  • User Management: Create Group
  • User Management: Create User
  • User Management: Delete Group
  • User Management: Delete User
  • User Management: Remove User from Group
  • Web AccessLog
  • Web Application Running
  • Web Application Start
  • Web Application Stop
HPE Fortify Market Leadership
Questions ?
Thank You!
Mike Coleman
HP ESP - Enterprise Security Products
FORTIFY Strategic Account Executive, North East
(301) 602-8228
coleman@hpe.com
Thomas Ryan
HP ESP - Enterprise Security Products
Solutions Architect, Security SME
(408) 757-6118
tom.ryan@hpe.com


Editor's Notes

  • #6 Only AppSec provider to cover SAST, DAST, IAST and RASP
  • #11 HP Fortify SCA / Continuous Integration and Testing Environment. The key to integrating static analysis into any continuous integration process is efficiency and accuracy. In the use case above: automate Fortify SCA scans with a supported build tool (Ant, Maven, Make, MSBuild, etc.) via a script or a custom target / goal. Jobs can be easily cloned in all continuous integration servers (Jenkins, etc.) and the appropriate Fortify SCA command for translation added. We recommend performing only the translation on the build server in CI environments, so that memory-, processor- and time-intensive static analysis scans do not run on the build server. Once the translation has completed, the translated files are moved to a dedicated scan server where the static analysis scan is completed. This ensures an accurate and timely completion of the scan. The scan server then uploads the artifact to the appropriate Project & Version in Software Security Center. The baseline scan Fortify Project Report merges with the new scan file, and all previously triaged issues (audit tags / comments / etc.) are applied. Rules alert auditors to any new, previously un-triaged issues. The auditors audit each new issue and assign it to a user for remediation / inspection. The developer downloads the Fortify Project Report into his / her IDE to see which issues have been assigned; a “My Issues” checkbox shows only the assigned issues. The developer can respond to each assigned issue with either a comment or by accepting that the issue needs to be remediated. Comments are sent to the server for the auditor to review, and the secured code is placed in the SCM system.
  • #12 Let's start by understanding the security challenge in more detail
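The two-server flow described in note #11 (translate on the build server, scan on a dedicated scan server, upload the result to Software Security Center) written out as a Jenkins declarative pipeline; this is an added example, not code from the HPE deck. The agent labels, the SSC URL, the `ssc-token` credential id, the application name / version and the Maven build command are assumptions, and the `fortifyclient uploadFPR` option names differ between SSC releases, so check them against your version.

```groovy
// Added example (not from the HPE deck): Fortify SCA translation on the build
// agent, the heavy scan on a dedicated scan agent, then upload to SSC.
// Assumptions: agent labels 'build' and 'fortify-scan', a Jenkins string
// credential 'ssc-token' holding an SSC authentication token, and the URL below.
pipeline {
    agent none
    environment {
        SCA_BUILD_ID = "mbfs-${env.BUILD_NUMBER}"           // Fortify build id (-b); constructed name
        SSC_URL      = 'https://ssc.example.internal/ssc'    // placeholder SSC URL
    }
    stages {
        stage('Translate on build server') {
            agent { label 'build' }
            steps {
                // Translation only: cheap enough to run next to the normal build.
                sh '''
                  sourceanalyzer -b "$SCA_BUILD_ID" -clean
                  sourceanalyzer -b "$SCA_BUILD_ID" mvn -DskipTests clean package
                  sourceanalyzer -b "$SCA_BUILD_ID" -export-build-session "$SCA_BUILD_ID.mbs"
                '''
                // Hand the translated build session (.mbs) to the scan stage.
                stash name: 'sca-session', includes: "${env.SCA_BUILD_ID}.mbs"
            }
        }
        stage('Scan on dedicated scan server') {
            agent { label 'fortify-scan' }
            steps {
                unstash 'sca-session'
                // The memory- and CPU-heavy analysis runs here, never on the build agent.
                sh '''
                  sourceanalyzer -import-build-session "$SCA_BUILD_ID.mbs"
                  sourceanalyzer -b "$SCA_BUILD_ID" -scan -f "$SCA_BUILD_ID.fpr"
                '''
                archiveArtifacts artifacts: "${env.SCA_BUILD_ID}.fpr"
                // Upload into the matching application version so the new FPR merges with
                // the baseline and previously triaged issues keep their audit tags.
                // Older SSC releases name these options -project / -version instead.
                withCredentials([string(credentialsId: 'ssc-token', variable: 'SSC_TOKEN')]) {
                    sh '''
                      fortifyclient uploadFPR -url "$SSC_URL" -authtoken "$SSC_TOKEN" -file "$SCA_BUILD_ID.fpr" -application "MBFS-App" -applicationVersion "main"
                    '''
                }
            }
        }
    }
}
```

Keeping the scan agent separate also makes it the single place that holds the SSC upload token, so build agents never need SSC credentials.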