Application Security
Foundation Training, L200
Introduction to the Sales Enablement Curriculum
Where does this session fit within the learning path?
• L100: CyberRes Business Overview
• L110: CyberRes Partner Ecosystem
• L140: CyberRes Discovery
• L160: CyberRes Competitive Overview
• L170: CyberRes Enterprise Licensing
• L200: Identity & Access Management Foundation
• L200: Data Privacy and Protection Foundation
• L200: Security Operations Foundation
• L200: Application Security Foundation
About This Course: Things You’ll Learn
1. Market Observations
2. Customer Challenges
3. Key Trends, Primary Use Cases, and Stakeholder Priorities
4. Fortify Portfolio Overview and Business Value
5. Customer Success
6. Market Insights – Competition
Market Observations
• There is an ever-increasing shortage of skilled security staff, which dilutes security best practices.
• Organizations worldwide are facing sophisticated ransomware, deeply embedded vulnerabilities, and attacks on the digital supply chain.
• The COVID-19 pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise.
Financial Impacts of Security Breaches
[Chart: average total cost and frequency of data breaches by initial attack vector]
Source: Cost of a Data Breach Report 2021 by Ponemon Institute and IBM
Top Security and Risk Management Trends for 2022
New responses to sophisticated threats
Digital Supply Chain Risk
Cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
Attack Surface Expansion
Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, and more have pushed organizations’ exposed surfaces outside of a set of controllable assets.
Identity Threat Detection and Response
Organizations have spent considerable effort improving user authentication, which increases the attack surface. Credential misuse is now a primary attack vector.
The evolution and reframing of the security practice
Distributing Decisions
“The CISO role has moved from a technical subject matter expert to that of an executive risk manager,” said Firstbrook. “CISOs must reconceptualize their responsibility matrix to empower Boards of Directors, CEOs and other business leaders to make their own informed risk decisions.”
Beyond Awareness
Human error continues to be a factor in many data breaches, demonstrating that traditional approaches to security awareness training are ineffective. Progressive organizations are investing in holistic security behavior and culture programs (SBCPs), rather than outdated compliance-centric security awareness campaigns.
The consolidation of security products
Vendor Consolidation
Security technology convergence is accelerating, driven by the need to reduce complexity, reduce administration overhead and increase effectiveness. This consolidation will lower total cost of ownership and improve operational efficiency in the long term, leading to better overall security.
Cybersecurity Mesh
The security product consolidation trend is driving integration of security architecture components. However, there is still a need to define consistent security policies, enable workflows and exchange data between consolidated solutions. A cybersecurity mesh architecture (CSMA) helps provide a common, integrated security structure and posture to secure all assets, whether they’re on-premises, in data centers or in the cloud.
Source: https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022
Application Security Challenges
Attackers Move from Infrastructure Level to App Level
Application layer attacks are perceived as normal traffic and pass through network, perimeter, data, and endpoint security systems.
Application security (application level)
• Not mature; lack of developer training
• Growing attack surface: more applications, more connected to the Internet
• Accelerating releases reduce the time available for security
Infrastructure security (infrastructure level)
• Highly mature
• Substantial investments in place
• Systems are more secure out-of-the-box than ever
[Diagram: Application level (Application Security, Security Functionality*) versus Infrastructure level (Identity & Access Management, Network & Perimeter); labels: avoiding/bypassing, controlled access]
* Security functionality testing is different from application security testing.
Security Is Often Left Out
Why?
• Need for Speed: Developers have to deliver functional code fast – anything else is friction.
• Digital Transformation: 82% of CIOs say they have implemented new technologies, IT strategies, and/or methodologies due to the COVID-19 pandemic*.
• More Volume: Because of the volume of apps being pushed into production, security is not the focus of DevOps.
* IDG 2021 State of the CIO Report
Customers Need Help!
People: Training Developers around Security Testing
• Engage developers early in the testing process
• Make it easy for developers to initiate security scans on the code
• Prioritize security alerts to drive developer productivity
Technology: Third-Party and Open-Source Vulnerabilities
• As much as 90% of applications use open-source software and libraries, which are available under the GNU General Public License.
Inherited Vulnerabilities
• Blindly using code previously written by someone else is a huge risk. You cannot know what security measures had been taken; the code might contain many weaknesses and omissions.
• Reusing old code or legacy applications without adequate security testing or validating the health of the project can lead to vulnerabilities getting embedded in the new application. This is known as technical debt.
• Open-source modules might have security defects or known vulnerabilities, which could lead to software supply chain attacks.
Process: Maturing DevSecOps
Many customers are still in the early phases of adopting an integrated approach.
• They lack an understanding of the impact of not remediating vulnerabilities early in the development cycle.
• Involve developers to shift security left in the development cycle.
• Break silos through a centralized reporting and monitoring solution for found vulnerabilities.
AppSec Trends, Stakeholder Priorities, and Primary Use Cases
Application Security Key Trends 2022
Shift Left | Cloud Transformation | AppSec Maturity | Open-Source Risk
Securing the Software Supply Chain
• Supply chains have many blind spots or cracks that attackers can take advantage of, resulting in increased severity and frequency of attacks.
AppSec Orchestration and Correlation
• AppSec orchestration and correlation has increasingly become a hot topic in the industry, with many benefits and challenges.
Next-Generation DAST
• We are starting to see developer-driven DAST testing expand, extending the use of DAST beyond the hands of AppSec/QA and fully within the Dev CI/CD automation pipelines.
Machine Learning and AI Are Key to the Next Evolution of Automation
• Companies that use automation are twice as likely to implement security testing; in addition, there are numerous use cases for machine learning advancements.
Cloud-Native AppSec
• With the broad IT industry trend towards the cloud, a modern software stack includes many cloud-native elements of the architecture.
• As a result, the demarcation between AppSec and InfraSec is becoming blurred.
API Security Needs Are Growing Ever Larger
• APIs are the most rapidly growing attack surface, but still aren’t widely understood and are often overlooked by developers and AppSec managers.
AppSec Is Evolving from Shift-Left to Shift Everywhere
• Test early is now test everywhere and often!
• There is no one-size-fits-all; it is about finding the right tools for the right job, at the right time.
• It’s all about defense in depth.
Stakeholder Priorities
• Henk Visscher, Chief Information Security Officer (CISO): Protect the organization’s brand, information, applications, and infrastructure. Cost optimization for security and risk.
• Anika Bendali, DevOps Manager (DevOps): Manager with a technical background, responsible for developer tooling and overall CI/CD pipeline “lights on” operation.
• Julia Zanberch, Application Security Manager (AppSec): Identify, track, and reduce application security risks across the applications catalog.
• Troy Michanna, Product Owner (DevLead): Release schedules and deadlines; ensures applications are secure before releasing to production.
Primary Use Cases
Fortify Business Value
Why Fortify?
AppSec on demand
Application Security-as-a-Service with security testing and vulnerability management gets you started with minimal skilled resources.
High-quality AppSec
With Fortify, you don’t need to trade quality of results for speed in order to scale up your DevSecOps processes.
Industry-leading research
Our research supports 1,224 vulnerability categories across 30+ languages and over 1 million APIs to improve threat detection.
Benefits
• Protect your software: Software resilience from a partner you can trust.
• Detect risk: Focus on what matters with accurate, thorough results.
• Evolve your AppSec: A holistic, scalable platform that supports your needs.
What we do – Enable Secure Code Development
• Find and fix security vulnerabilities with fast and accurate results, whether the application is built in-house, by a third party, or using open-source libraries.
• Automatically identify and tune out false positives with machine learning. Fix known issues with minimal developer friction.
• Flexibility in testing application security on-premises, hosted, or delivered as a SaaS managed service. Cloud SDKs to support cloud DevOps integration and testing of cloud microservices.
• Fortify offers end-to-end application security solutions, including integration with the developer IDE as well as the DevOps tool chain (CI/CD).
• Fortify is named #1 for Enterprise by Gartner (Critical Capabilities report), including its machine learning capabilities.
• Fortify customers benefit from a holistic, inclusive, and extensible platform that uses a single taxonomy and provides building blocks to mature your software security assurance efforts.
AppSec’s Journey Toward Cyber Resilience
Then, now, and in the future
[Timeline]
• Era of Compliance, 2001–2008 (aka “Check the Box”): Comply. 2001: SOX.
• Era of Threat Management, 2008–2014 (aka “Stage Gate”): De-risk. 2008+: major cyberattacks.
• Era of DX Transform, 2014–2020 (aka “Shift Left”): Enable. 2020: COVID driving DX.
• Era of Growth, 2021+ (aka “Speed vs Cost”): Resilient.
Fortify Portfolio Overview
Fortify Product Offerings
Flexible offerings for modern development:
• Static Code Analyzer: Analyzes source code for security vulnerabilities to enable Static Application Security Testing (SAST).
• Software Composition Analysis (SCA): Scans open-source components for vulnerabilities, either using Debricked (SaaS) or through our partnership with Sonatype (on-premises).
• WebInspect: Analyzes applications in their running state and simulates attacks to find vulnerabilities to enable Dynamic Application Security Testing (DAST).
• Software Security Center (SSC): Holistic application security platform included with on-premises or hosted solutions to centralize the visibility of application security risks.
• Fortify on Demand (FoD): AppSec as a managed service that includes SAST, DAST, SCA, and MAST capabilities, managed by CyberRes security analysts.
• Fortify Hosted: SaaS-based offering deployed in the cloud with managed infrastructure deployment and support.
Fortify Embodies DevSecOps
• Solutions that align with DevSecOps success: integration, automation, speed.
• Backed by the market-leading Software Security Research team: 1,244 vulnerability categories | 30 programming languages | 1M+ individual APIs.
• Enterprise-level security at each stage of development; strong integration with industry-leading tools.
Fortify Portfolio: Software Resilience for Modern Development
Customer Success
The world’s leading enterprises entrust their AppSec needs to Fortify:
• 9 out of 10 of the largest information technology companies
• 5 out of 5 of the largest telecommunication companies
• 9 out of 10 of the largest banks
• 4 out of 5 of the largest pharmaceutical companies
• 3 out of 3 of the largest independent software vendors
• Federal: Strongest AppSec solution provider in the Federal space (FedRAMP Certified)
“Micro Focus Fortify really addresses the needs of the developers. It makes sense to them.”
- Damien Suggs, AppSec Director
“This is a partnership to drive AppSec modernization with Fortify on Demand to deliver actionable, data-driven results.”
- Rajan Gupta, VP, Product Security
Fortify Has a Continued Leadership Position in the Market
Fortify Key Competitive Differentiation
1. Maturity at Scale
Fortify is a good fit for enterprises with complex application projects and AST users with experience and advanced requirements.
2. Shift-Left Security
Fortify Security Assistant is a real-time security checker that operates in the IDE. It is not a replacement for a comprehensive SAST scan, but can provide a lightweight automatic check for developer security mistakes as the developer codes.
3. Fewer False Positives
The Fortify Audit Assistant feature has been extended to allow teams the flexibility to either manually review artificial intelligence (AI) predictions on issues or to opt in to “automatic predictions,” which support completely in-band automated triaging of
This contributes to reducing false positives.
4. Enterprise DAST
Micro Focus provides DAST that is able to address many of the challenges with modern applications, such as scanning client-side vulnerabilities or support for 2FA, among other things.
Leader in Application Security Testing
But don’t take our word for it…
Market Insights
Application Security Testing Market Size and Growth
Market Drivers
• Increasing investment in AppSec aligned with the risk of breaches.
• Emergence of DevSecOps: Security is becoming a critical component of DevOps, on-premises or in the cloud.
• Open Source: A significant percentage of production applications contain OSS code, leading to software supply chain risks.
• Developer-Led: Developers are both users and a source of insider threats, which requires zero trust in the SDLC.
• Shift Left: Faster time to vulnerability identification and fix, driven by DevOps and the cost impact of remediation if done during production.
Market Size Forecast 2017 to 2023 (Global)
• 2018 (F): $3.3B
• 2023 (F): $7.1B
F = Forecast. Source: Forrester Analytics: Application Security Solutions Forecast, 2017 to 2023 (Global)
Security Scanning Tools
• Static Application Security Testing (SAST)*
• Dynamic Application Security Testing (DAST)*
• Software Composition Analysis (SCA)*
• Interactive Application Security Testing (IAST)*
Runtime Protection Tools
• Web Application Firewall (WAF)
• Bot Management
• Runtime Application Self-Protection (RASP)
*Fortify’s currently served market segments
Key Competitors
• SAST: Coverity
• SCA: BlackDuck
• DAST: Invicti
Strengthen Your Cyber Resilience
CyberRes at a Glance
• Protect. Protect across your identities, applications, and data.
• Detect. Detect, respond, and recover from advanced threats.
• Evolve. Evolve your security posture at the speed of change.
[Diagram: Data Privacy and Protection, Identity and Access Management, Application Security, Security Operations; Identities, Data, Applications]
Summary
• Important Points
• Congratulations
• Before You Leave
• Thank You
Top 4 Points for Learners to Remember
1. Application Security is a growing market.
2. Every customer is a potential prospect for Application Security needs.
3. Fortify is a leader in the Application Security market.
4. Fortify offers a full-spectrum solution for SCA, SAST, DAST and MAST.
What’s next?
Congratulations! You completed the course. But this is not the end … Stay tuned for Application Security Solutions & Capabilities Training, L210. Download any course attachments for future study!
Thank You.
www.cyberres.com
For customer-facing material, visit Sales Enablement Central: https://se.microfocus.com/en-us/cyberres
Make sure to fill out your survey after the course!
Before You Leave . . .
1. Exit from full screen mode (if used).
2. Close the window containing the presentation.
3. Close any intermediate screens.
4. When you return to the course page in SABA, it should say “Completed.”
5. Close the browser.

 

Fortify-Application_Security_Foundation_Training.pptx

  • 1. Application Security Foundation Training, L200
    You can: download the presentation; view slide notes.
  • 2. Introduction to the Sales Enablement Curriculum
    Where does this session fit within the learning path?
    L100 CyberRes Business Overview
    L110 CyberRes Partner Ecosystem
    L140 CyberRes Discovery
    L160 CyberRes Competitive Overview
    L170 CyberRes Enterprise Licensing
    L200 Identity & Access Management Foundation
    L200 Data Privacy and Protection Foundation
    L200 Security Operations Foundation
    L200 Application Security Foundation
  • 3. About This Course: Things You’ll Learn
    1. Market Observations
    2. Customer Challenges
    3. Key Trends, Primary Use Cases, and Stakeholders Priority
    4. Fortify Portfolio Overview and Business Value
    5. Customer Success
    6. Market Insights – Competition
  • 5. Market Observations
    • There is an ever-increasing shortage of skilled security staff, which dilutes security best practices.
    • Organizations worldwide are facing sophisticated ransomware, deeply embedded vulnerabilities, and attacks on the digital supply chain.
    • The COVID-19 pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise.
  • 6. Financial Impacts of Security Breaches
    (Chart: average total cost and frequency of data breaches by initial attack vector.)
    Source: Cost of a Data Breach Report 2021 by Ponemon Institute and IBM
  • 7. Top Security and Risk Management Trends for 2022
    New responses to sophisticated threats
    • Digital Supply Chain Risk: Cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
    • Attack Surface Expansion: Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, and more have pushed organizations’ exposed surfaces outside of a set of controllable assets.
    • Identity Threat Detection and Response: Organizations have spent considerable effort improving user authentication, which increases the attack surface. Credential misuse is now a primary attack vector.
    The evolution and reframing of the security practice
    • Distributing Decisions: “The CISO role has moved from a technical subject matter expert to that of an executive risk manager,” said Firstbrook. “CISOs must reconceptualize their responsibility matrix to empower Boards of Directors, CEOs and other business leaders to make their own informed risk decisions.”
    • Beyond Awareness: Human error continues to be a factor in many data breaches, demonstrating that traditional approaches to security awareness training are ineffective. Progressive organizations are investing in holistic security behavior and culture programs (SBCPs), rather than outdated compliance-centric security awareness campaigns.
    The consolidation of security products
    • Vendor Consolidation: Security technology convergence is accelerating, driven by the need to reduce complexity, reduce administration overhead and increase effectiveness. This consolidation will lower total cost of ownership and improve operational efficiency in the long term, leading to better overall security.
    • Cybersecurity Mesh: The security product consolidation trend is driving integration of security architecture components. However, there is still a need to define consistent security policies, enable workflows and exchange data between consolidated solutions. A cybersecurity mesh architecture (CSMA) helps provide a common, integrated security structure and posture to secure all assets, whether they’re on-premises, in data centers or in the cloud.
    Source: https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022
  • 9. Attackers Move from Infrastructure Level to App Level
    Application layer attacks are perceived as normal traffic and pass through network, perimeter, data, and endpoint security systems.
    Application security
    • Not mature; lack of developer training
    • Growing attack surface: more applications, more connected to the Internet
    • Accelerating releases reduce the time available for security
    Infrastructure security
    • Highly mature
    • Substantial investments in place
    • Systems are more secure out-of-the-box than ever
    (Diagram: layers labelled Application Security, Security Functionality*, Identity & Access Management, and Network & Perimeter, grouped into application level and infrastructure level; application-level attacks shown avoiding/bypassing the infrastructure controls rather than going through controlled access.)
    * Security functionality testing is different from application security testing.
  • 10. Security Is Often Left Out. Why?
    • Need for Speed: Developers have to deliver functional code fast – anything else is friction.
    • Digital Transformation: 82% of CIOs say they have implemented new technologies, IT strategies, and/or methodologies due to the COVID-19 pandemic.*
    • More Volume: Because of the volume of apps being pushed into production, security is not the focus of DevOps.
    * IDG 2021 State of the CIO Report
  • 11. Customers Need Help! (People, Process, Technology)
    Training Developers around Security Testing
    • Engage developers early in the testing process
    • Make it easy for developers to initiate security scans on the code
    • Prioritize security alerts to drive productivity of developers
    Third-Party and Open-Source Vulnerabilities
    • As much as 90% of applications use open-source software and libraries while they are available under the GNU General Public License.
    Inherited Vulnerabilities
    • Blindly using code previously written by someone else is a huge risk. You cannot know what security measures were taken; the code might contain many weaknesses and omissions.
    • Reusing old code or legacy applications without adequate security testing or validating the health of the project can lead to vulnerabilities getting embedded in the new application. This is known as technical debt.
    • Open-source modules might have security defects or known vulnerabilities, which could lead to software supply chain attacks.
    Maturing DevSecOps
    Many customers are still in the early phases of adopting an integrated approach.
    • They lack an understanding of the impact of not remediating vulnerabilities early in the development cycle.
    • Involve developers to shift security left in the development cycle.
    • Break silos through a centralized reporting and monitoring solution for found vulnerabilities.
  • 13. Application Security Key Trends 2022
    Themes: Shift Left, Cloud Transformation, AppSec Maturity, Open Source Risk
    • Securing the Software Supply Chain: Supply chains have many blind spots or cracks that attackers can take advantage of, resulting in increased severity and frequency of attacks.
    • AppSec Orchestration and Correlation: AppSec orchestration and correlation has increasingly become a hot topic in the industry, with many benefits and challenges.
    • Next Generation DAST: We are starting to see developer-driven DAST testing expand, extending the use of DAST beyond the hands of AppSec/QA and fully within the Dev CI/CD automation pipelines.
    • Machine Learning and AI are key to the next evolution of automation: Companies who use automation are twice as likely to implement security testing; in addition, there are numerous use cases for machine learning advancements.
    • Cloud-Native AppSec: With the broad IT industry trend towards the cloud, a modern software stack includes many cloud-native elements of the architecture. As a result, the demarcation between AppSec and InfraSec is becoming blurred.
    • API security needs are growing ever larger: APIs are the most rapidly growing attack surface, but still aren’t widely understood and are often overlooked by developers and AppSec managers.
    • AppSec is evolving from Shift-Left to Shift Everywhere: Test early is now test everywhere and often! There is no one-size-fits-all; it is about finding the right tools for the right job, at the right time. It’s all about defense in depth.
  • 14. Stakeholder Priorities
    • Henk Visscher, Chief Information Security Officer (CISO): Protect the organization’s brand, information, applications, and infrastructure. Cost optimization for security and risk.
    • Anika Bendali, DevOps Manager (DevOps): Manager with a technical background, responsible for developer tooling and overall CI/CD pipeline lights-on operation.
    • Julia Zanberch, Application Security Manager (AppSec): Identify, track, and reduce application security risks across the applications catalog.
    • Troy Michanna, Product Owner (DevLead): Release schedules and deadlines; ensures applications are secure before releasing to production.
  • 17. Why Fortify?
    Benefits
    • AppSec on demand: Application Security-as-a-Service with security testing and vulnerability management gets you started with minimal skilled resources.
    • High-quality AppSec: With Fortify, you don’t need to trade quality of results for speed in order to scale up your DevSecOps processes.
    • Industry-leading research: Our research supports 1,224 vulnerability categories across 30+ languages and over 1 million APIs to improve threat detection.
    • Protect your software: Software resilience from a partner you can trust.
    • Detect risk: Focus on what matters with accurate, thorough results.
    • Evolve your AppSec: A holistic, scalable platform that supports your needs.
  • 18. What We Do – Enable Secure Code Development
    • Find and fix security vulnerabilities with fast and accurate results, whether the application is built in-house, by a third party, or using open-source libraries.
    • Automatically identify and tune out false positives with machine learning. Fix known issues with minimal developer friction.
    • Flexibility in testing application security on-premises, hosted, or delivered as a SaaS managed service.
    • Cloud SDKs to support cloud DevOps integration and testing of cloud microservices.
    • Fortify offers end-to-end application security solutions, including integration with the developer IDE as well as the DevOps tool chain (CI/CD).
    • Fortify is named #1 for Enterprise by Gartner (Critical Capabilities report), including its machine learning capabilities.
    • Fortify customers benefit from a holistic, inclusive, and extensible platform that uses a single taxonomy and provides building blocks to mature your software security assurance efforts.
  • 19. AppSec’s Journey Toward Cyber Resilience: Then, now, and in the future
    • Era of Compliance, 2001 - 2008 (aka “Check the Box”): Comply
    • Era of Threat Management, 2008 - 2014 (aka “Stage Gate”): De-risk
    • Era of DX Transform, 2014 - 2020 (aka “Shift Left”): Enable
    • Era of Growth, 2021+ (aka “Speed vs Cost”): Resilient
    Timeline markers: 2001 SOX; 2008+ major cyberattacks; 2020 COVID driving DX.
  • 21. Fortify Product Offerings: Flexible offering for Modern Development
    • Static Code Analyzer: Analyzes source code for security vulnerabilities to enable Static Application Security Testing (SAST).
    • Software Composition Analysis (SCA): Scans open-source components for vulnerabilities, either using Debricked (SaaS) or through our partnership with Sonatype (on-premises).
    • WebInspect: Analyzes applications in their running state and simulates attacks to find vulnerabilities to enable Dynamic Application Security Testing (DAST).
    • Software Security Center (SSC): Holistic application security platform included with on-premises or hosted solutions to centralize the visibility of application security risks.
    • Fortify on Demand (FoD): AppSec as a managed service that includes SAST, DAST, SCA, and MAST capabilities, managed by CyberRes security analysts.
    • Fortify Hosted: SaaS-based offering deployed in the cloud with managed infrastructure deployment and support.
    Solutions that align with DevSecOps success: Integration, Automation, Speed.
    Backed by the market-leading Software Security Research team: 1,244 Vulnerability Categories | 30 Programming Languages | 1M+ Individual APIs
  • 22. Fortify Embodies DevSecOps: Enterprise-level security at each stage of development; strong integration with industry-leading tools.
  • 23. Fortify Portfolio Software Resilience for Modern Development
  • 25. The world’s leading enterprises entrust their AppSec needs to Fortify
    • 9 out of 10 of the largest information technology companies
    • 5 out of 5 of the largest telecommunication companies
    • 9 out of 10 of the largest banks
    • 4 out of 5 of the largest pharmaceutical companies
    • 3 out of 3 of the largest independent software vendors
    • Federal: Strongest AppSec solution provider in the Federal space (FedRAMP Certified)
    “Micro Focus Fortify really addresses the needs of the developers. It makes sense to them.” - Damien Suggs, AppSec Director
    “This is a partnership to drive AppSec modernization with Fortify on Demand to deliver actionable, data-driven results.” - Rajan Gupta, VP, Product Security
  • 26. Fortify Has a Continued Leadership Position in the Market: Leader in Application Security Testing
    Fortify Key Competitive Differentiation
    1. Maturity at Scale: Fortify is a good fit for enterprises with complex application projects and AST users with experience and advanced requirements.
    2. Shift-Left Security: Fortify Security Assistant is a real-time security checker that operates in the IDE. It is not a replacement for a comprehensive SAST scan, but can provide a lightweight automatic check for developer security mistakes as the developer codes.
    3. Fewer False Positives: The Fortify Audit Assistant feature has been extended to allow teams the flexibility to either manually review artificial intelligence (AI) predictions on issues or to opt in to “automatic predictions,” which support completely in-band automated triaging. This contributes to reducing false positives.
    4. Enterprise DAST: Micro Focus provides DAST that is able to address many of the challenges with modern applications, such as scanning client-side vulnerabilities or support for 2FA, among other things.
  • 27. But don’t take our word for it…
  • 29. Application Security Testing Market Size and Growth
    Market Drivers
    • Increasing investment in AppSec aligned with risk of breaches.
    • Emergence of DevSecOps: Security becoming a critical component of DevOps, on-premises or in the cloud.
    • Open Source: A significant % of production applications have OSS code, leading to software supply chain risks.
    • Developer-Led: Developers are both users and a source of insider threats, which requires zero trust in the SDLC.
    • Shift Left: Faster time to vulnerability identification and fix, driven by DevOps and the cost impact of remediation if done during production.
    Market Size Forecast 2017 to 2023 (Global): 2018 (F) $3.3B; 2023 (F) $7.1B. F = Forecast.
    Security Scanning Tools: Static Application Security Testing (SAST)*, Dynamic Application Security Testing (DAST)*, Software Composition Analysis (SCA)*, Interactive Application Security Testing (IAST)*
    Runtime Protection Tools: Web Application Firewall (WAF), Bot Management, Runtime Application Self-protection (RASP)
    * Fortify’s currently served market segments
    Source: Forrester Analytics: Application Security Solutions Forecast, 2017 to 2023 (Global)
  • 31. Strengthen Your Cyber Resilience: CyberRes at a Glance
    • Protect. Protect across your identities, applications, and data.
    • Detect. Detect, respond, and recover from advanced threats.
    • Evolve. Evolve your security posture at the speed of change.
    Portfolio: Data Privacy and Protection; Identity and Access Management; Application Security; Security Operations.
    Covering: Identities | Data | Applications
  • 32. Summary: Important Points; Congratulations; Before You Leave; Thank You
  • 33. Top 4 Points for Learners to Remember
    1. Application Security is a growing market.
    2. Every customer is a potential prospect for Application Security needs.
    3. Fortify is a leader in the Application Security market.
    4. Fortify offers a full-spectrum solution for SCA, SAST, DAST and MAST.
  • 34. What’s next? Congratulations! You completed the course. But this is not the end … Stay tuned for Application Security Solutions & Capabilities Training, L210 Download any course attachments for future study!
  • 35. Thank You. www.cyberres.com
    For customer-facing material, visit Sales Enablement Central: https://se.microfocus.com/en-us/cyberres
    Make sure to fill out your survey after the course!
  • 36. Before You Leave . . .
    1. Exit from full screen mode (if used).
    2. Close the window containing the presentation.
    3. Close any intermediate screens.
    4. When you return to the course page in SABA, it should say “Completed.”
    5. Close the browser.