Uploaded byYoisRoberthTapiadeLa
PPTX, PDF236 views

Fortify-Application_Security_Foundation_Training.pptx

This document provides an overview of application security challenges and trends. It discusses how attacks have moved to target applications directly rather than just infrastructure. It also notes that security is often an afterthought for developers focused on speed and that maturity varies. Key trends include shifting security left in the development process, addressing open source risks, and leveraging tools like machine learning. Stakeholders have different priorities around protecting the organization versus meeting deadlines. Primary use cases involve finding and fixing vulnerabilities throughout the development lifecycle. The Fortify platform aims to provide application security that scales with development needs.

Embed presentation

Download to read offline
Application Security Foundation Training, L200 You can: Download the presentation. View slide notes.
Introduction to the Sales Enablement Curriculum Where does this Session fit within the learning path? 100 L100 CyberRes Business Overview L110 CyberRes Partner Ecosystem L140 CyberRes Discovery L160 CyberRes Competitive Overview L170 CyberRes Enterprise Licensing L200 Identity & Access Management Foundation L200 Data Privacy and Protection Foundation L200 Security Operations Foundation L200 Application Security Foundation L200 Application Security Foundation
1 Market Observations Customer Challenges Key Trends, Primary Use Cases, and Stakeholders Priority Fortify Portfolio Overview and Business Value Customer Success Market Insights – Competition 2 3 4 5 6 About This Course Things You’ll Learn
Market Observations
Market Observations v There is an ever-increasing shortage of skilled security staff, which dilutes security best practices. Organizations worldwide are facing sophisticated ransomware, deeply embedded vulnerabilities, and attacks on the digital supply chain. The COVID-19 pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise.
Financial Impacts of Security Breaches Average total cost and frequency of data breaches by initial attack vector Source: Cost of a data breach report 2021 by Ponemon Institute and IBM
Top Security and Risk Management Trends for 2022 New responses to sophisticated threats Digital Supply Chain Risk Cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021 Attack Surface Expansion Risks associated with the use of cyber- physical systems and IoT, open-source code, cloud applications, and more have made organizations’ exposed surfaces outside of a set of controllable assets Identity Threat Detection and Response Organizations have spent considerable effort improving user authentication, which increases the attack surface. Credential misuse is now a primary attack vector. The evolution and reframing of the security practice Distributing Decisions The CISO role has moved from a technical subject matter expert to that of an executive risk manager,” said Firstbrook. CISOs must reconceptualize their responsibility matrix to empower Boards of Directors, CEOs and other business leaders to make their own informed risk decisions.” Beyond Awareness Human error continues to be a factor in many data breaches, demonstrating that traditional approaches to security awareness training are ineffective. Progressive organizations are investing in holistic security behavior and culture programs (SBCPs), rather than outdated compliance-centric security awareness campaigns. The consolidation of security products Vendor Consolidation Security technology convergence is accelerating, driven by the need to reduce complexity, reduce administration overhead and increase effectiveness. This consolidation will lower total cost of ownership and improve operational efficiency in the long term, leading to better overall security. Cybersecurity Mesh The security product consolidation trend is driving integration of security architecture components. However, there is still a need to define consistent security policies, enable workflows and exchange data between consolidated solutions. A cybersecurity mesh architecture (CSMA) helps provide a common, integrated security structure and posture to secure all assets, whether they’re on-premises, in data centers or in the cloud. https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for- 2022
Application Security Challenges
Attackers Move from Infrastructure Level to App Level Application layer attacks are perceived as normal traffic and pass-through network, perimeter, data, and endpoint security systems. Application security • Not mature; lack of developer training • Growing attack surface: more applications, more connected to the Internet • Accelerating releases reduces time available for security Application Security Security Functionality Identity & Access Management Network & Perimeter Avoiding bypassing Application level Infrastructure level Controlled access * Security functionality testing is different from application security testing. Infrastructure security • Highly mature • Substantial investments in place • Systems are more secure out-of-the-box than ever
Security Is Often Left Out Why? • Need for Speed Developers have to deliver functional code fast – anything else is friction. • Digital Transformation 82% of CIOs say they have implemented new technologies, IT strategies, and/or methodologies due to the COVID-19 pandemic*. • More Volume Because of the volume of apps being pushed into production, security is not the focus of DevOps. * IDG 2021 State of the CIO Report
Customers Need Help! Training Developers around Security Testing • Engage developers early in the testing process • Make it easy for developers to initiate security scans on the code • Prioritize security alerts to drive productivity of developers People Third-Party and Open-Source Vulnerabilities • As much as 90% of applications use open- source software and libraries while they are available under GNU general public license. Inherited Vulnerabilities • Blindly using code previously written by someone else is a huge risk. You cannot know what security measures had been taken; the code might contain many weaknesses and omissions. • By reusing old code or legacy applications, without adequate security testing or validating the health of the project can lead to vulnerabilities getting embedded in the new application . This is known as technical debt. • Open-source modules might have security defects or known vulnerabilities, which could lead to software supply chain attacks. Process Technology Maturing DevSecOps Many customers are still in their early phases of adopting an integrated approach. • They lack an understanding of the impact of not remediating vulnerabilities early in the development cycle. • Involve developers to shift security left in the development cycle. • Break Silo’s through a centralized reporting and monitoring solution for found vulnerabilities
AppSec Trends, Stakeholders Priorities, and Primary Use Cases
Application Security Key Trends 2022 Shift left Cloud Transformation AppSec Maturity OpenSource Risk Securing the Software Supply Chain Supply chains have many blind spots or cracks that attackers can take advantage of, resulting in increased severity and frequency of attacks. AppSec Orchestration and Correlation • AppSec orchestration and correlation has increasingly become a hot topic in the industry, with many benefits and challenges Next Generation DAST • We are starting to see developer-driven DAST testing expand, extending the use of DAST beyond the hands of AppSec/QA and fully within the Dev CI/CD automation pipelines Machine Learning and AI are key to the next evolution of automation Companies who use automation are twice as likely to implement security testing, in addition, there are numerous use cases for machine learning advancements Cloud-Native AppSec • With the broad IT industry trend towards the cloud, a modern software stack includes many cloud-native elements of the architecture. • As a result, the demarcation between AppSec and InfraSec is becoming blurred API security needs are growing ever larger • APIs are the most rapidly growing attack surface, but still aren´t widely understood and are often overlooked by developers and AppSec managers AppSec Is evolving from Shift-Left to Shift Everywhere • Test early is now test everywhere and often! • There is no one-size fits all, but finding the right tools for right job, at the right time. • It´s all about defense in depth.
Stakeholder Priorities Henk Visscher Chief Information Security Officer (CISO) Anika Bendali DevOps Manager (DevOps) . Julia Zanberch Application Security Manager (AppSec) Troy Michanna Product Owner (DevLead) Protect the organization’s brand, information, applications, and infrastructure. Cost optimization for security and risk. Manager with a technical background, responsible for developer tooling and overall CI/CD pipeline lights on operation Identify, track, and reduce application security risks across the applications catalog. Release schedules and deadlines; ensures applications are secure before releasing to production.
Primary Use Cases
Fortify Business Value
Why Fortify ? AppSec on demand Application Security-as-a-Service with security testing and vulnerability management gets you started with minimal skilled resources. High-quality AppSec With Fortify, you don’t need to trade quality of results for speed in order to scale up your DevSecOps processes. Industry-leading research Our research supports 1,224 vulnerability categories across 30+ languages and over 1 million APIs to improve threat detection. Protect your software Software resilience from a partner you can trust Detect risk Focus on whats matters with accurate, through results. Evolve your AppSec A holistic, scalable platform that supports your needs Benefits
What we do – Enable Secure Code Development Find and fix security vulnerabilities with fast and accurate results, whether the application is built in-house, by a third party, or using open- source libraries. Automatically identify and tune out false positives with machine learning. Fix known issues with minimal developer friction. Flexibility in testing application security on- premises, hosted, or delivered as a SaaS managed service. Cloud SDK’s to support cloud DevOps integration ad testing cloud microservices Fortify offers end-to-end application security solutions, including integration with the developer (IDE) as well as the DevOps tool chain (CI/CD). Fortify is named #1 for Enterprise by Gartner (Critical Capabilities report), including its machine learning capabilities. Fortify customers benefit from a holistic, inclusive, and extensible platform that uses a single taxonomy and provides building blocks to mature your software security assurance efforts.
aka “Check the Box” aka “Stage Gate” aka “Shift Left” aka ”Speed vs Cost” ERA OF COMPLIANCE 2001 - 2008 ERA OF THREAT MANAGEMENT 2008 - 2014 ERA OF DX TRANSFORM 2014 - 2020 ERA OF GROWTH 2021+ COMPLY DE-RISK ENABLE RESILIENT 2020 COVID DRIVING DX 2008 + MAJOR CYBERATTACKS 2001 SOX AppSec’s Journey Toward Cyber Resilience Then, now, and in the future
Fortify Portfolio Overview
Fortify Product Offerings Flexible offering for Modern Development  Static Code Analyzer: Analyzes source code for security vulnerabilities to enable Static Application Security Testing (SAST).  Software Composition Analysis (SCA): Scans open-source components for vulnerabilities, either using Debricked (SaaS) or through our partnership with Sonatype (on-premises).  WebInspect: Analyzes applications in their running state and simulates attacks to find vulnerabilities to enable Dynamic Application Security Testing (DAST).  Software Security Center (SSC): Holistic application security platform included with on- premises or hosted solutions to centralize the visibility of application security risks  Fortify on Demand (FoD): AppSec as a managed service that includes SAST, DAST, SCA, and MAST capabilities and managed by CyberRes security analysts.  Fortify Hosted: SaaS-based offering deployed in the cloud with managed infrastructure deployment and support. Solutions that Align with DevSecOps Success Integration Automation Speed Backed by the Market-Leading Software Security Research Team 1,244 Vulnerability Categories | 30 Programming Languages | 1M+ Individual APIs
Enterprise-level security at each stage of development Strong integration with industry-leading tools Fortify Embodies DevSecOps
Fortify Portfolio Software Resilience for Modern Development
Customer Success
The world’s leading enterprises entrust their AppSec needs to Fortify 9 out of 10 of the largest information technology companies 5 out of 5 of the largest telecommunication companies 9 out of 10 of the largest banks 4 out of 5 of the largest pharmaceutical companies 3 out of 3 of the largest independent software vendors Federal Strongest AppSec solution provider in Federal space (FedRAMP Certified) "Micro Focus Fortify really addresses the needs of the developers. It makes sense to them.“ - Damien Suggs, AppSec Director “This is a partnership to drive AppSec modernization with Fortify on Demand to deliver actionable, data driven results.” - Rajan Gupta, VP, Product Security
Fortify Has a Continued Leadership Position in the Market Fortify Key Competitive Differentiation Maturity at Scale Fortify is a good fit for enterprises with complex application projects and AST users with experience and advanced requirements. Shift-Left Security Fortify Security Assistant is a real-time security checker that operates in the IDE. It is not a replacement for a comprehensive SAST scan, but can provide a lightweight automatic check for developer security mistakes as the developer codes. Fewer False Positives The Fortify Audit Assistant feature has been extended to allow teams the flexibility to either manually review artificial intelligence (AI) predictions on issues or to opt in to “automatic predictions,” which support completely in-band automated triaging of This contributes to reducing false positives. Enterprise DAST Micro Focus provides DAST that is able to address many of the challenges with modern applications, such as scanning client-side vulnerabilities or support for 2FA, among other things. Leader in Application Security Testing 1 2 3 4
But don’t take our word for it…
Market Insights
Application Security Testing Market Size and Growth Market Drivers • Increasing investment in AppSec aligned with risk of breaches. • Emergence of DevSecOps: Security becoming a critical component of DevOps, on-premises or in the cloud. • Open Source: Significant % of production application has OSS code, leading to software supply chain risks. • Developer-Lead: Developers are both users and a source for insider threats, which requires zero trust in the SDLC. • Shift Left: Faster time to vuln identification and fix, driven by DevOps and the cost impact of remediation if done during production. Source: Forrester Analytics: Application Security Solutions Forecast, 2017 to 2023 (Global) F = Forecast 2018 (F) 2023 (F) Market Size Forecast 2017 to 2023 (Global) $3.3B $7.1B Static Application Security Testing (SAST)* Dynamic Application Security Testing (DAST)* Software Composition Analysis (SCA)* Interactive Application Security Testing (IAST)* Security Scanning Tools Web Application Firewall (WAF) Bot Management Runtime Application Self-protection (RASP) Runtime Protection Tools *Fortify’s currently served market segments
Key Competitors SCA DAST SAST Invicti BlackDuck Coverity
Strengthen Your Cyber Resilience CyberRes at a Glance Protect. Protect across your identities, applications, and data. Detect. Detect, respond, and recover from advanced threats. Evolve. Evolve your security posture at the speed of change. Data Privacy and Protection Identity and Access Management Application Security Security Operations Identities Data Applications
Summary • Important Points • Congratulations • Before You Leave • Thank You
Top 4 Points for Learners to Remember 1 2 3 Application Security is a growing market Every customer is a potential prospects for Application Security needs Fortify is a leader in the Application Security market 4 Fortify offers a Full Spectrum solution for SCA, SAST, DAST and MAST
What’s next? Congratulations! You completed the course. But this is not the end … Stay tuned for Application Security Solutions & Capabilities Training, L210 Download any course attachments for future study!
Thank You. www.cyberres.com 35 For customer facing material, visit Sales Enablement Central: https://se.microfocus.com/en-us/cyberres Make sure to fill out your survey after the course!
36 Before You Leave . . . 1 Exit from full screen mode (if used). 2 Close the window containing the presentation. 3 Close any intermediate screens. 4 When you return to the course page in SABA, it should say “Completed.” 5 Close the browser.

More Related Content

PPTX
Fortinet Corporate Overview Deck.pptx
byArianeSpano
 
PDF
CISSP Exam Practice Questions Domain 1 to 4.pdf
byinfosec train
 
PPTX
Cybersecurity Priorities and Roadmap: Recommendations to DHS
byJohn Gilligan
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PDF
NIST Cybersecurity Framework 101
byErick Kish, U.S. Commercial Service
 
PDF
Combined MITRE Presentation.pdf
byMukeshKr19
 
PPTX
Secure SDLC Framework
byRishi Kant
 
PDF
Industrial Security.pdf
byAhmedRKhan
 
Fortinet Corporate Overview Deck.pptx
byArianeSpano
 
CISSP Exam Practice Questions Domain 1 to 4.pdf
byinfosec train
 
Cybersecurity Priorities and Roadmap: Recommendations to DHS
byJohn Gilligan
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
NIST Cybersecurity Framework 101
byErick Kish, U.S. Commercial Service
 
Combined MITRE Presentation.pdf
byMukeshKr19
 
Secure SDLC Framework
byRishi Kant
 
Industrial Security.pdf
byAhmedRKhan
 

What's hot

PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
PDF
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
PPTX
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
byDigit Oktavianto
 
PPTX
Understanding the Cyber Security Vendor Landscape
bySounil Yu
 
PDF
PaloAlto Enterprise Security Solution
byPrime Infoserv
 
PPTX
mobile application security
by-jyothish kumar sirigidi
 
PPTX
Cyber Defense Matrix: Reloaded
bySounil Yu
 
PPTX
Zscaler ThreatLabz dissects the latest SSL security attacks
byZscaler
 
PPTX
IoT - Attacks and Solutions
byUlf Mattsson
 
PDF
Building a Security Operations Center (SOC).pdf
byTapOffice
 
PPTX
cyber security
byabithajayavel
 
PDF
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
byEdureka!
 
PPTX
Endpoint Security Pres.pptx
byNBBNOC
 
PPT
Networking and penetration testing
byMohit Belwal
 
PDF
Microsoft Zero Trust
byDavid J Rosenthal
 
PPT
Introduction To OWASP
byMarco Morana
 
PPTX
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
byJim Gilsinn
 
PDF
Cloud security
byBikashPokharel3
 
PPTX
Penetration testing reporting and methodology
byRashad Aliyev
 
PPTX
SOC Cyber Security
bySteppa Cyber Security
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
byDigit Oktavianto
 
Understanding the Cyber Security Vendor Landscape
bySounil Yu
 
PaloAlto Enterprise Security Solution
byPrime Infoserv
 
mobile application security
by-jyothish kumar sirigidi
 
Cyber Defense Matrix: Reloaded
bySounil Yu
 
Zscaler ThreatLabz dissects the latest SSL security attacks
byZscaler
 
IoT - Attacks and Solutions
byUlf Mattsson
 
Building a Security Operations Center (SOC).pdf
byTapOffice
 
cyber security
byabithajayavel
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
byEdureka!
 
Endpoint Security Pres.pptx
byNBBNOC
 
Networking and penetration testing
byMohit Belwal
 
Microsoft Zero Trust
byDavid J Rosenthal
 
Introduction To OWASP
byMarco Morana
 
Evaluating System-Level Cyber Security vs. ANSI/ISA-62443-3-3
byJim Gilsinn
 
Cloud security
byBikashPokharel3
 
Penetration testing reporting and methodology
byRashad Aliyev
 
SOC Cyber Security
bySteppa Cyber Security
 

Similar to Fortify-Application_Security_Foundation_Training.pptx

PDF
How to Improve Software Security in 2026.pdf
byflufftailshop
 
PPTX
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
bylior mazor
 
PDF
How to Improve Software Security in 2026
bykalichargn70th171
 
PDF
The Future of Software Security Assurance
byRafal Los
 
PPTX
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
PDF
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
byDraup3
 
PDF
The Evolution of Cybersecurity in Software Development for 2025
byScalaCode
 
PDF
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
PPTX
Aligning Application Security to Compliance
bySecurity Innovation
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PDF
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
byDenim Group
 
PPTX
Turning security into code by Jeff Williams
byDevSecCon
 
PPTX
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
PPTX
Digital Product Security
bySoftServe
 
PPTX
DevSecOps without DevOps is Just Security
byKevin Fealey
 
PPTX
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
bylior mazor
 
PPTX
The New Security Practitioner
byAdrian Sanabria
 
PDF
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
byVMware Tanzu
 
PDF
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
bySynopsys Software Integrity Group
 
How to Improve Software Security in 2026.pdf
byflufftailshop
 
Best Practices for a Mature Application Security Program Webinar - February 2016
bySecurity Innovation
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
bylior mazor
 
How to Improve Software Security in 2026
bykalichargn70th171
 
The Future of Software Security Assurance
byRafal Los
 
Forget cyber, it's all about AppSec
byAdrien de Beaupre
 
Securing the Digital Frontier - An Analysis of Cybersecurity Landscape and Tr...
byDraup3
 
The Evolution of Cybersecurity in Software Development for 2025
byScalaCode
 
Cyber Risk Management in 2017: Challenges & Recommendations
byUlf Mattsson
 
Aligning Application Security to Compliance
bySecurity Innovation
 
AppSec in an Agile World
byDavid Lindner
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
byDenim Group
 
Turning security into code by Jeff Williams
byDevSecCon
 
Cloud, DevOps and the New Security Practitioner
byAdrian Sanabria
 
Digital Product Security
bySoftServe
 
DevSecOps without DevOps is Just Security
byKevin Fealey
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
bylior mazor
 
The New Security Practitioner
byAdrian Sanabria
 
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
byVMware Tanzu
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
bySynopsys Software Integrity Group
 

Recently uploaded

PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
apidays New York 2025 | AI in Application Security
byapidays
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
final.pdf
byomarbishtawi04
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 

Fortify-Application_Security_Foundation_Training.pptx

  • 1.
    Application Security Foundation Training,L200 You can: Download the presentation. View slide notes.
  • 2.
    Introduction to theSales Enablement Curriculum Where does this Session fit within the learning path? 100 L100 CyberRes Business Overview L110 CyberRes Partner Ecosystem L140 CyberRes Discovery L160 CyberRes Competitive Overview L170 CyberRes Enterprise Licensing L200 Identity & Access Management Foundation L200 Data Privacy and Protection Foundation L200 Security Operations Foundation L200 Application Security Foundation L200 Application Security Foundation
  • 3.
    1 Market Observations CustomerChallenges Key Trends, Primary Use Cases, and Stakeholders Priority Fortify Portfolio Overview and Business Value Customer Success Market Insights – Competition 2 3 4 5 6 About This Course Things You’ll Learn
  • 4.
  • 5.
    Market Observations v There isan ever-increasing shortage of skilled security staff, which dilutes security best practices. Organizations worldwide are facing sophisticated ransomware, deeply embedded vulnerabilities, and attacks on the digital supply chain. The COVID-19 pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise.
  • 6.
    Financial Impacts ofSecurity Breaches Average total cost and frequency of data breaches by initial attack vector Source: Cost of a data breach report 2021 by Ponemon Institute and IBM
  • 7.
    Top Security andRisk Management Trends for 2022 New responses to sophisticated threats Digital Supply Chain Risk Cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021 Attack Surface Expansion Risks associated with the use of cyber- physical systems and IoT, open-source code, cloud applications, and more have made organizations’ exposed surfaces outside of a set of controllable assets Identity Threat Detection and Response Organizations have spent considerable effort improving user authentication, which increases the attack surface. Credential misuse is now a primary attack vector. The evolution and reframing of the security practice Distributing Decisions The CISO role has moved from a technical subject matter expert to that of an executive risk manager,” said Firstbrook. CISOs must reconceptualize their responsibility matrix to empower Boards of Directors, CEOs and other business leaders to make their own informed risk decisions.” Beyond Awareness Human error continues to be a factor in many data breaches, demonstrating that traditional approaches to security awareness training are ineffective. Progressive organizations are investing in holistic security behavior and culture programs (SBCPs), rather than outdated compliance-centric security awareness campaigns. The consolidation of security products Vendor Consolidation Security technology convergence is accelerating, driven by the need to reduce complexity, reduce administration overhead and increase effectiveness. This consolidation will lower total cost of ownership and improve operational efficiency in the long term, leading to better overall security. Cybersecurity Mesh The security product consolidation trend is driving integration of security architecture components. However, there is still a need to define consistent security policies, enable workflows and exchange data between consolidated solutions. A cybersecurity mesh architecture (CSMA) helps provide a common, integrated security structure and posture to secure all assets, whether they’re on-premises, in data centers or in the cloud. https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for- 2022
  • 8.
  • 9.
    Attackers Move fromInfrastructure Level to App Level Application layer attacks are perceived as normal traffic and pass-through network, perimeter, data, and endpoint security systems. Application security • Not mature; lack of developer training • Growing attack surface: more applications, more connected to the Internet • Accelerating releases reduces time available for security Application Security Security Functionality Identity & Access Management Network & Perimeter Avoiding bypassing Application level Infrastructure level Controlled access * Security functionality testing is different from application security testing. Infrastructure security • Highly mature • Substantial investments in place • Systems are more secure out-of-the-box than ever
  • 10.
    Security Is OftenLeft Out Why? • Need for Speed Developers have to deliver functional code fast – anything else is friction. • Digital Transformation 82% of CIOs say they have implemented new technologies, IT strategies, and/or methodologies due to the COVID-19 pandemic*. • More Volume Because of the volume of apps being pushed into production, security is not the focus of DevOps. * IDG 2021 State of the CIO Report
  • 11.
    Customers Need Help! TrainingDevelopers around Security Testing • Engage developers early in the testing process • Make it easy for developers to initiate security scans on the code • Prioritize security alerts to drive productivity of developers People Third-Party and Open-Source Vulnerabilities • As much as 90% of applications use open- source software and libraries while they are available under GNU general public license. Inherited Vulnerabilities • Blindly using code previously written by someone else is a huge risk. You cannot know what security measures had been taken; the code might contain many weaknesses and omissions. • By reusing old code or legacy applications, without adequate security testing or validating the health of the project can lead to vulnerabilities getting embedded in the new application . This is known as technical debt. • Open-source modules might have security defects or known vulnerabilities, which could lead to software supply chain attacks. Process Technology Maturing DevSecOps Many customers are still in their early phases of adopting an integrated approach. • They lack an understanding of the impact of not remediating vulnerabilities early in the development cycle. • Involve developers to shift security left in the development cycle. • Break Silo’s through a centralized reporting and monitoring solution for found vulnerabilities
  • 12.
  • 13.
    Application Security KeyTrends 2022 Shift left Cloud Transformation AppSec Maturity OpenSource Risk Securing the Software Supply Chain Supply chains have many blind spots or cracks that attackers can take advantage of, resulting in increased severity and frequency of attacks. AppSec Orchestration and Correlation • AppSec orchestration and correlation has increasingly become a hot topic in the industry, with many benefits and challenges Next Generation DAST • We are starting to see developer-driven DAST testing expand, extending the use of DAST beyond the hands of AppSec/QA and fully within the Dev CI/CD automation pipelines Machine Learning and AI are key to the next evolution of automation Companies who use automation are twice as likely to implement security testing, in addition, there are numerous use cases for machine learning advancements Cloud-Native AppSec • With the broad IT industry trend towards the cloud, a modern software stack includes many cloud-native elements of the architecture. • As a result, the demarcation between AppSec and InfraSec is becoming blurred API security needs are growing ever larger • APIs are the most rapidly growing attack surface, but still aren´t widely understood and are often overlooked by developers and AppSec managers AppSec Is evolving from Shift-Left to Shift Everywhere • Test early is now test everywhere and often! • There is no one-size fits all, but finding the right tools for right job, at the right time. • It´s all about defense in depth.
  • 14.
    Stakeholder Priorities Henk Visscher ChiefInformation Security Officer (CISO) Anika Bendali DevOps Manager (DevOps) . Julia Zanberch Application Security Manager (AppSec) Troy Michanna Product Owner (DevLead) Protect the organization’s brand, information, applications, and infrastructure. Cost optimization for security and risk. Manager with a technical background, responsible for developer tooling and overall CI/CD pipeline lights on operation Identify, track, and reduce application security risks across the applications catalog. Release schedules and deadlines; ensures applications are secure before releasing to production.
  • 15.
  • 16.
  • 17.
    Why Fortify ? AppSecon demand Application Security-as-a-Service with security testing and vulnerability management gets you started with minimal skilled resources. High-quality AppSec With Fortify, you don’t need to trade quality of results for speed in order to scale up your DevSecOps processes. Industry-leading research Our research supports 1,224 vulnerability categories across 30+ languages and over 1 million APIs to improve threat detection. Protect your software Software resilience from a partner you can trust Detect risk Focus on whats matters with accurate, through results. Evolve your AppSec A holistic, scalable platform that supports your needs Benefits
  • 18.
    What we do– Enable Secure Code Development Find and fix security vulnerabilities with fast and accurate results, whether the application is built in-house, by a third party, or using open- source libraries. Automatically identify and tune out false positives with machine learning. Fix known issues with minimal developer friction. Flexibility in testing application security on- premises, hosted, or delivered as a SaaS managed service. Cloud SDK’s to support cloud DevOps integration ad testing cloud microservices Fortify offers end-to-end application security solutions, including integration with the developer (IDE) as well as the DevOps tool chain (CI/CD). Fortify is named #1 for Enterprise by Gartner (Critical Capabilities report), including its machine learning capabilities. Fortify customers benefit from a holistic, inclusive, and extensible platform that uses a single taxonomy and provides building blocks to mature your software security assurance efforts.
  • 19.
    aka “Check theBox” aka “Stage Gate” aka “Shift Left” aka ”Speed vs Cost” ERA OF COMPLIANCE 2001 - 2008 ERA OF THREAT MANAGEMENT 2008 - 2014 ERA OF DX TRANSFORM 2014 - 2020 ERA OF GROWTH 2021+ COMPLY DE-RISK ENABLE RESILIENT 2020 COVID DRIVING DX 2008 + MAJOR CYBERATTACKS 2001 SOX AppSec’s Journey Toward Cyber Resilience Then, now, and in the future
  • 20.
  • 21.
    Fortify Product Offerings Flexibleoffering for Modern Development  Static Code Analyzer: Analyzes source code for security vulnerabilities to enable Static Application Security Testing (SAST).  Software Composition Analysis (SCA): Scans open-source components for vulnerabilities, either using Debricked (SaaS) or through our partnership with Sonatype (on-premises).  WebInspect: Analyzes applications in their running state and simulates attacks to find vulnerabilities to enable Dynamic Application Security Testing (DAST).  Software Security Center (SSC): Holistic application security platform included with on- premises or hosted solutions to centralize the visibility of application security risks  Fortify on Demand (FoD): AppSec as a managed service that includes SAST, DAST, SCA, and MAST capabilities and managed by CyberRes security analysts.  Fortify Hosted: SaaS-based offering deployed in the cloud with managed infrastructure deployment and support. Solutions that Align with DevSecOps Success Integration Automation Speed Backed by the Market-Leading Software Security Research Team 1,244 Vulnerability Categories | 30 Programming Languages | 1M+ Individual APIs
  • 22.
    Enterprise-level security ateach stage of development Strong integration with industry-leading tools Fortify Embodies DevSecOps
  • 23.
  • 24.
  • 25.
    The world’s leadingenterprises entrust their AppSec needs to Fortify 9 out of 10 of the largest information technology companies 5 out of 5 of the largest telecommunication companies 9 out of 10 of the largest banks 4 out of 5 of the largest pharmaceutical companies 3 out of 3 of the largest independent software vendors Federal Strongest AppSec solution provider in Federal space (FedRAMP Certified) "Micro Focus Fortify really addresses the needs of the developers. It makes sense to them.“ - Damien Suggs, AppSec Director “This is a partnership to drive AppSec modernization with Fortify on Demand to deliver actionable, data driven results.” - Rajan Gupta, VP, Product Security
  • 26.
    Fortify Has aContinued Leadership Position in the Market Fortify Key Competitive Differentiation Maturity at Scale Fortify is a good fit for enterprises with complex application projects and AST users with experience and advanced requirements. Shift-Left Security Fortify Security Assistant is a real-time security checker that operates in the IDE. It is not a replacement for a comprehensive SAST scan, but can provide a lightweight automatic check for developer security mistakes as the developer codes. Fewer False Positives The Fortify Audit Assistant feature has been extended to allow teams the flexibility to either manually review artificial intelligence (AI) predictions on issues or to opt in to “automatic predictions,” which support completely in-band automated triaging of This contributes to reducing false positives. Enterprise DAST Micro Focus provides DAST that is able to address many of the challenges with modern applications, such as scanning client-side vulnerabilities or support for 2FA, among other things. Leader in Application Security Testing 1 2 3 4
  • 27.
    But don’t takeour word for it…
  • 28.
  • 29.
    Application Security TestingMarket Size and Growth Market Drivers • Increasing investment in AppSec aligned with risk of breaches. • Emergence of DevSecOps: Security becoming a critical component of DevOps, on-premises or in the cloud. • Open Source: Significant % of production application has OSS code, leading to software supply chain risks. • Developer-Lead: Developers are both users and a source for insider threats, which requires zero trust in the SDLC. • Shift Left: Faster time to vuln identification and fix, driven by DevOps and the cost impact of remediation if done during production. Source: Forrester Analytics: Application Security Solutions Forecast, 2017 to 2023 (Global) F = Forecast 2018 (F) 2023 (F) Market Size Forecast 2017 to 2023 (Global) $3.3B $7.1B Static Application Security Testing (SAST)* Dynamic Application Security Testing (DAST)* Software Composition Analysis (SCA)* Interactive Application Security Testing (IAST)* Security Scanning Tools Web Application Firewall (WAF) Bot Management Runtime Application Self-protection (RASP) Runtime Protection Tools *Fortify’s currently served market segments
  • 30.
  • 31.
    Strengthen Your CyberResilience CyberRes at a Glance Protect. Protect across your identities, applications, and data. Detect. Detect, respond, and recover from advanced threats. Evolve. Evolve your security posture at the speed of change. Data Privacy and Protection Identity and Access Management Application Security Security Operations Identities Data Applications
  • 32.
    Summary • Important Points •Congratulations • Before You Leave • Thank You
  • 33.
    Top 4 Pointsfor Learners to Remember 1 2 3 Application Security is a growing market Every customer is a potential prospects for Application Security needs Fortify is a leader in the Application Security market 4 Fortify offers a Full Spectrum solution for SCA, SAST, DAST and MAST
  • 34.
    What’s next? Congratulations! You completedthe course. But this is not the end … Stay tuned for Application Security Solutions & Capabilities Training, L210 Download any course attachments for future study!
  • 35.
    Thank You. www.cyberres.com 35 For customerfacing material, visit Sales Enablement Central: https://se.microfocus.com/en-us/cyberres Make sure to fill out your survey after the course!
  • 36.
    36 Before You Leave. . . 1 Exit from full screen mode (if used). 2 Close the window containing the presentation. 3 Close any intermediate screens. 4 When you return to the course page in SABA, it should say “Completed.” 5 Close the browser.