© 2017 IBM & Denim Group – All Rights Reserved
How to Integrate AppSec Testing into Your DevOps Program
Dan Cornell, Denim Group
Michael Smith, IBM Security
Alexei Pivkine, IBM Security
Agenda
• AppSec & DevOps
• Turning Concepts Into Reality
• Demo
• Q&A Session
Application Security and DevOps

DevOps Is Here

Some Security Teams Will Adapt (& Others Will Not)

Use This Transition to Your Advantage

Move Security to the Left and Obtain Buy-In

Better Security Insight, More Often
What Do Application Security Auditors Want?
• Reduce Risk Exposure
• Introduce Fewer Vulnerabilities
• Find Vulnerabilities Early
• Fix Vulnerabilities Quickly
What Do DevOps Teams Want?

How Do We Make This a Reality?

Application Security Testing in CI/CD Pipelines
Testing Tradeoffs
• Coverage vs. Speed
• Depth vs. Ease of understanding
• False negatives vs. False positives
Focus for CI/CD Testing
• Tune to find important vulnerabilities
  • Focus on high-risk issues (high-severity & easy to exploit)
• Tune to avoid false positives
  • False positives erode the trust of development teams
  • Even at the risk of false negatives
• Tune to run quickly
  • Focus on areas of the application that were changed
• Pair this with a multi-layered scan approach
  • Run a broader security scan outside of the CI/CD pipeline on a recurring basis (e.g. nightly, weekly) to catch any important issues that might have been missed
  • Similar to regression tests in functional testing
Decision-Making Factors
Should we fail the build or block the release?
Reporting & Remediation
• Leverage existing tools, such as defect tracking systems (e.g. JIRA)
• Provide developers with interactive issue information
• Establish remediation SLAs & follow up on issues that are overdue
• Avoid using these…
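The three slides above (tuning the pipeline scan for high-severity, easy-to-exploit issues, the fail-the-build decision, and remediation SLAs tracked in a defect tracker) as one added example that is not from the deck and not code from AppScan Enterprise or ThreadFix: a small Python pipeline gate run over constructed findings. The finding layout, severity/exploitability thresholds, SLA values, sample findings and changed-path list are all assumptions.

```python
"""Pipeline security gate: apply the deck's CI/CD testing policy to scan findings.

Added example, not code from the deck, AppScan Enterprise or ThreadFix. The finding
layout, thresholds, SLA values and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Finding:
    """One normalised scanner finding (assumed layout, not a real scanner's)."""
    finding_id: str
    name: str
    severity: str        # "critical" | "high" | "medium" | "low"
    exploitability: str  # "easy" | "moderate" | "hard"
    path: str            # URL path the DAST scan raised the issue against
    first_seen: date     # date the finding first appeared in any scan


@dataclass(frozen=True)
class GatePolicy:
    """Fail the build only for high-risk findings; everything else gets a ticket."""
    # "high-risk" per the deck: high severity AND easy to exploit
    block_severities: FrozenSet[str] = frozenset({"critical", "high"})
    block_exploitability: FrozenSet[str] = frozenset({"easy"})
    # remediation SLAs in days by severity (assumed values)
    sla_days: Dict[str, int] = field(
        default_factory=lambda: {"critical": 7, "high": 30, "medium": 90, "low": 180}
    )


def in_changed_area(finding: Finding, changed_prefixes: List[str]) -> bool:
    """The quick pipeline scan only judges paths touched by this change."""
    return any(finding.path.startswith(prefix) for prefix in changed_prefixes)


def blocks_build(finding: Finding, policy: GatePolicy) -> bool:
    """High-severity AND easy-to-exploit is the only class that stops the pipeline.

    Anything less certain is deliberately let through (accepting false negatives)
    so that the gate does not erode developers' trust with noisy failures.
    """
    return (finding.severity in policy.block_severities
            and finding.exploitability in policy.block_exploitability)


def evaluate(findings: List[Finding], changed_prefixes: List[str],
             policy: GatePolicy, today: date) -> dict:
    """Return the gate decision, the tickets to file and the findings deferred."""
    result = {"fail_build": False, "blocking": [], "tickets": [], "deferred": []}
    for f in findings:
        if not in_changed_area(f, changed_prefixes):
            # Outside the change set: left for the broader nightly/weekly scan.
            result["deferred"].append(f.finding_id)
            continue
        if blocks_build(f, policy):
            result["fail_build"] = True
            result["blocking"].append(f.finding_id)
            continue
        # Non-blocking finding: file (or update) a defect-tracker ticket with an SLA.
        due = f.first_seen + timedelta(days=policy.sla_days[f.severity])
        result["tickets"].append({
            "id": f.finding_id,
            "title": f"[{f.severity}] {f.name} at {f.path}",
            "due": due.isoformat(),
            "overdue": today > due,
        })
    return result


# Constructed sample findings, as a normalised scanner export might contain.
SAMPLE_FINDINGS = [
    Finding("F-1", "Reflected cross-site scripting", "high", "easy",
            "/account/profile", date(2017, 5, 1)),
    Finding("F-2", "Verbose server version header", "low", "easy",
            "/account/", date(2017, 1, 10)),
    Finding("F-3", "Missing HSTS header", "medium", "hard",
            "/account/login", date(2017, 1, 10)),
    Finding("F-4", "SQL injection", "critical", "easy",
            "/reports/export", date(2017, 5, 1)),
]
CHANGED_PREFIXES = ["/account/"]  # paths touched by the commit under test


def run_demo() -> dict:
    """Gate the sample change as of a fixed date so the result is reproducible."""
    return evaluate(SAMPLE_FINDINGS, CHANGED_PREFIXES, GatePolicy(), date(2017, 5, 2))


if __name__ == "__main__":
    outcome = run_demo()
    print("FAIL BUILD" if outcome["fail_build"] else "PASS", outcome["blocking"])
    for ticket in outcome["tickets"]:
        print("ticket:", ticket["title"], "due", ticket["due"],
              "OVERDUE" if ticket["overdue"] else "")
    print("deferred to nightly scan:", outcome["deferred"])
```

In the sample run only the reflected XSS in the changed area fails the build; the two lower-risk findings in that area become SLA-tracked tickets (one already overdue), and the SQL injection outside the change set is deferred to the broader scheduled scan rather than silently dropped.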
Turning concepts into reality
IBM Security AppScan Enterprise overview
• Highly-scalable Dynamic Analysis Security Testing (DAST) for web apps & web services
• Find highest-risk application security issues quickly & easily!
• Seamless integration into DevOps pipeline, via proven DAST automation capabilities
IBM AppScan Enterprise overview
• Works over HTTP(S) like a “hacker-in-a-box”
• Leverages existing functional tests in order to focus on the changes and enable good coverage and fast scanning
• Provides a comprehensive set of REST APIs to fully automate DAST scans and enable product integrations
Steps of a DAST Scan
Configure → Explore → Test → Results

Configure: Create a scan from a small set of pre-defined templates based on application risk, test policies, etc.
Explore: Spider through the application, by manual explore or automatic explore. AppScan captures HTTP traffic generated by functional tests via a custom proxy and then uses that traffic as training data for the security scan. Manual explore enables quick & focused scans; automatic explore allows for broad & comprehensive scans.
Test: Scan time will depend on the size of the test policy and the web pages/services to be scanned.
Results: AppScan Enterprise provides a web UI & a comprehensive set of REST APIs and enables flexible reporting and remediation options.
DAST in the SDLC
• The goals of bringing DAST into the SDLC are very different from those of traditional DAST analysis performed by the security team.
• The key focus is on catching the highest-priority issues and getting them fixed quickly and with minimal overhead.
• AppScan Enterprise DAST within the SDLC is complementary to anything and everything the security team is already doing with DAST.
DAST Automation
• DAST scans can be fully automated and provide good scan coverage and result sets at the same time.
• IBM AppScan Enterprise scans can be created and configured either manually or fully automated. The more automated the other functional testing and the overall process already are, the more automated DAST security scans can be.
• Layered scans are usually the best way to balance coverage/findings, frequency of scans and ease of use.
  • Quick, frequent scans look for critical easy-to-find issues, running nightly or even multiple times a day.
  • They are combined with less frequent, deeper scans, perhaps even with some manual validation. These types of scans can happen once a week, once a sprint, at QA time, etc.
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using

Create a consolidated view of your applications and vulnerabilities

Application Portfolio Tracking

Prioritize application risk decisions based on data

Vulnerability Prioritization

Translate vulnerabilities to developers in tools they are already using

Defect Tracker Integration
Demo: AppScan Enterprise and ThreadFix
Where Does CI/CD Testing Fit?
• A comprehensive application security program is more than CI/CD testing
• CI/CD testing: Find & fix high-risk, easy-to-find vulnerabilities quickly
• Full programs include:
  • Multi-layered automated testing – dynamic & static
  • Manual assessments and code review
  • Threat modeling
Additional Resources
• IBMer Eitan Worcel’s DevOps blog: https://www.linkedin.com/pulse/application-security-devops-3-key-success-factors-eitan-worcel
• ThreadFix overview: https://www.threadfix.it/
• DAST in the SDLC blog: https://securityintelligence.com/application-security-testing-resurgence-of-dast-for-sdlc-integration-and-scan-automation/
• Effective Application Security Testing in DevOps Pipelines: https://www.denimgroup.com/resources/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
• Alexei Pivkine (IBM Application Security): apivkine@ca.ibm.com
• Dan Cornell (Denim Group): dan@denimgroup.com
Q&A Session
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 

How to Integrate AppSec Testing into your DevOps Program

Slide transcript
© 2017 IBM & Denim Group – All Rights Reserved

1. How to Integrate AppSec Testing into Your DevOps Program
   Dan Cornell, Denim Group; Michael Smith, IBM Security; Alexei Pivkine, IBM Security
2. Agenda
   • AppSec & DevOps
   • Turning Concepts Into Reality
   • Demo
   • Q&A Session
3. Application Security and DevOps
4. DevOps Is Here
5. Some Security Teams Will Adapt (& Others Will Not)
6. Use This Transition to Your Advantage
7. Move Security to the Left and Obtain Buy-In
8. Better Security Insight, More Often
9. What Do Application Security Auditors Want?
   • Reduce Risk Exposure
   • Introduce Fewer Vulnerabilities
   • Find Vulnerabilities Early
   • Fix Vulnerabilities Quickly
10. What Do DevOps Teams Want?
11. How Do We Make This a Reality?
12. Application Security Testing in CI/CD Pipelines
13. Testing Tradeoffs
   • Coverage vs. Speed
   • Depth vs. Ease of understanding
   • False negatives vs. False positives
14. Focus for CI/CD Testing
   • Tune to find important vulnerabilities
     • Focus on high-risk issues (high-severity & easy to exploit)
   • Tune to avoid false positives
     • False positives erode the trust of development teams
     • Even at the risk of false negatives
   • Tune to run quickly
     • Focus on areas of the application that were changed
   • Pair this with a multi-layered scan approach
     • Run a broader security scan outside of the CI/CD pipeline on a recurring basis (e.g. nightly, weekly) to catch any important issues that might have been missed
     • Similar to regression tests in functional testing
15. Decision-Making Factors
   Should we fail the build or block the release?
16. Reporting & Remediation
   • Leverage existing tools, such as defect tracking systems (e.g. JIRA)
   • Provide developers with interactive issue information
   • Establish remediation SLAs & follow up on issues that are overdue
   • Avoid using these…
17. Turning concepts into reality
18. IBM Security AppScan Enterprise overview
   • Highly scalable Dynamic Analysis Security Testing (DAST) for web apps & web services
   • Find the highest-risk application security issues quickly & easily!
   • Seamless integration into the DevOps pipeline via proven DAST automation capabilities
19. IBM AppScan Enterprise overview
   • Works over HTTP(S) like a “hacker-in-a-box”
   • Leverages existing functional tests in order to focus on the changes and enable good coverage and fast scanning
   • Provides a comprehensive set of REST APIs to fully automate DAST scans and enable product integrations
20. Steps of a DAST Scan
   • Configure: create a scan from a small set of pre-defined templates based on… application risk, test policies, etc.
   • Explore: spider through the application. Manual explore: AppScan captures HTTP traffic generated by functional tests via a custom proxy and then uses that traffic as training data for the security scan; it enables quick & focused scans. Automatic explore allows for broad & comprehensive scans.
   • Test: scan time will depend on the size of the test policy and the web pages/services to be scanned.
   • Results: AppScan Enterprise provides a web UI & a comprehensive set of REST APIs and enables flexible reporting and remediation options.
21. DAST in the SDLC
   • The goals of bringing DAST into the SDLC are very different from those of the traditional DAST analysis performed by the security team.
   • The key focus is on catching the highest-priority issues and getting them fixed quickly and with minimal overhead.
   • AppScan Enterprise DAST within the SDLC is complementary to anything and everything the security team is already doing with DAST.
22. DAST Automation
   • DAST scans can be fully automated and still provide good scan coverage and result sets.
   • IBM AppScan Enterprise scans can be created and configured either manually or fully automatically. The more automated the other functional testing and the overall process already are, the more automated DAST security scans can be.
   • Layered scans are usually the best way to balance coverage/findings, frequency of scans and ease of use.
     • Quick, frequent scans look for critical, easy-to-find issues, running nightly or even multiple times a day.
     • They are combined with less frequent, deeper scans, perhaps even with some manual validation. These scans can happen once a week, once a sprint, at QA time, etc.
23. ThreadFix Overview
   • Create a consolidated view of your applications and vulnerabilities
   • Prioritize application risk decisions based on data
   • Translate vulnerabilities to developers in the tools they are already using
24. ThreadFix Overview
25. Create a consolidated view of your applications and vulnerabilities
26. Application Portfolio Tracking
27. Prioritize application risk decisions based on data
28. Vulnerability Prioritization
29. Translate vulnerabilities to developers in tools they are already using
30. Defect Tracker Integration
31. AppScan Enterprise ThreadFix Demo
32. Where Does CI/CD Testing Fit?
   • A comprehensive application security program is more than CI/CD testing
   • CI/CD testing: find & fix high-risk, easy-to-find vulnerabilities quickly
   • Full programs include:
     • Multi-layered automated testing – dynamic & static
     • Manual assessments and code review
     • Threat modeling
33. Additional Resources
   • IBMer Eitan Worcel’s DevOps blog: https://www.linkedin.com/pulse/application-security-devops-3-key-success-factors-eitan-worcel
   • ThreadFix overview: https://www.threadfix.it/
   • DAST in the SDLC blog: https://securityintelligence.com/application-security-testing-resurgence-of-dast-for-sdlc-integration-and-scan-automation/
   • Effective Application Security Testing in DevOps Pipelines: https://www.denimgroup.com/resources/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
   • Alexei Pivkine (IBM Application Security): apivkine@ca.ibm.com
   • Dan Cornell (Denim Group): dan@denimgroup.com
34. Q&A Session
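The deck's tuning rules for pipeline testing (slide 14: high-severity and easy-to-exploit first, suppress doubtful results even at the cost of false negatives, look only at changed code; slide 15: fail the build or not; slide 16: ticket with remediation SLAs; slide 22: a quick CI layer paired with a broader recurring scan) expressed as a build-gate policy. This is an added example and not code from the deck, IBM or Denim Group: the `Finding` schema, the `SLA_DAYS` table, the two modes `ci` and `nightly`, and the sample findings are all constructed for illustration, so they will not match any real scanner's export format.

```python
# Added example (not from the IBM/Denim Group deck): a CI/CD gate policy that
# applies the deck's tuning advice to a list of scanner findings.
# Assumptions: the Finding schema, the SLA_DAYS table and the sample findings
# are constructed for this example; real scanner exports look different.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    """Minimal scanner finding (assumed schema)."""
    id: str
    title: str
    severity: str       # "critical" | "high" | "medium" | "low"
    confidence: str     # "high" | "medium" | "low": how sure the scanner is
    easy_to_exploit: bool
    location: str       # file or route the finding was reported against


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}
# Constructed remediation SLAs in days per severity (assumption, not from the deck).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class GateDecision:
    fail_build: bool = False
    blocking: list = field(default_factory=list)    # finding ids that fail the build
    ticketed: list = field(default_factory=list)    # dicts: id, severity, due (ISO date)
    suppressed: list = field(default_factory=list)  # (finding id, reason)


def in_changed_scope(location: str, changed_paths: Iterable[str]) -> bool:
    """True if the finding sits under a path touched by the change under test."""
    for p in changed_paths:
        prefix = p.rstrip("/") + "/"
        if location == p or location.startswith(prefix):
            return True
    return False


def gate(findings, changed_paths, mode="ci", today=date(2017, 6, 1)) -> GateDecision:
    """Apply the layered policy.

    mode="ci": fast, narrow and conservative, as the deck recommends for the pipeline:
      only findings in changed code, only high-confidence results (accepting some
      false negatives), and the build fails only on high/critical + easy-to-exploit.
    mode="nightly": the broader recurring scan: all code, medium confidence or better,
      nothing fails a build; everything surfaced becomes a tracked ticket with an SLA.
    """
    if mode not in ("ci", "nightly"):
        raise ValueError("mode must be 'ci' or 'nightly'")
    min_confidence = CONFIDENCE_RANK["high"] if mode == "ci" else CONFIDENCE_RANK["medium"]
    decision = GateDecision()
    for f in findings:
        if mode == "ci" and not in_changed_scope(f.location, changed_paths):
            decision.suppressed.append((f.id, "outside changed scope"))
            continue
        if CONFIDENCE_RANK[f.confidence] < min_confidence:
            decision.suppressed.append((f.id, "below confidence threshold"))
            continue
        if (mode == "ci" and f.easy_to_exploit
                and SEVERITY_RANK[f.severity] >= SEVERITY_RANK["high"]):
            decision.blocking.append(f.id)
            decision.fail_build = True
        # Every surfaced finding is tracked to closure with an SLA, blocking or not.
        due = today + timedelta(days=SLA_DAYS[f.severity])
        decision.ticketed.append({"id": f.id, "severity": f.severity, "due": due.isoformat()})
    return decision


def sample_findings():
    """Constructed sample scan output (not real scanner data)."""
    return [
        Finding("F-1", "SQL injection in orders API", "critical", "high", True, "src/api/orders.py"),
        Finding("F-2", "Reflected XSS in search page", "high", "high", True, "src/web/search.py"),
        Finding("F-3", "Session cookie lacks HttpOnly", "low", "high", False, "src/api/session.py"),
        Finding("F-4", "Possible open redirect", "high", "low", True, "src/api/auth.py"),
        Finding("F-5", "Verbose error page", "medium", "medium", False, "src/api/errors.py"),
    ]


CHANGED_PATHS = ["src/api/"]   # constructed: the commit under test touched only the API


def run_ci() -> GateDecision:
    return gate(sample_findings(), CHANGED_PATHS, mode="ci")


def run_nightly() -> GateDecision:
    return gate(sample_findings(), CHANGED_PATHS, mode="nightly")


if __name__ == "__main__":
    for name, d in (("ci", run_ci()), ("nightly", run_nightly())):
        print(f"[{name}] fail_build={d.fail_build} blocking={d.blocking}")
        for t in d.ticketed:
            print(f"  ticket {t['id']} ({t['severity']}) due {t['due']}")
        for fid, why in d.suppressed:
            print(f"  suppressed {fid}: {why}")
```

With the constructed input, the CI run fails the build on F-1 alone, tickets F-1 and F-3, and sets aside the out-of-scope XSS and the two lower-confidence results; the nightly run picks up the XSS and the medium-confidence finding as tickets without failing anything. The two suppression reasons are recorded deliberately: what the pipeline gate chose not to show developers is exactly what the broader recurring scan must cover.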