SlideShare a Scribd company logo

Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD

Synopsys Software Integrity Group
Synopsys Software Integrity Group

At the Synopsys Security Event - Israel, Ofer Mao, Director of Solutions Management reviews how to make application security testing work in a CI/CD envirronment. For more information, please visit us at www.synopsys.com/software

Software
1 of 24
Download to read offline
© 2017 Synopsys, Inc. 1 Making AppSec Testing Work in CI/CD! Ofer Maor, Director, Solutions Management @OferMaor linkedin.com/in/ofermaor Ofer @ synopsys.com
© 2017 Synopsys, Inc. 2 Speaker • Solutions Mgmt @ Synopsys • Over 20 years in cyber security • Hacker at heart • Longtime OWASPer • Pioneer of IAST • DevSecOps/DevOpsSec fan! • Avid photographer Marina Bay Gardens, Singapore, February 2018
© 2017 Synopsys, Inc. 3 CI/CD, DevOps, DevSecOps—WHAT?!
© 2017 Synopsys, Inc. 4 CD extreme • Multiple production updates per day • Multiple CI streams • A/B UAT • Parallel testing and deployment • No place for outsiders Source: Wikipedia
© 2017 Synopsys, Inc. 5 CI/CD AST Needs • Speed • Integration • Ease of use • Relevance (accuracy) • Actionability
© 2017 Synopsys, Inc. 6 The *AST landscape
© 2017 Synopsys, Inc. 7 SAST – Static Application Security Testing AKA: Static Code Analysis for Security • Analyzes code to identify vulnerabilities • Most prevalent AST solution today • Challenges –Potential FPs –May require tuning and configuration –Hard for use for security professionals • Offered in various flavors: –Analysis of (uncompiled) source code –Analysis of code & build –Analysis of binary code –Managed Service / Tool / IDE Plugin cond2 *a = bfree(a)*a = bfree(a) cond2 b = 10a = malloc(10) cond1
© 2017 Synopsys, Inc. 8 SAST – Static Application Security Testing AKA: Static Code Analysis for Security • Speed Instant to Hours (by Flavor) • Integration IDE, Build, Binary • Ease of Use Varies. Can be Complex • Relevance Can be overwhelming • Actionability Right on. Points to Line of Code
© 2017 Synopsys, Inc. 9 SAST Flavors • IDE “Spellchecker” Lightweight, Instant • In-IDE Incremental Pre-checkin, Minutes • Integration/Build CI, Minutes to Hours • Binary Analysis Post Build, Hours • Managed Service External, Days
© 2017 Synopsys, Inc. 10 DAST – Dynamic Application Security Testing AKA: Web Application Scanner (Black Box) • Sends HTTP tests to test running application • Longest used AST technology • Challenges –Accuracy of results –Not suited for dev – no code guidance –Performance (long testing times) • Offered in various delivery forms: –On Premise –Cloud –Managed Services –Included in Professional Services ??? ?? Tests ?????
© 2017 Synopsys, Inc. 11 • Speed Hours to Days • Integration Not Really… • Ease of Use Requires some security skills • Relevance Focus on Front end (but some FPs) • Actionability Difficult. DAST – Dynamic Application Security Testing AKA: Web Application Scanner (Black Box)
© 2017 Synopsys, Inc. 12 IAST – Interactive Application Security Testing AKA: Runtime Code Analysis • Runtime code analysis through instrumentation • Youngest AST technology • Challenges –Deployment of agents on tested servers –Requires integration into dev/devops environments –Coverage influences by what’s executed • Comes with various “interpretations” –Inline/Passive IAST (Based on existing traffic) –Active IAST (Including HTTP Inducer) –DAST Add-on Only –RASP Add-on Database Back End Front End HTTP/s DATA WS SQL DATA ODBC IAST
© 2017 Synopsys, Inc. 13 • Speed Instant to Hours (by Flavor) • Integration Test Automation • Ease of Use Easy (once deployed) • Relevance Very relevant. Actual executed LoC •Actionability Right on. Points to Line of Code IAST – Interactive Application Security Testing AKA: Runtime Code Analysis
© 2017 Synopsys, Inc. 14 IAST Flavors • Inline/Passive Lightweight, Instant Integrates with Existing Tests • Active Minutes (Incremental) – Hours Requires dedicated testing
© 2017 Synopsys, Inc. 15 SCA – Software Composition Analysis AKA: Open Source Library Scanning • Searches known open source (and closed source) components in applications • Rapidly growing testing segment • Challenges –Additional technology on top of other *AST –Very broad scope • Offered in different flavors –Binary Analysis for Supply Chain and 3rd Parties –Source Analysis for home grown security and licensing –On-premise / Cloud options
© 2017 Synopsys, Inc. 16 • Speed Minutes to Hours • Integration IDE, Build, Binary • Ease of Use Fairly Easy • Relevance Hard to determine actual impact • Actionability Not always straight forward SCA – Software Composition Analysis AKA: Open Source Library Scanning
© 2017 Synopsys, Inc. 17 The Right Mix – How to Make it Work!
© 2017 Synopsys, Inc. 18 Key Principles •If you can’t beat them, join them! •Automation, automation, automation •Alt-Ctrl, Shift-Left (but not just…) •Multiple technologies, multiple flavors, multiple times! •Parallel processes at parallel speeds •You’re going to have to live with some risk
© 2017 Synopsys, Inc. 19 Making it All Work! •Use instant/passive solutions as much as possible –In-IDE “spell-checker” static analysis –Inline IAST •Define practical policies for hard and soft gates –Hard gates: stop the process –Soft gates: put in motion a correction process •Use layers of testing at different stages
© 2017 Synopsys, Inc. 20 IDE “spell- checker” Incremental IDE SAST Inline IASTIn-IDE SCA Verification DAST Active IAST Full scan SAST Full scan SCA RASP/WAF
© 2017 Synopsys, Inc. 21 Fast vs. Slow •Rely heavily on integrated/fast technologies •Key criteria - “does not get in the way” •Define practical blocking criteria - be realistic •All the rest - in the backlog
© 2017 Synopsys, Inc. 22 Accept A/B testing •Gradual A/B testing is replacing test environments •Manage A/B testing exposure as part of risk management •Use it! A/B testing gives you the best test environment •Create the right “Retro” gates by risk • High: block propagation and roll back • Medium: block propagation until fix is delivered (but don’t roll back) • Low: continue propagation but with a fix following right up
© 2017 Synopsys, Inc. 23 Summary •Software security testing is complex, even more so in CI/CD •Unfortunately, there’s no “one ring to rule them all” •You have to build your *AST workflow and pipeline • Work closely with R&D and DevOps • Use multiple tools and multiple technologies • Work in parallel tracks at parallel speeds • Manage your risk!
© 2017 Synopsys, Inc. 24 Thank you! Questions? @OferMaor linkedin.com/in/ofermaor Ofer @ synopsys.com Water Mill, Napa Valley, May 2018

Recommended

Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Synopsys Software Integrity Group
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in Review
Synopsys Software Integrity Group
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What?
Synopsys Software Integrity Group
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
Black Duck by Synopsys
 

Recommended

Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Synopsys Software Integrity Group
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in Review
Synopsys Software Integrity Group
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What?
Synopsys Software Integrity Group
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
Black Duck by Synopsys
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Synopsys Software Integrity Group
 
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
CA Technologies
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
Kevin Fealey
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
Synopsys Software Integrity Group
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Software Integrity Group
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions
Synopsys Software Integrity Group
 
Application Security in a DevOps World
Application Security in a DevOps WorldApplication Security in a DevOps World
Application Security in a DevOps World
CA Technologies
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Black Duck by Synopsys
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Deborah Schalm
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
DevSecCon
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Black Duck by Synopsys
 
DevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowDevSecOps Everything You Need To Know
DevSecOps Everything You Need To Know
Centextech
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
Black Duck by Synopsys
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
DevSecCon
 
BSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static AnalysisBSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static Analysis
Lewis Ardern
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 

More Related Content

What's hot

Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Synopsys Software Integrity Group
 
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
CA Technologies
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
Kevin Fealey
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
Synopsys Software Integrity Group
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Software Integrity Group
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions
Synopsys Software Integrity Group
 
Application Security in a DevOps World
Application Security in a DevOps WorldApplication Security in a DevOps World
Application Security in a DevOps World
CA Technologies
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Black Duck by Synopsys
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Deborah Schalm
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
DevSecCon
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Black Duck by Synopsys
 
DevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowDevSecOps Everything You Need To Know
DevSecOps Everything You Need To Know
Centextech
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
Black Duck by Synopsys
 

What's hot (19)

Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
 
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
The CA Technologies | Veracode Platform: A 360-Degree View of Your Applicatio...
 
DevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just SecurityDevSecOps without DevOps is Just Security
DevSecOps without DevOps is Just Security
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions
 
Application Security in a DevOps World
Application Security in a DevOps WorldApplication Security in a DevOps World
Application Security in a DevOps World
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and DevelopersThe DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
 
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
Open Source Insight: Container Tech, Data Centre Security & 2018's Biggest Se...
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Top 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management TeamsTop 10 Practices of Highly Successful DevOps Incident Management Teams
Top 10 Practices of Highly Successful DevOps Incident Management Teams
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
 
Securing the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William HenrySecuring the container DevOps pipeline by William Henry
Securing the container DevOps pipeline by William Henry
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
 
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
 
DevSecOps Everything You Need To Know
DevSecOps Everything You Need To KnowDevSecOps Everything You Need To Know
DevSecOps Everything You Need To Know
 
DevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructuresDevSecOps - Building continuous security into it and app infrastructures
DevSecOps - Building continuous security into it and app infrastructures
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 

Similar to Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD

Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
DevSecCon
 
BSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static AnalysisBSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static Analysis
Lewis Ardern
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
Denim Group
 
GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...
GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...
GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...
Amazon Web Services
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
Amazon Web Services
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
Amazon Web Services
 
Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps Pipelines
Amazon Web Services
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
DevOps.com
 
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-BerlinDevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
Sreeni Pamidala
 
Découvrez le Rugged DevOps
Découvrez le Rugged DevOpsDécouvrez le Rugged DevOps
Découvrez le Rugged DevOps
Talent Agile @ Avanade
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
Rogue Wave Software
 
SAPUI5/OpenUI5 - Continuous Integration
SAPUI5/OpenUI5 - Continuous IntegrationSAPUI5/OpenUI5 - Continuous Integration
SAPUI5/OpenUI5 - Continuous Integration
Peter Muessig
 
Synopsys_site.pptx
Synopsys_site.pptxSynopsys_site.pptx
Synopsys_site.pptx
Arthur528009
 
New Reporting Experience in IBM Cognos Analytics: Demos of our Favorite New F...
New Reporting Experience in IBM Cognos Analytics: Demos of our Favorite New F...New Reporting Experience in IBM Cognos Analytics: Demos of our Favorite New F...
New Reporting Experience in IBM Cognos Analytics: Demos of our Favorite New F...
Senturus
 
A Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryA Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software Delivery
Gene Gotimer
 
FSV308-Culture Shift How to Move a Global Financial Services Organization to ...
FSV308-Culture Shift How to Move a Global Financial Services Organization to ...FSV308-Culture Shift How to Move a Global Financial Services Organization to ...
FSV308-Culture Shift How to Move a Global Financial Services Organization to ...
Amazon Web Services
 

Similar to Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD (20)

Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer Maor
 
BSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static AnalysisBSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static Analysis
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
 
GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...
GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...
GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
DevOps on AWS
DevOps on AWSDevOps on AWS
DevOps on AWS
 
Adding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps PipelinesAdding the Sec to Your DevOps Pipelines
Adding the Sec to Your DevOps Pipelines
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-BerlinDevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
 
Découvrez le Rugged DevOps
Découvrez le Rugged DevOpsDécouvrez le Rugged DevOps
Découvrez le Rugged DevOps
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
 
SAPUI5/OpenUI5 - Continuous Integration
SAPUI5/OpenUI5 - Continuous IntegrationSAPUI5/OpenUI5 - Continuous Integration
SAPUI5/OpenUI5 - Continuous Integration
 
Synopsys_site.pptx
Synopsys_site.pptxSynopsys_site.pptx
Synopsys_site.pptx
 
New Reporting Experience in IBM Cognos Analytics: Demos of our Favorite New F...
New Reporting Experience in IBM Cognos Analytics: Demos of our Favorite New F...New Reporting Experience in IBM Cognos Analytics: Demos of our Favorite New F...
New Reporting Experience in IBM Cognos Analytics: Demos of our Favorite New F...
 
A Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software DeliveryA Better, Faster Pipeline for Software Delivery
A Better, Faster Pipeline for Software Delivery
 
FSV308-Culture Shift How to Move a Global Financial Services Organization to ...
FSV308-Culture Shift How to Move a Global Financial Services Organization to ...FSV308-Culture Shift How to Move a Global Financial Services Organization to ...
FSV308-Culture Shift How to Move a Global Financial Services Organization to ...
 

More from Synopsys Software Integrity Group

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
Synopsys Software Integrity Group
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
Synopsys Software Integrity Group
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Synopsys Software Integrity Group
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security
Synopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability Feed
Synopsys Software Integrity Group
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Synopsys Software Integrity Group
 
Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source Licensing
Synopsys Software Integrity Group
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Synopsys Software Integrity Group
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
Synopsys Software Integrity Group
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Synopsys Software Integrity Group
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Synopsys Software Integrity Group
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
Synopsys Software Integrity Group
 
Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity
Synopsys Software Integrity Group
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
Synopsys Software Integrity Group
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
Synopsys Software Integrity Group
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production Environments
Synopsys Software Integrity Group
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
Infographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
Synopsys Software Integrity Group
 
Webinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis ReportWebinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis Report
Synopsys Software Integrity Group
 
Webinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the NumbersWebinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the Numbers
Synopsys Software Integrity Group
 

More from Synopsys Software Integrity Group (20)

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability Feed
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
 
Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source Licensing
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
 
Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production Environments
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
 
Infographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
 
Webinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis ReportWebinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis Report
 
Webinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the NumbersWebinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the Numbers
 

Recently uploaded

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
Ortus Solutions, Corp
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 

Recently uploaded (20)

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Into the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdfInto the Box 2024 - Keynote Day 2 Slides.pdf
Into the Box 2024 - Keynote Day 2 Slides.pdf
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 

Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD

  • 1. © 2017 Synopsys, Inc. 1 Making AppSec Testing Work in CI/CD! Ofer Maor, Director, Solutions Management @OferMaor linkedin.com/in/ofermaor Ofer @ synopsys.com
  • 2. © 2017 Synopsys, Inc. 2 Speaker • Solutions Mgmt @ Synopsys • Over 20 years in cyber security • Hacker at heart • Longtime OWASPer • Pioneer of IAST • DevSecOps/DevOpsSec fan! • Avid photographer Marina Bay Gardens, Singapore, February 2018
  • 3. © 2017 Synopsys, Inc. 3 CI/CD, DevOps, DevSecOps—WHAT?!
  • 4. © 2017 Synopsys, Inc. 4 CD extreme • Multiple production updates per day • Multiple CI streams • A/B UAT • Parallel testing and deployment • No place for outsiders Source: Wikipedia
  • 5. © 2017 Synopsys, Inc. 5 CI/CD AST Needs • Speed • Integration • Ease of use • Relevance (accuracy) • Actionability
  • 6. © 2017 Synopsys, Inc. 6 The *AST landscape
  • 7. © 2017 Synopsys, Inc. 7 SAST – Static Application Security Testing AKA: Static Code Analysis for Security • Analyzes code to identify vulnerabilities • Most prevalent AST solution today • Challenges –Potential FPs –May require tuning and configuration –Hard for use for security professionals • Offered in various flavors: –Analysis of (uncompiled) source code –Analysis of code & build –Analysis of binary code –Managed Service / Tool / IDE Plugin cond2 *a = bfree(a)*a = bfree(a) cond2 b = 10a = malloc(10) cond1
  • 8. © 2017 Synopsys, Inc. 8 SAST – Static Application Security Testing AKA: Static Code Analysis for Security • Speed Instant to Hours (by Flavor) • Integration IDE, Build, Binary • Ease of Use Varies. Can be Complex • Relevance Can be overwhelming • Actionability Right on. Points to Line of Code
  • 9. © 2017 Synopsys, Inc. 9 SAST Flavors • IDE “Spellchecker” Lightweight, Instant • In-IDE Incremental Pre-checkin, Minutes • Integration/Build CI, Minutes to Hours • Binary Analysis Post Build, Hours • Managed Service External, Days
  • 10. © 2017 Synopsys, Inc. 10 DAST – Dynamic Application Security Testing AKA: Web Application Scanner (Black Box) • Sends HTTP tests to test running application • Longest used AST technology • Challenges –Accuracy of results –Not suited for dev – no code guidance –Performance (long testing times) • Offered in various delivery forms: –On Premise –Cloud –Managed Services –Included in Professional Services ??? ?? Tests ?????
  • 11. © 2017 Synopsys, Inc. 11 • Speed Hours to Days • Integration Not Really… • Ease of Use Requires some security skills • Relevance Focus on Front end (but some FPs) • Actionability Difficult. DAST – Dynamic Application Security Testing AKA: Web Application Scanner (Black Box)
  • 12. © 2017 Synopsys, Inc. 12 IAST – Interactive Application Security Testing AKA: Runtime Code Analysis • Runtime code analysis through instrumentation • Youngest AST technology • Challenges –Deployment of agents on tested servers –Requires integration into dev/devops environments –Coverage influences by what’s executed • Comes with various “interpretations” –Inline/Passive IAST (Based on existing traffic) –Active IAST (Including HTTP Inducer) –DAST Add-on Only –RASP Add-on Database Back End Front End HTTP/s DATA WS SQL DATA ODBC IAST
  • 13. © 2017 Synopsys, Inc. 13 • Speed Instant to Hours (by Flavor) • Integration Test Automation • Ease of Use Easy (once deployed) • Relevance Very relevant. Actual executed LoC •Actionability Right on. Points to Line of Code IAST – Interactive Application Security Testing AKA: Runtime Code Analysis
  • 14. © 2017 Synopsys, Inc. 14 IAST Flavors • Inline/Passive Lightweight, Instant Integrates with Existing Tests • Active Minutes (Incremental) – Hours Requires dedicated testing
  • 15. © 2017 Synopsys, Inc. 15 SCA – Software Composition Analysis AKA: Open Source Library Scanning • Searches known open source (and closed source) components in applications • Rapidly growing testing segment • Challenges –Additional technology on top of other *AST –Very broad scope • Offered in different flavors –Binary Analysis for Supply Chain and 3rd Parties –Source Analysis for home grown security and licensing –On-premise / Cloud options
  • 16. © 2017 Synopsys, Inc. 16 • Speed Minutes to Hours • Integration IDE, Build, Binary • Ease of Use Fairly Easy • Relevance Hard to determine actual impact • Actionability Not always straight forward SCA – Software Composition Analysis AKA: Open Source Library Scanning
  • 17. © 2017 Synopsys, Inc. 17 The Right Mix – How to Make it Work!
  • 18. © 2017 Synopsys, Inc. 18 Key Principles •If you can’t beat them, join them! •Automation, automation, automation •Alt-Ctrl, Shift-Left (but not just…) •Multiple technologies, multiple flavors, multiple times! •Parallel processes at parallel speeds •You’re going to have to live with some risk
  • 19. © 2017 Synopsys, Inc. 19 Making it All Work! •Use instant/passive solutions as much as possible –In-IDE “spell-checker” static analysis –Inline IAST •Define practical policies for hard and soft gates –Hard gates: stop the process –Soft gates: put in motion a correction process •Use layers of testing at different stages
  • 20. © 2017 Synopsys, Inc. 20 IDE “spell- checker” Incremental IDE SAST Inline IASTIn-IDE SCA Verification DAST Active IAST Full scan SAST Full scan SCA RASP/WAF
  • 21. © 2017 Synopsys, Inc. 21 Fast vs. Slow •Rely heavily on integrated/fast technologies •Key criteria - “does not get in the way” •Define practical blocking criteria - be realistic •All the rest - in the backlog
  • 22. © 2017 Synopsys, Inc. 22 Accept A/B testing •Gradual A/B testing is replacing test environments •Manage A/B testing exposure as part of risk management •Use it! A/B testing gives you the best test environment •Create the right “Retro” gates by risk • High: block propagation and roll back • Medium: block propagation until fix is delivered (but don’t roll back) • Low: continue propagation but with a fix following right up
  • 23. © 2017 Synopsys, Inc. 23 Summary •Software security testing is complex, even more so in CI/CD •Unfortunately, there’s no “one ring to rule them all” •You have to build your *AST workflow and pipeline • Work closely with R&D and DevOps • Use multiple tools and multiple technologies • Work in parallel tracks at parallel speeds • Manage your risk!
  • 24. © 2017 Synopsys, Inc. 24 Thank you! Questions? @OferMaor linkedin.com/in/ofermaor Ofer @ synopsys.com Water Mill, Napa Valley, May 2018