Optimizing Security Velocity in Your
DevSecOps Pipeline at Scale
Tools Tips Tactics
THE 2021 WEBINAR SERIES
February 18, 2021 | 2 pm - 3 pm, EST
Brian Reed
Chief Mobility Officer
Dan Cornell
Co-Founder & CTO
© Copyright 2021 Now Secure, Inc. All Rights Reserved. Proprietary Information. Do not distribute.
Agenda
Introductions
State of App Security
Powering Secure Pipelines
Mastering Volume & Velocity
Reference Resources
Open Q&A
Meet the Experts
Brian Reed
Chief Mobility Officer
Dan Cornell
Co-Founder & CTO
Mission:
Save the World from Unsafe Mobile Apps
Automated Mobile AppSec Testing Software
Expert Pen Testing & Training Services
Mobile-First & Mobile-Only, 10+ Years in Mobile Forensics & Security
Standards-driven OWASP, NIAP, CVSS, Industry Regulations
Sponsor of OWASP Mobile Project, MASVS, Top 10
Contributors to Frida & Radare
2X Mobile App Sec Testing (MAST) Leader by IDC
DevSecOps Transformational Leader by Gartner
About Denim Group & ThreadFix
Leading provider of application security assessments,
penetration testing and remediation services.
• Blue Chip Fortune 500 customer base
• Trusted change agent for Secure DevOps
PRODUCT & SERVICES
• ThreadFix (Product)
• Management Assessment Program
• Security Advisory Services
RECOGNITION
• 2020 ISPG Global Excellence Award
• 2019 Cyber Defense Magazine (CDM) InfoSec Awards
Poll 1: Which best characterizes your SDLC?
• Waterfall
• Agile
• DevOps
• DevSecOps
Poll 2: How many scans are you running per week?
• 25 - 100
• 250+
• 1000+
• 2500+
Applications Run the World
Applications Run the World
But... delivering apps securely at scale challenges all organizations!
Security & Vulnerability Mgmt Stats
• 92% of Web Apps have Exploitable Security Flaws
• 44% of Vulnerabilities Remediated in 90 days
• Nearly Half of all Developers say they don't have enough time to spend on security, even though they are aware of its importance.
• 56 Days Across All Applications
• 72 Days For all Internally Built Applications
Sources: Abandoned Web Applications: Achilles' Heel of FT 500 Companies, High-Tech Bridge Security Research | 2018 DevOps Community Survey | 2019 Verizon Data Breach Investigation Report | 2019 Veracode State of Software Security
Mobile Security Stats
• 69% of all digital traffic & time spent is on mobile vs. web
• 85% of Mobile Apps have security risks
• 70% of Mobile Apps leak personal data to violate GDPR/CCPA
• 9% of orgs automate over 75% of test cases
• 14% of orgs can release software daily
• 30% Reduction in breach costs by companies w/ automated security
Sources: AppAnnie, March 2020; Comscore, January & November 2020; Gartner, Avoid Mobile App Security Pitfalls, Zumerle, 27 Jul 2020; Adobe Analytics Holiday Predictions, November 2020; Momentum Cyber Cybersecurity Market Review Q3-2020; NowSecure Privacy Benchmark, 2019; NowSecure Security Benchmark 2019
Challenges in Delivering Secure Apps @ Scale
• Business pressures to innovate and release faster: requires better collaboration across Dev + QA + Sec + Ops
• Fragmented tools and processes: leaves gaps and slows the business; requires integration
• Rapidly growing number of apps, test cycles, bugs, releases, data feeds and stakeholders: outpaces human ability to process; requires automation
• Mobile Security often lags Web Security: slows the mobile pipeline, more security bugs in the wild; requires mobile best-of-breed
The Typical Software Pipeline
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
Driving Efficient Pipelines, Data Volume & Flow
Funnel it all into a unified process
without having to invent a new
PC Apps
Web Apps
Mobile Apps
Dev
QA
Security
Security in the Pipeline
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
• Static Source Scans
• Cloud Security testing
• Dynamic Testing
• Manual Pen Testing
• SCA Repo Scans
• APISec Testing
• Mobile
• Web
• Network
• IDE Plug-ins
• WAF Data
• IAST
Mobile AppSec Testing Challenges in Pipeline
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
• Static Source only tests 20% of actual attack surface
• Static Source high false positives
• Hard to automate
• Dynamic & APISec to get other 80% coverage
• 2 week manual pen tests don’t scale
• High rate of security bugs escape into production
• Late stage testing delays releases
Mobile AppSec Testing in Pipeline
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
Automated Mobile AppSec Testing for Continuous Security
• Test mobile binary to eliminate source language dependencies
• Directly measure app behavior for high accuracy
• Test live running apps on real devices, not emulators
• Apply standards-driven checks & analysis [eg OWASP MASVS, NIAP, CVSS]
• Check for Apple & Google app store blockers
NowSecure Powers Your Mobile AppSec Toolchain
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
Autonomously Test CI/CD Builds & Generate Security Tickets
Fast On-Demand Testing for All Stakeholders
• +200 Standards-based checks for sensitive data, app store blockers & regulatory compliance
• Dev repair guides & sample code to fix fast
• Direct CI/CD, Ticketing, Vuln Mgmt, GRC & toolchain integrations
• Run autonomously: no new tools for dev, no workflow changes
• High accuracy, no false positives
Vulnerability Management Challenges in Pipelines
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
• Different types of analysis provide different types of insight
• Vulnerability and weakness data enter at different stages of the pipeline
• Vulnerabilities must be routed to the correct team(s) for remediation
• Data volume: High for applications, massive across the portfolio
• False positives have to be culled and vulnerabilities have to be contextualized and prioritized
Vulnerability Management in Pipeline
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
Automated Vulnerability Management
• Create a unified process with tools to collect, process and route data
• Integrate across tools in CI/CD pipeline
• Create automated vuln merge & mapping process
• Enable agentless SAST+DAST correlation
• Ensure continuous accreditation
Application types: Mobile, Web, Web Svcs, Web Client, IoT Apps
Testing types: DAST, SAST, IAST, SCA, Pen Test
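The collect, merge, correlate, route and prioritize steps of automated vulnerability management described on this slide, plus the build gate that the NowSecure case study quote later in the deck describes (stopping a build when a high-risk vuln is present), as an added worked example. This is not ThreadFix or NowSecure code: the scanner records, the route-to-handler map (ROUTE_MAP), the ownership map (TEAM_MAP), the false-positive list and the severity scales are all constructed for illustration.

```python
"""Constructed example: normalize, merge, correlate, route and gate scanner findings.

Not ThreadFix or NowSecure code. All input records and maps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
DAST_RISK = {3: "high", 2: "medium", 1: "low", 0: "info"}  # constructed DAST risk scale

@dataclass
class Finding:
    app: str
    cwe: int
    severity: str
    location: str  # file:line for SAST, route for DAST, component for mobile
    sources: set = field(default_factory=set)

# Constructed raw output: each tool reports in its own shape.
SAST_RAW = [
    {"app": "shop-api", "cwe": "CWE-89", "sev": "High", "file": "orders.py", "line": 42},
    {"app": "shop-api", "cwe": "CWE-89", "sev": "High", "file": "orders.py", "line": 42},  # rescan duplicate
    {"app": "shop-api", "cwe": "CWE-798", "sev": "Medium", "file": "config.py", "line": 7},
]
DAST_RAW = [
    {"app": "shop-api", "cweid": 89, "risk": 3, "url": "/api/orders"},
    {"app": "shop-api", "cweid": 79, "risk": 2, "url": "/api/search"},
]
MOBILE_RAW = [
    {"app": "shop-android", "cwe": 312, "severity": "high", "component": "SharedPreferences"},
]
# Hypothetical route-to-handler map: the "agentless" link between a DAST URL and source.
ROUTE_MAP = {("shop-api", "/api/orders"): "orders.py"}
# Hypothetical ownership map used to route findings to the responsible team.
TEAM_MAP = {"shop-api": "team-backend", "shop-android": "team-mobile"}
# Constructed triage decisions: (app, cwe, location) triples confirmed as false positives.
FALSE_POSITIVES = {("shop-api", 798, "config.py:7")}

def normalize(sast, dast, mobile):
    """Map each tool's native record shape onto the shared Finding schema."""
    out = []
    for r in sast:
        out.append(Finding(r["app"], int(r["cwe"].split("-")[1]), r["sev"].lower(),
                           f'{r["file"]}:{r["line"]}', {"sast"}))
    for r in dast:
        out.append(Finding(r["app"], r["cweid"], DAST_RISK[r["risk"]], r["url"], {"dast"}))
    for r in mobile:
        out.append(Finding(r["app"], r["cwe"], r["severity"].lower(), r["component"], {"mobile"}))
    return out

def merge(findings):
    """Collapse duplicates: same app, same CWE, same location is one finding."""
    merged = {}
    for f in findings:
        key = (f.app, f.cwe, f.location)
        if key in merged:
            merged[key].sources |= f.sources
        else:
            merged[key] = Finding(f.app, f.cwe, f.severity, f.location, set(f.sources))
    return merged

def correlate(merged, route_map):
    """Fold a DAST hit into the SAST finding for the same CWE in the handler its route maps to."""
    folded = []
    for key, f in merged.items():
        if f.sources != {"dast"}:
            continue
        handler = route_map.get((f.app, f.location))
        if handler is None:
            continue  # no route mapping: keep the DAST finding on its own
        for other in merged.values():
            if ("sast" in other.sources and other.app == f.app
                    and other.cwe == f.cwe and other.location.split(":")[0] == handler):
                other.sources.add("dast")
                folded.append(key)
                break
    for key in folded:
        del merged[key]
    return list(merged.values())

def triage(findings, false_positives):
    """Cull findings that triage has already confirmed as false positives."""
    return [f for f in findings if (f.app, f.cwe, f.location) not in false_positives]

def priority(f):
    """Contextualize: a weakness both static and dynamic analysis agree on ranks one step higher."""
    return SEVERITY_RANK[f.severity] + (1 if {"sast", "dast"} <= f.sources else 0)

def route(findings, team_map):
    """Group findings by owning team, highest priority first."""
    by_team = defaultdict(list)
    for f in findings:
        by_team[team_map.get(f.app, "unassigned")].append(f)
    for items in by_team.values():
        items.sort(key=priority, reverse=True)
    return dict(by_team)

def build_gate(findings, threshold="high"):
    """Return the findings that block the build (severity at or above the threshold)."""
    return [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]]

def run_pipeline():
    findings = correlate(merge(normalize(SAST_RAW, DAST_RAW, MOBILE_RAW)), ROUTE_MAP)
    findings = triage(findings, FALSE_POSITIVES)
    blockers = build_gate(findings)
    return {"findings": findings, "by_team": route(findings, TEAM_MAP),
            "blocked": bool(blockers), "blockers": blockers}

if __name__ == "__main__":
    result = run_pipeline()
    for team, items in result["by_team"].items():
        for f in items:
            print(f"{team}: {f.app} CWE-{f.cwe} {f.severity} at {f.location} via {sorted(f.sources)}")
    print("build blocked" if result["blocked"] else "build passes")
```

Six raw records collapse to three actionable findings: the duplicate SAST hit is merged, the DAST hit on `/api/orders` is folded into the SAST finding in `orders.py` (so the team sees one SQL injection confirmed from both sides, ranked above the other items), the triaged false positive is dropped, and the two remaining high findings block the build. The route-to-handler map is the part that needs real investment in practice; without it the DAST finding stays separate and is routed on app ownership alone.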
ThreadFix Remediation Cycle
Running an Efficient, Scalable Pipeline Together
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
Automated Mobile AppSec Testing for Continuous Security + Automated Vulnerability Management
• Leverage existing workflows
• Better developer communication
• Faster feedback loops
• More vulnerabilities fixed faster
Best Portfolio Coverage: Breadth and Depth
Application types: Mobile Apps, Web Apps, Web Services, IoT Apps, Web Client Apps
Testing types: SAST, NowSecure, DAST, IAST, Pen Testing, SCA
ThreadFix powered by Denim Group
Delivering Value and Security at DevOps Speed
● Continuous
● Automated
● Fast
● Efficient
● Scalable
● Cost effective
Pipeline stages: Requirements & Design → Code → Commit → Build → Test → Stage → Deploy
Velocity, Scale, ROI
SECURITY AUTOMATION
THE CLIENT
Education
THE CHALLENGE
• The company had a large portfolio of 2,000 applications, and application
security testing processes were manual and nonstandardized.
THE SOLUTION
• Process Standardization
• ThreadFix to standardize how static and dynamic tests were run and
consolidate the results into a single repository of record.
• Workflow Integration
• Once the vulnerability identification process was standardized and
streamlined, this allowed them to integrate workflows with the JIRA
system in use by development teams.
ThreadFix Case Study
• +500% Throughput for testing workflows
• 100% Improved testing process able to handle very large portfolio of apps
• -44% Time to fix vulnerabilities
Free Resources from ThreadFix
Application Asset Management with ThreadFix (webinar)
https://threadfix.it/resources/application-asset-management-with-threadfix/
Applied ThreadFix: Application Portfolio Tracking (associated blog post)
https://threadfix.it/resources/applied-threadfix-application-portfolio-tracking/
Applied ThreadFix: Seeding Your Application Portfolio with OWASP Amass (associated blog post)
https://threadfix.it/resources/applied-threadfix-seeding-your-application-portfolio-with-owasp-amass/
Using Collaboration to Make Application Vulnerability Management a Team Sport (webinar)
https://threadfix.it/resources/using-collaboration-to-make-application-vulnerability-management-a-team-sport/
Applied ThreadFix: Effective Security Team Collaboration (associated blog post)
https://threadfix.it/resources/applied-threadfix-effective-security-team-collaboration/
Applied ThreadFix: Security Teams Collaborating with Development Teams (associated blog post)
https://threadfix.it/resources/applied-threadfix-security-teams-collaborating-with-development-teams/
NowSecure Case Study
“Dev said they wanted 10 minutes or
less, accurate results, no false positives,
and complete automation. By meeting
these requirements with NowSecure,
we now have visibility and are fully
automated into every build. It will
automatically stop a build if a high-risk
vuln presents.”
Director App Security
Fortune 100 Financial Services Company
“We’ve benefited from productivity
improvements gained from automated
testing. Being able to trigger tests when
we promote code has saved us
meaningful time. Our company was able
to increase its release frequency from
quarterly to monthly for a 3x
improvement.”
Heather Brinkhaus, Senior Business Analyst,
Customer Apps, Caribou Coffee
“We practice security by design to
enable and empower devs with
different security tools at their
fingertips. We have created an
abstraction layer for all security
elements leveraging tools and
standards like NowSecure, OWASP
MASVS and NIST controls
embedded in our DevSecOps
pipeline. Builds complete, tests run
automatically, issues are surfaced
directly to the developer.”
Nick Christi, Manager of App &
Product Security, Allstate
Free Resources from NowSecure
https://www.cybrary.it/course/mobile-app-security/
https://bit.ly/3lfcQJG
https://bit.ly/3jfd1mx
https://bit.ly/3gmnoTv
https://bit.ly/32oHmIx
GIVEAWAY TIME!
Q&A
Ask the Experts
Brian Reed
Chief Mobility Officer
Dan Cornell
Co-Founder & CTO
Thank You!
Brian Reed
Chief Mobility Officer
Dan Cornell
Co-Founder & CTO
Meet the Experts
Parking lot
[Webinar] Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Businesses are driving development teams to build, test and deliver app innovations faster
and faster, while attackers continue to grow in sophistication and complexity. Join Brian
Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of
ThreadFix in this best practices session to learn how to drive efficiencies in team and
pipeline performance at scale.
Note: I pulled this deck together as a thought leadership piece, not direct product promotion.
We can choose to add specific product slides, demo screenshots, etc. if we feel it's needed
when we talk next.
Abstract and Notes [to be removed]
