Application Security Testing for a DevOps Mindset
0 likes279 views
The document discusses integrating application security testing within DevOps workflows to enhance security insights and reduce vulnerabilities early in the development process. It emphasizes the importance of collaboration between security and DevOps teams, alongside the use of tools like Threadfix for managing security vulnerabilities and automating assessments. A case study in the financial services sector demonstrates the successful implementation of these strategies to improve security within CI/CD pipelines.
Application Security Testing for a DevOps Mindset
- 1. Application Security Testing for the DevOps Mindset October 2018
- 3. Some Security Teams Will Adapt, Others Will Not 3
- 7. Use This Transition to Your Advantage 7
- 8. Use This Transition to Your Advantage 8
- 9. Move Security to the Left and Get Buy-In 9
- 10. Better Security Insight, More Often 10
- 11. So What Does Application Security Want? 11 • Reduce Risk Exposure • Introduce Fewer Vulnerabilities • Find Vulnerabilities Early • Fix Vulnerabilities Quickly
- 12. And What Do DevOps Teams Want? 12
- 13. How Do We Make This a Reality? 13
- 14. Application Security Testing in CI/CD Pipelines 14
- 15. Security People Love Policies 15
- 16. Effective Application Security Testing 16 • Reduce Noise • Run Fast
- 19. Reporting Recommendations 19 Hint: Not With These…
- 20. © confidential 20 ThreadFix Application Security Platform ThreadFix helps enterprises manage application security vulnerabilities Scanner Integration Vulnerability Correlation Faster Vulnerability Rem edition ThreadFix Workflow SAST, DAST, IAST Scanner Tools Manual Assessments 3rd Party Manual Assessments AppSec False Positive Assessments Reporting & Analytics Defect Trackers IDEs GAC Threadfix scanner integrations • ThreadFix creates a single comprehensive view of the security status of all applications within an organization • Provides a comprehensive view of software security for an organization by aggregating vulnerability test results, scanning tools, manual penetration and code review • Integrates security into development workflow • Provides automation for application security assessment • Helps prioritize vulnerabilities and enable higher level risk decision • ThreadFix infrastructure integrates security and DevOps environments • The platform allows organizations to embed security into organizations’ Continuous Integration / Continuous Delivery (CI/CD) pipelines
- 21. ThreadFix Integrates Security into DevOps Development Defect Tracker CI/CD SAST DAST IAST Risk Management & Compliance World Code/Apps to Test CI/CD Security Policy Defects Code Repositor y GRC Capabilities of Integration § Create a consolidated view of applications and vulnerabilities § Prioritize vulnerabilities to enable decision making § Streamline remediation by translating vulnerability data for developers in the tools they already use Metrics Penetration Testing Vulnerability Testing 3rd Party Reviews Security Application Vulnerabilities Orchestration & Automation Risk&Compliance
- 22. © confidential 22 Case Study: Secure DevOps with ThreadFix in Financial Services Vulnerability consolidation and reporting using Jira Integrates AppSec in to CI/CD pipelines Earlier knowledge of security issues and increased fix rate ThreadFix platform used to both manage results from DevOps CI/CD pipeline application security testing as well as more comprehensive application security testing efforts, providing a single centralized view of all application security testing activities
- 23. Applying In Your Organization 23 Next week you should: • Pick a DevOps team and take the development manager to lunch – talk about their tools and processes In the first three months following this presentation you should: • Enumerate the DevOps teams in your organization and the applications they are building • Craft a couple of policies that are appropriate for different types of applications in your environment • Integrate application security testing into one CI/CD pipeline Within six months you should: • Have a schedule to get application security testing spread across your portfolio
- 24. Thank you for your time