SlideShare a Scribd company logo

Bridging the Security Testing Gap in Your CI/CD Pipeline

DevOps.com, profile picture
DevOps.com

The document discusses the increasing importance of cybersecurity in the context of accelerated digital transformation and the challenges organizations face in integrating security testing within CI/CD pipelines. It introduces 'Seeker', an Interactive Application Security Testing (IAST) tool designed to automate security assessments, improve vulnerability detection, and facilitate seamless integration into development workflows. Seeker aims to enhance application security through real-time testing, verification of vulnerabilities, and ongoing developer education, making it suitable for organizations at various stages of their security journey.

Technology
1 of 28
Downloaded 36 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
© 2019 Synopsys, Inc.1 Bridging the security testing gap in CI/CD pipeline Kimm Yeo and Asma Zubair SIG Product Marketing and Management
© 2019 Synopsys, Inc.2 Agenda Market trends and challenges App security gap in CI/CD and IAST Introducing Seeker IAST Seeker demonstration Q & A
© 2019 Synopsys, Inc.3 The pace of digital transformation today Source: Accenture 2019 executive technology vision study 94%enterprises have accelerated or significantly accelerated pace of innovations1 Sources: 1. Accenture 2019 report (link) 2. 451 DevSecOps research report2
© 2019 Synopsys, Inc.4 What’s next? Accenture 2019 executive vision: One of the top five trends for next three years Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Importance of cybersecurity One of top 5 trends for next 3years source: Accenture 2019 Technology Vision survey with over 6k business and IT execs Source: Accenture 2019 tech vision report (link)
© 2019 Synopsys, Inc.5 The pace of digital transformation today Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs With digital transformation becoming an even playing field, new challenges arised
© 2019 Synopsys, Inc.6 Current state of cybersecurity State of software security in financial services 2 62% Do not have necessary cybersecurity skills2 Only 23% Perform security assessment of third party directly 2 74% Concern with software and systems supplied by third party2 76% Difficulty with vulnerability detection in software systems before release2 11B records breached 1 (and still counting...) Sources: 1. Privacy rights data breaches (link) 2. Ponemon state of security in financial services industry report2
© 2019 Synopsys, Inc.7 Third party penetration testing Fuzz testing Softw are com position analysisD ynam ic analysis Static analysis 57% 31% 61% 59% 51% Source: 451 DevSecOps Research Application security tools in CI/CD workflows Question: What are the critical app sec testing tools to add to CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
© 2019 Synopsys, Inc.8 Application security gap in SDLC Code development Code commit Build Test Deploy Production Release SCA, SAST, (Deeper level) Lightweight IDE SAST tools Monitoring Pen testing Red Teaming TM, SAST Manual code review DAST Fuzz testing Pen testing Load/Performance test Hardening checks How do you take siloed, disparate development, operations and security processes and transform to an integrated tool chain?
© 2019 Synopsys, Inc.9 35% 36% 46% 48% 56% 61% Compliance Developer resistance False positives Security testing slows things down Inconsistent approach Lack of automated, integrated security testing tools Source: 451 DevSecOps Research, 2018 Security testing challenges in CI/CD workflows What are the most significant app security testing challenges inherent in CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
© 2019 Synopsys, Inc.10 The challenges of building security into modern application development and delivery How do we integrate and automate dynamic security testing into our CI/CD? How do we minimize the effort for developers to find and fix vulnerabilities? Sec How do we maximize application security AND development velocity? How do we identify and prioritize the most severe vulnerabilities?
© 2019 Synopsys, Inc.11 Interactive Application Security Testing (IAST)
© 2019 Synopsys, Inc.12 Continuous security testing with IAST Code development Code commit Build Test Deploy Production Release Functional Non- FunctionalSCA, SAST, (Deeper level) IAST (Continuous run-time text) Lightweight IDE SAST tools DAST Fuzz testing Pen testing Load/Performance test Hardening checks Monitoring Pen testing Red Teaming IAST (Continuous runtime security test) TM, SAST Manual code review
© 2019 Synopsys, Inc.13 IAST runtime testing & analysis • Analysis of code execution using runtime monitors • Visibility into executed code and runtime data, such as: • HTTP Requests – End to End • Parameter Propagation • HTTP Response Writing • Database Calls • Database Responses • File System Calls (& Content) • String Manipulations • Memory (Like Debugger “Watch”) • Usage of 3rd Party Libraries • Web Services Calls • On-the-fly Code Generation • More… …
© 2019 Synopsys, Inc.14 Comparison of SAST, IAST, and DAST SAST IAST DAST Typically used in Development Integration and QA QA or production Usually requires Source code Functional app and test suite Functional app Integrates in CI/CD Yes Yes No, not really Capabilities • Finds vulnerabilities earliest in the SDLC • Gives fast line of code insights • Finds vulnerabilities during functional test (no scans required) • Gives runtime and line of code insights in real time • Finds vulnerabilities w/o source code or test suite • Requires expertise and time to triage and prioritize findings
© 2019 Synopsys, Inc.15 Introducing Seeker IAST
© 2019 Synopsys, Inc.16 Seeker Seeker is our interactive application security testing tool – Performs run time security testing Seeker performs security testing on: – Web apps – Web APIs, or services – Mobile application back-end (where a mobile app’s critical functionality resides) – Detects vulnerabilities in custom code as well as 3rd party code Applications can be: – on-premises, in the cloud, containerized Seeker detects – Injection flaws – Security misconfigurations – Sensitive data leakage – and many more types of vulnerabilities
© 2019 Synopsys, Inc.17 Seeker - Automated security testing made easy • Automatically verifies vulnerabilities • Creates specific Jira tickets for developers • Instant notification to developers via slack or email Automated Verification Easy for Development • ANY functional test becomes a security test • Continuous security testing with results in real time Automated Testing Easy for QA • Deploy and run via CI/CD • Compatible with existing automation tools • On-premises and cloud- based apps Automated Deployment Easy for DevOps
© 2019 Synopsys, Inc.18 http://... How Seeker works Your Application Seeker Enterprise Server vulnerabilities 2 3 1 Application receives HTTP request. Agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof. 2 3 1 Seeker Agent
© 2019 Synopsys, Inc.19 Seeker integrates seamlessly into the DevOps toolchain Connect directly to Jira and your CI/CD tools with APIs and integrations testcode operatebuild deploy Developer commits the code Functional testing done Build pass/fail decision (based on testing status) App and Seeker are deployed in test environment The build is made Vulnerabilities pushed in
© 2019 Synopsys, Inc.20 Active verification provides accurate and real time results Patented active verification engine minimizes false positives • Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited • Quickly processes hundreds of thousands of HTTP(S) requests • Provides risk-prioritized list of verified vulnerabilities to fix immediately
© 2019 Synopsys, Inc.21 Configurable sensitive data tracking • Define parameters and patterns to identify sensitive data in your application • Track exposure and leakage through URLs, logs, UI, DB, etc. • Verify compliance with standards including PCI, HIPAA, and GDPR Verify security and data protection compliance by tracking leakage of any type of sensitive data
© 2019 Synopsys, Inc.22 Integrated eLearning • Seeker is now integrated with Synopsys eLearning. – Requires eLearning account/contract • Contextual online training helps developers understand and remediate vulnerabilities.
© 2019 Synopsys, Inc.23 Insight into third party, open source use and risks • Get visibility into supply chain risks • Comprehensive bill of materials • Vulnerable components • Risk-ranked vulnerabilities • Open source licenses Integrated Binary Software Composition Analysis identifies vulnerable components used in code
© 2019 Synopsys, Inc.24 Seeker In Action Demonstration
© 2019 Synopsys, Inc.25 Why Seeker ? Designed for seamless integration • Easy to automate or integrate into CI/CD pipeline • Easy to deploy and configure • Optimized for security, development and DevOps teams Privacy and compliance • Only AST tools with complete sensitive data tracking • Provide results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC • Integrated Binary Software Composition Analysis for OSS dependencies Developer empowerment • Accurate findings with real-time verification to help prioritize remediation • Integrated eLearning gives developers contextual learning on the job • Instant alert (slack, email, webhooks) and remediation advice Designed for scale • Support large-scale, modern app deployments • Framework agnostic with broad language coverage • Comprehensive checkers
© 2019 Synopsys, Inc.26 Seeker helps organizations with their application security testing needs No security testing in place • Seeker is perfect as a starting tool for automated security testing • Security expertise not needed Ad-hoc security testing Start using Seeker during functional testing to find vulnerabilities early and cut down on pen-testing resources/cost Ready to integrate security in CI/CD Integrate Seeker in CI/CD pipeline and automatically fail the build if critical security vulnerabilities are detected Regardless of their maturity in application security risk management process
© 2019 Synopsys, Inc.27 Q & A
Thank You Follow us on twitter : @zubaira, @kimm_yeo

More Related Content

What's hot (20)

PPTX
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
PPTX
Security testing fundamentals
Cygnet Infotech
 
PPTX
DEVSECOPS.pptx
MohammadSaif904342
 
PDF
The State of DevSecOps
DevOps Indonesia
 
PDF
DevOps Powerpoint Presentation Slides
SlideTeam
 
PDF
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
PDF
The What, Why, and How of DevSecOps
Cprime
 
PPT
DevSecOps Singapore introduction
Stefan Streichsbier
 
PDF
DevOps, Common use cases, Architectures, Best Practices
Shiva Narayanaswamy
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PPTX
CI/CD Overview
An Nguyen
 
PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
PPTX
DevOps to DevSecOps Journey..
Siddharth Joshi
 
PDF
Shift Left Security - The What, Why and How
DevOps.com
 
PPTX
Introduction to DevSecOps
abhimanyubhogwan
 
PPTX
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
PPTX
Threat Modeling In 2021
Adam Shostack
 
Understanding Application Threat Modelling & Architecture
Priyanka Aash
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
Security testing fundamentals
Cygnet Infotech
 
DEVSECOPS.pptx
MohammadSaif904342
 
The State of DevSecOps
DevOps Indonesia
 
DevOps Powerpoint Presentation Slides
SlideTeam
 
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
The What, Why, and How of DevSecOps
Cprime
 
DevSecOps Singapore introduction
Stefan Streichsbier
 
DevOps, Common use cases, Architectures, Best Practices
Shiva Narayanaswamy
 
DevSecOps in Baby Steps
Priyanka Aash
 
CI/CD Overview
An Nguyen
 
DevSecOps Implementation Journey
DevOps Indonesia
 
DevOps to DevSecOps Journey..
Siddharth Joshi
 
Shift Left Security - The What, Why and How
DevOps.com
 
Introduction to DevSecOps
abhimanyubhogwan
 
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Threat Modeling In 2021
Adam Shostack
 

Similar to Bridging the Security Testing Gap in Your CI/CD Pipeline (20)

PDF
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
PDF
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
PDF
Ast in CI/CD by Ofer Maor
DevSecCon
 
PDF
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
PDF
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
PDF
Datasheet app vulnerability_assess
Birodh Rijal
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
PPTX
IAST Tools POC Report for interactive testing
HareeshNani5
 
PDF
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
PPTX
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
PPTX
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
PDF
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
Synopsys Software Integrity Group
 
PDF
Secure software chapman
AdaCore
 
PDF
The Future of DevSecOps
Stefan Streichsbier
 
PDF
Embedded world 2017
ChantalWauters
 
PPTX
How to Get the Most Out of Security Tools
Security Innovation
 
PDF
Web Application Security Testing (1).pptx.pdf
apurvar399
 
PDF
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
PDF
Procuring an Application Security Testing Partner
HCLSoftware
 
PDF
Analyst Resources for Chief Information Security Officers (CISOs)
Synopsys Software Integrity Group
 
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
Ast in CI/CD by Ofer Maor
DevSecCon
 
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Datasheet app vulnerability_assess
Birodh Rijal
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
IAST Tools POC Report for interactive testing
HareeshNani5
 
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
Synopsys Software Integrity Group
 
Secure software chapman
AdaCore
 
The Future of DevSecOps
Stefan Streichsbier
 
Embedded world 2017
ChantalWauters
 
How to Get the Most Out of Security Tools
Security Innovation
 
Web Application Security Testing (1).pptx.pdf
apurvar399
 
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
Procuring an Application Security Testing Partner
HCLSoftware
 
Analyst Resources for Chief Information Security Officers (CISOs)
Synopsys Software Integrity Group
 
Ad

More from DevOps.com (20)

PDF
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
PDF
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
PPTX
Vulnerability Discovery in the Cloud
DevOps.com
 
PDF
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
PDF
A New Year’s Ransomware Resolution
DevOps.com
 
PPTX
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
PDF
Don't Panic! Effective Incident Response
DevOps.com
 
PDF
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
PDF
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
PDF
Monitoring Serverless Applications with Datadog
DevOps.com
 
PDF
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
PPTX
Securing medical apps in the age of covid final
DevOps.com
 
PDF
How to Build a Healthy On-Call Culture
DevOps.com
 
PPTX
The Evolving Role of the Developer in 2021
DevOps.com
 
PDF
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
PPTX
Secure Data Sharing in OpenShift Environments
DevOps.com
 
PPTX
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
PDF
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
Vulnerability Discovery in the Cloud
DevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
A New Year’s Ransomware Resolution
DevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
Don't Panic! Effective Incident Response
DevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
Monitoring Serverless Applications with Datadog
DevOps.com
 
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
Securing medical apps in the age of covid final
DevOps.com
 
How to Build a Healthy On-Call Culture
DevOps.com
 
The Evolving Role of the Developer in 2021
DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
Secure Data Sharing in OpenShift Environments
DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 
Ad

Recently uploaded (20)

PDF
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PDF
introduction to computer hardware and sofeware
chauhanshraddha2007
 
PPTX
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
PPTX
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PPTX
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PPTX
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
TrustArc Webinar - Navigating Data Privacy in LATAM: Laws, Trends, and Compli...
TrustArc
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
introduction to computer hardware and sofeware
chauhanshraddha2007
 
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
GDG Cloud Munich - Intro - Luiz Carneiro - #BuildWithAI - July - Abdel.pdf
Luiz Carneiro
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 

Bridging the Security Testing Gap in Your CI/CD Pipeline

  • 1. © 2019 Synopsys, Inc.1 Bridging the security testing gap in CI/CD pipeline Kimm Yeo and Asma Zubair SIG Product Marketing and Management
  • 2. © 2019 Synopsys, Inc.2 Agenda Market trends and challenges App security gap in CI/CD and IAST Introducing Seeker IAST Seeker demonstration Q & A
  • 3. © 2019 Synopsys, Inc.3 The pace of digital transformation today Source: Accenture 2019 executive technology vision study 94%enterprises have accelerated or significantly accelerated pace of innovations1 Sources: 1. Accenture 2019 report (link) 2. 451 DevSecOps research report2
  • 4. © 2019 Synopsys, Inc.4 What’s next? Accenture 2019 executive vision: One of the top five trends for next three years Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Importance of cybersecurity One of top 5 trends for next 3years source: Accenture 2019 Technology Vision survey with over 6k business and IT execs Source: Accenture 2019 tech vision report (link)
  • 5. © 2019 Synopsys, Inc.5 The pace of digital transformation today Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs With digital transformation becoming an even playing field, new challenges arised
  • 6. © 2019 Synopsys, Inc.6 Current state of cybersecurity State of software security in financial services 2 62% Do not have necessary cybersecurity skills2 Only 23% Perform security assessment of third party directly 2 74% Concern with software and systems supplied by third party2 76% Difficulty with vulnerability detection in software systems before release2 11B records breached 1 (and still counting...) Sources: 1. Privacy rights data breaches (link) 2. Ponemon state of security in financial services industry report2
  • 7. © 2019 Synopsys, Inc.7 Third party penetration testing Fuzz testing Softw are com position analysisD ynam ic analysis Static analysis 57% 31% 61% 59% 51% Source: 451 DevSecOps Research Application security tools in CI/CD workflows Question: What are the critical app sec testing tools to add to CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
  • 8. © 2019 Synopsys, Inc.8 Application security gap in SDLC Code development Code commit Build Test Deploy Production Release SCA, SAST, (Deeper level) Lightweight IDE SAST tools Monitoring Pen testing Red Teaming TM, SAST Manual code review DAST Fuzz testing Pen testing Load/Performance test Hardening checks How do you take siloed, disparate development, operations and security processes and transform to an integrated tool chain?
  • 9. © 2019 Synopsys, Inc.9 35% 36% 46% 48% 56% 61% Compliance Developer resistance False positives Security testing slows things down Inconsistent approach Lack of automated, integrated security testing tools Source: 451 DevSecOps Research, 2018 Security testing challenges in CI/CD workflows What are the most significant app security testing challenges inherent in CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
  • 10. © 2019 Synopsys, Inc.10 The challenges of building security into modern application development and delivery How do we integrate and automate dynamic security testing into our CI/CD? How do we minimize the effort for developers to find and fix vulnerabilities? Sec How do we maximize application security AND development velocity? How do we identify and prioritize the most severe vulnerabilities?
  • 11. © 2019 Synopsys, Inc.11 Interactive Application Security Testing (IAST)
  • 12. © 2019 Synopsys, Inc.12 Continuous security testing with IAST Code development Code commit Build Test Deploy Production Release Functional Non- FunctionalSCA, SAST, (Deeper level) IAST (Continuous run-time text) Lightweight IDE SAST tools DAST Fuzz testing Pen testing Load/Performance test Hardening checks Monitoring Pen testing Red Teaming IAST (Continuous runtime security test) TM, SAST Manual code review
  • 13. © 2019 Synopsys, Inc.13 IAST runtime testing & analysis • Analysis of code execution using runtime monitors • Visibility into executed code and runtime data, such as: • HTTP Requests – End to End • Parameter Propagation • HTTP Response Writing • Database Calls • Database Responses • File System Calls (& Content) • String Manipulations • Memory (Like Debugger “Watch”) • Usage of 3rd Party Libraries • Web Services Calls • On-the-fly Code Generation • More… …
  • 14. © 2019 Synopsys, Inc.14 Comparison of SAST, IAST, and DAST SAST IAST DAST Typically used in Development Integration and QA QA or production Usually requires Source code Functional app and test suite Functional app Integrates in CI/CD Yes Yes No, not really Capabilities • Finds vulnerabilities earliest in the SDLC • Gives fast line of code insights • Finds vulnerabilities during functional test (no scans required) • Gives runtime and line of code insights in real time • Finds vulnerabilities w/o source code or test suite • Requires expertise and time to triage and prioritize findings
  • 15. © 2019 Synopsys, Inc.15 Introducing Seeker IAST
  • 16. © 2019 Synopsys, Inc.16 Seeker Seeker is our interactive application security testing tool – Performs run time security testing Seeker performs security testing on: – Web apps – Web APIs, or services – Mobile application back-end (where a mobile app’s critical functionality resides) – Detects vulnerabilities in custom code as well as 3rd party code Applications can be: – on-premises, in the cloud, containerized Seeker detects – Injection flaws – Security misconfigurations – Sensitive data leakage – and many more types of vulnerabilities
  • 17. © 2019 Synopsys, Inc.17 Seeker - Automated security testing made easy • Automatically verifies vulnerabilities • Creates specific Jira tickets for developers • Instant notification to developers via slack or email Automated Verification Easy for Development • ANY functional test becomes a security test • Continuous security testing with results in real time Automated Testing Easy for QA • Deploy and run via CI/CD • Compatible with existing automation tools • On-premises and cloud- based apps Automated Deployment Easy for DevOps
  • 18. © 2019 Synopsys, Inc.18 http://... How Seeker works Your Application Seeker Enterprise Server vulnerabilities 2 3 1 Application receives HTTP request. Agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof. 2 3 1 Seeker Agent
  • 19. © 2019 Synopsys, Inc.19 Seeker integrates seamlessly into the DevOps toolchain Connect directly to Jira and your CI/CD tools with APIs and integrations testcode operatebuild deploy Developer commits the code Functional testing done Build pass/fail decision (based on testing status) App and Seeker are deployed in test environment The build is made Vulnerabilities pushed in
  • 20. © 2019 Synopsys, Inc.20 Active verification provides accurate and real time results Patented active verification engine minimizes false positives • Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited • Quickly processes hundreds of thousands of HTTP(S) requests • Provides risk-prioritized list of verified vulnerabilities to fix immediately
  • 21. © 2019 Synopsys, Inc.21 Configurable sensitive data tracking • Define parameters and patterns to identify sensitive data in your application • Track exposure and leakage through URLs, logs, UI, DB, etc. • Verify compliance with standards including PCI, HIPAA, and GDPR Verify security and data protection compliance by tracking leakage of any type of sensitive data
  • 22. © 2019 Synopsys, Inc.22 Integrated eLearning • Seeker is now integrated with Synopsys eLearning. – Requires eLearning account/contract • Contextual online training helps developers understand and remediate vulnerabilities.
  • 23. © 2019 Synopsys, Inc.23 Insight into third party, open source use and risks • Get visibility into supply chain risks • Comprehensive bill of materials • Vulnerable components • Risk-ranked vulnerabilities • Open source licenses Integrated Binary Software Composition Analysis identifies vulnerable components used in code
  • 24. © 2019 Synopsys, Inc.24 Seeker In Action Demonstration
  • 25. © 2019 Synopsys, Inc.25 Why Seeker ? Designed for seamless integration • Easy to automate or integrate into CI/CD pipeline • Easy to deploy and configure • Optimized for security, development and DevOps teams Privacy and compliance • Only AST tools with complete sensitive data tracking • Provide results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC • Integrated Binary Software Composition Analysis for OSS dependencies Developer empowerment • Accurate findings with real-time verification to help prioritize remediation • Integrated eLearning gives developers contextual learning on the job • Instant alert (slack, email, webhooks) and remediation advice Designed for scale • Support large-scale, modern app deployments • Framework agnostic with broad language coverage • Comprehensive checkers
  • 26. © 2019 Synopsys, Inc.26 Seeker helps organizations with their application security testing needs No security testing in place • Seeker is perfect as a starting tool for automated security testing • Security expertise not needed Ad-hoc security testing Start using Seeker during functional testing to find vulnerabilities early and cut down on pen-testing resources/cost Ready to integrate security in CI/CD Integrate Seeker in CI/CD pipeline and automatically fail the build if critical security vulnerabilities are detected Regardless of their maturity in application security risk management process
  • 27. © 2019 Synopsys, Inc.27 Q & A
  • 28. Thank You Follow us on twitter : @zubaira, @kimm_yeo