Introduction to the Sales Enablement Curriculum
Where does this Session fit within the learning path?
L100 CyberRes Business Overview
L110 CyberRes Partner Ecosystem
L140 CyberRes Discovery
L160 CyberRes Competitive Overview
L170 CyberRes Enterprise Licensing
L200 Identity & Access Management Foundation
L200 Data Privacy and Protection Foundation
L200 Security Operations Foundation
L200 Application Security Foundation
About This Course
Things You’ll Learn
1. Market Observations
2. Customer Challenges
3. Key Trends, Primary Use Cases, and Stakeholder Priorities
4. Fortify Portfolio Overview and Business Value
5. Customer Success
6. Market Insights – Competition
Market Observations
• There is an ever-increasing shortage of skilled security staff, which dilutes security best practices.
• Organizations worldwide are facing sophisticated ransomware, deeply embedded vulnerabilities, and attacks on the digital supply chain.
• The COVID-19 pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise.
Financial Impacts of Security Breaches
Average total cost and frequency of data breaches by initial attack vector
Source: Cost of a data breach report 2021 by Ponemon Institute and IBM
Top Security and Risk Management Trends for 2022

New responses to sophisticated threats

Digital Supply Chain Risk
Cybercriminals have discovered that attacks on the digital supply chain can provide a high return on investment. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

Attack Surface Expansion
Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, and more have left organizations’ exposed surfaces outside of a set of controllable assets.

Identity Threat Detection and Response
Organizations have spent considerable effort improving user authentication, which increases the attack surface. Credential misuse is now a primary attack vector.

The evolution and reframing of the security practice

Distributing Decisions
“The CISO role has moved from a technical subject matter expert to that of an executive risk manager,” said Firstbrook. “CISOs must reconceptualize their responsibility matrix to empower Boards of Directors, CEOs and other business leaders to make their own informed risk decisions.”

Beyond Awareness
Human error continues to be a factor in many data breaches, demonstrating that traditional approaches to security awareness training are ineffective. Progressive organizations are investing in holistic security behavior and culture programs (SBCPs), rather than outdated compliance-centric security awareness campaigns.

The consolidation of security products

Vendor Consolidation
Security technology convergence is accelerating, driven by the need to reduce complexity, reduce administration overhead and increase effectiveness. This consolidation will lower total cost of ownership and improve operational efficiency in the long term, leading to better overall security.

Cybersecurity Mesh
The security product consolidation trend is driving integration of security architecture components. However, there is still a need to define consistent security policies, enable workflows and exchange data between consolidated solutions. A cybersecurity mesh architecture (CSMA) helps provide a common, integrated security structure and posture to secure all assets, whether they’re on-premises, in data centers or in the cloud.

Source: https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022
Attackers Move from Infrastructure Level to App Level
Application layer attacks are perceived as normal traffic and pass through network, perimeter, data, and endpoint security systems.

Application security
• Not mature; lack of developer training
• Growing attack surface: more applications, more connected to the Internet
• Accelerating releases reduce the time available for security

[Diagram: application level (Application Security, Security Functionality*) versus infrastructure level (Identity & Access Management, Network & Perimeter); labels: “Controlled access”, “Avoiding bypassing”]

* Security functionality testing is different from application security testing.

Infrastructure security
• Highly mature
• Substantial investments in place
• Systems are more secure out-of-the-box than ever
Security Is Often Left Out
Why?
• Need for Speed: Developers have to deliver functional code fast – anything else is friction.
• Digital Transformation: 82% of CIOs say they have implemented new technologies, IT strategies, and/or methodologies due to the COVID-19 pandemic*.
• More Volume: Because of the volume of apps being pushed into production, security is not the focus of DevOps.
* IDG 2021 State of the CIO Report
Customers Need Help!
Three pillars: People, Process, Technology.

Training Developers around Security Testing
• Engage developers early in the testing process
• Make it easy for developers to initiate security scans on the code
• Prioritize security alerts to drive productivity of developers

Third-Party and Open-Source Vulnerabilities
• As much as 90% of applications use open-source software and libraries, many of which are available under the GNU General Public License.

Inherited Vulnerabilities
• Blindly using code previously written by someone else is a huge risk. You cannot know what security measures were taken; the code might contain many weaknesses and omissions.
• Reusing old code or legacy applications without adequate security testing or validation of the project’s health can lead to vulnerabilities becoming embedded in the new application. This is known as technical debt.
• Open-source modules might have security defects or known vulnerabilities, which could lead to software supply chain attacks.

Maturing DevSecOps
Many customers are still in the early phases of adopting an integrated approach.
• They lack an understanding of the impact of not remediating vulnerabilities early in the development cycle.
• Involve developers to shift security left in the development cycle.
• Break silos through a centralized reporting and monitoring solution for found vulnerabilities.
Application Security Key Trends 2022
Themes: Shift Left, Cloud Transformation, AppSec Maturity, Open Source Risk

Securing the Software Supply Chain
• Supply chains have many blind spots or cracks that attackers can take advantage of, resulting in increased severity and frequency of attacks.

AppSec Orchestration and Correlation
• AppSec orchestration and correlation has increasingly become a hot topic in the industry, with many benefits and challenges.

Next Generation DAST
• We are starting to see developer-driven DAST testing expand, extending the use of DAST beyond the hands of AppSec/QA and fully within the Dev CI/CD automation pipelines.

Machine Learning and AI are key to the next evolution of automation
• Companies that use automation are twice as likely to implement security testing; in addition, there are numerous use cases for machine learning advancements.

Cloud-Native AppSec
• With the broad IT industry trend towards the cloud, a modern software stack includes many cloud-native elements of the architecture.
• As a result, the demarcation between AppSec and InfraSec is becoming blurred.

API security needs are growing ever larger
• APIs are the most rapidly growing attack surface, but still aren’t widely understood and are often overlooked by developers and AppSec managers.

AppSec Is evolving from Shift-Left to Shift Everywhere
• Test early is now test everywhere and often!
• There is no one-size-fits-all; it is about finding the right tools for the right job, at the right time.
• It’s all about defense in depth.
Stakeholder Priorities
• Henk Visscher, Chief Information Security Officer (CISO): Protect the organization’s brand, information, applications, and infrastructure. Cost optimization for security and risk.
• Anika Bendali, DevOps Manager (DevOps): Manager with a technical background, responsible for developer tooling and overall CI/CD pipeline lights-on operation.
• Julia Zanberch, Application Security Manager (AppSec): Identify, track, and reduce application security risks across the applications catalog.
• Troy Michanna, Product Owner (DevLead): Release schedules and deadlines; ensures applications are secure before releasing to production.
Why Fortify?
• AppSec on demand: Application Security-as-a-Service with security testing and vulnerability management gets you started with minimal skilled resources.
• High-quality AppSec: With Fortify, you don’t need to trade quality of results for speed in order to scale up your DevSecOps processes.
• Industry-leading research: Our research supports 1,224 vulnerability categories across 30+ languages and over 1 million APIs to improve threat detection.
• Protect your software: Software resilience from a partner you can trust.
• Detect risk: Focus on what matters with accurate, thorough results.
• Evolve your AppSec: A holistic, scalable platform that supports your needs.
Benefits
What we do – Enable Secure Code Development
• Find and fix security vulnerabilities with fast and accurate results, whether the application is built in-house, by a third party, or using open-source libraries.
• Automatically identify and tune out false positives with machine learning. Fix known issues with minimal developer friction.
• Flexibility in testing application security on-premises, hosted, or delivered as a SaaS managed service. Cloud SDKs support cloud DevOps integration and testing of cloud microservices.
• Fortify offers end-to-end application security solutions, including integration with the developer IDE as well as the DevOps tool chain (CI/CD).
• Fortify is named #1 for Enterprise by Gartner (Critical Capabilities report), including its machine learning capabilities.
• Fortify customers benefit from a holistic, inclusive, and extensible platform that uses a single taxonomy and provides building blocks to mature your software security assurance efforts.
AppSec’s Journey Toward Cyber Resilience
Then, now, and in the future
• Era of Compliance (2001 - 2008): Comply, aka “Check the Box”. 2001: SOX.
• Era of Threat Management (2008 - 2014): De-risk, aka “Stage Gate”. 2008+: major cyberattacks.
• Era of DX Transform (2014 - 2020): Enable, aka “Shift Left”. 2020: COVID driving DX.
• Era of Growth (2021+): Resilient, aka “Speed vs Cost”.
Fortify Product Offerings
Flexible offering for Modern Development
• Static Code Analyzer: Analyzes source code for security vulnerabilities to enable Static Application Security Testing (SAST).
• Software Composition Analysis (SCA): Scans open-source components for vulnerabilities, either using Debricked (SaaS) or through our partnership with Sonatype (on-premises).
• WebInspect: Analyzes applications in their running state and simulates attacks to find vulnerabilities to enable Dynamic Application Security Testing (DAST).
• Software Security Center (SSC): Holistic application security platform included with on-premises or hosted solutions to centralize the visibility of application security risks.
• Fortify on Demand (FoD): AppSec as a managed service that includes SAST, DAST, SCA, and MAST capabilities, managed by CyberRes security analysts.
• Fortify Hosted: SaaS-based offering deployed in the cloud with managed infrastructure deployment and support.
Solutions that Align with DevSecOps Success: Integration, Automation, Speed
Backed by the Market-Leading Software Security Research Team
1,244 Vulnerability Categories | 30 Programming Languages | 1M+ Individual APIs
Enterprise-level security at each stage of development
Strong integration with industry-leading tools
Fortify Embodies DevSecOps
The world’s leading enterprises entrust their AppSec needs to Fortify
• 9 out of 10 of the largest information technology companies
• 5 out of 5 of the largest telecommunication companies
• 9 out of 10 of the largest banks
• 4 out of 5 of the largest pharmaceutical companies
• 3 out of 3 of the largest independent software vendors
• Federal: Strongest AppSec solution provider in the Federal space (FedRAMP Certified)
“Micro Focus Fortify really addresses the needs of the developers. It makes sense to them.”
- Damien Suggs, AppSec Director
“This is a partnership to drive AppSec modernization with Fortify on Demand to deliver actionable, data-driven results.”
- Rajan Gupta, VP, Product Security
Fortify Has a Continued Leadership Position in the Market
Fortify Key Competitive Differentiation
Maturity at Scale
Fortify is a good fit for enterprises with complex application projects and AST users with experience and advanced requirements.
Shift-Left Security
Fortify Security Assistant is a real-time security checker that operates in the IDE. It is not a replacement for a comprehensive SAST scan, but it can provide a lightweight automatic check for developer security mistakes as the developer codes.
Fewer False Positives
The Fortify Audit Assistant feature has been extended to allow teams the flexibility to either manually review artificial intelligence (AI) predictions on issues or to opt in to “automatic predictions,” which support completely in-band automated triaging of
This contributes to reducing false positives.
Enterprise DAST
Micro Focus provides DAST that is able to address many of the challenges with modern applications, such as scanning client-side vulnerabilities or support for 2FA, among other things.
Leader in Application Security Testing
Application Security Testing Market Size and Growth
Market Drivers
• Increasing investment in AppSec aligned with risk of breaches.
• Emergence of DevSecOps: Security becoming a critical component of DevOps, on-premises or in the cloud.
• Open Source: A significant % of production applications have OSS code, leading to software supply chain risks.
• Developer-Led: Developers are both users and a source of insider threats, which requires zero trust in the SDLC.
• Shift Left: Faster time to vulnerability identification and fix, driven by DevOps and the cost impact of remediation if done during production.
[Chart: Market Size Forecast 2017 to 2023 (Global): $3.3B in 2018 (F) to $7.1B in 2023 (F). Source: Forrester Analytics: Application Security Solutions Forecast, 2017 to 2023 (Global). F = Forecast]
Security Scanning Tools: Static Application Security Testing (SAST)*, Dynamic Application Security Testing (DAST)*, Software Composition Analysis (SCA)*, Interactive Application Security Testing (IAST)*
Runtime Protection Tools: Web Application Firewall (WAF), Bot Management, Runtime Application Self-protection (RASP)
*Fortify’s currently served market segments
Strengthen Your Cyber Resilience
CyberRes at a Glance
• Protect. Protect across your identities, applications, and data.
• Detect. Detect, respond, and recover from advanced threats.
• Evolve. Evolve your security posture at the speed of change.
[Diagram: four portfolio areas (Data Privacy and Protection, Identity and Access Management, Application Security, Security Operations) covering Identities, Data, and Applications]
Top 4 Points for Learners to Remember
1. Application Security is a growing market.
2. Every customer is a potential prospect for Application Security needs.
3. Fortify is a leader in the Application Security market.
4. Fortify offers a Full Spectrum solution for SCA, SAST, DAST and MAST.
What’s next?
Congratulations! You completed the course. But this is not the end …
Stay tuned for Application Security Solutions & Capabilities Training, L210.
Download any course attachments for future study!
Thank You.
www.cyberres.com
For customer facing material, visit Sales Enablement Central:
https://se.microfocus.com/en-us/cyberres
Make sure to fill out your survey after the course!
Before You Leave . . .
1. Exit from full screen mode (if used).
2. Close the window containing the presentation.
3. Close any intermediate screens.
4. When you return to the course page in SABA, it should say “Completed.”
5. Close the browser.