Application Security
Testing for the
DevOps Mindset
October 2018

DevOps Is Coming!
2

Some Security Teams Will Adapt, Others Will Not
3

Security Advantages: Auditability
4

Security Advantages: Automation
5

Security Advantages: Collaboration
6

Use This Transition to Your Advantage
7

Use This Transition to Your Advantage
8

Move Security to the Left and Get Buy-In
9

Better Security Insight, More Often
10

So What Does Application Security Want?
11
• Reduce Risk Exposure
• Introduce Fewer Vulnerabilities
• Find Vulnerabilities Early
• Fix Vulnerabilities Quickly

And What Do DevOps Teams Want?
12

How Do We Make This a Reality?
13

Application Security Testing in CI/CD Pipelines
14

Security People Love Policies
15

Effective Application Security Testing
16
• Reduce Noise
• Run Fast

Testing Tradeoffs
17

Decision-Making Factors
18

Reporting Recommendations
19
Hint: Not With These…

© confidential 20
ThreadFix Application Security Platform
ThreadFix helps enterprises manage application security vulnerabilities
Scanner
Integration
Vulnerability
Correlation
Faster
Vulnerability
Rem edition
ThreadFix Workflow
SAST, DAST,
IAST Scanner
Tools
Manual
Assessments
3rd Party Manual
Assessments
AppSec False Positive
Assessments
Reporting
& Analytics
Defect
Trackers
IDEs
GAC
Threadfix scanner
integrations
• ThreadFix creates a single
comprehensive view of the
security status of all applications
within an organization
• Provides a comprehensive view of
software security for an
organization by aggregating
vulnerability test results, scanning
tools, manual penetration and
code review
• Integrates security into
development workflow
• Provides automation for
application security assessment
• Helps prioritize vulnerabilities and
enable higher level risk decision
• ThreadFix infrastructure integrates
security and DevOps
environments
• The platform allows organizations
to embed security into
organizations’ Continuous
Integration / Continuous Delivery
(CI/CD) pipelines

ThreadFix Integrates Security into DevOps
Development
Defect
Tracker
CI/CD
SAST
DAST
IAST
Risk Management &
Compliance World
Code/Apps to Test
CI/CD Security
Policy
Defects
Code
Repositor
y
GRC
Capabilities of Integration
§ Create a consolidated view of applications and
vulnerabilities
§ Prioritize vulnerabilities to enable decision
making
§ Streamline remediation by translating
vulnerability data for developers in the tools they
already use
Metrics
Penetration Testing
Vulnerability Testing
3rd Party Reviews
Security
Application
Vulnerabilities
Orchestration & Automation
Risk&Compliance

© confidential 22
Case Study: Secure DevOps with ThreadFix in Financial Services
Vulnerability consolidation and
reporting using Jira
Integrates AppSec in
to CI/CD pipelines
Earlier knowledge of security
issues and increased fix rate
ThreadFix platform used to both manage results from DevOps CI/CD pipeline application security
testing as well as more comprehensive application security testing efforts, providing a single centralized
view of all application security testing activities

Applying In Your Organization
23
Next week you should:
• Pick a DevOps team and take the development manager to lunch – talk about their
tools and processes
In the first three months following this presentation you should:
• Enumerate the DevOps teams in your organization and the applications they are
building
• Craft a couple of policies that are appropriate for different types of applications in your
environment
• Integrate application security testing into one CI/CD pipeline
Within six months you should:
• Have a schedule to get application security testing spread across your portfolio

Thank you
for your time