© 2015 Denim Group – All Rights Reserved
SecDevOps:
Development Tools for Security Pros
This presentation contains information about DHS-funded research:
Topic Number: H-SB013.1-002 - Hybrid Analysis Mapping (HAM)
Proposal Number: HSHQDC-13-R-00009-H-SB013.1-002-0003-I
My Background
• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio
Denim Group Background
• Secure software services and products company
  • Builds secure software
  • Helps organizations assess and mitigate risk of in-house developed and third party software
  • Provides classroom training and e-Learning so clients can build software securely
• Software-centric view of application security
  • Application security experts are practicing developers
  • Development pedigree translates to rapport with development managers
  • Business impact: shorter time-to-fix application vulnerabilities
• Culture of application security innovation and contribution
  • Develops open source tools to help clients mature their software security programs
    • Remediation Resource Center, ThreadFix
  • OWASP national leaders & regular speakers at RSA, SANS, OWASP, ISSA, CSI
  • World class alliance partners accelerate innovation to solve client problems
An InfoSec Perspective on Developers
“If these developers would just stop writing such sh*tty code, all our lives would be a lot better”
- Some Security Curmudgeon, BSides Austin, 2011
The Curmudgeon
Don’t Be a Jerk; Perhaps Try Some Empathy
Developers and Overzealous InfoSec Folks
Get Your Mind Right
“My true religion is Kindness”
- Kindness, Clarity and Insight, 1984
“I feel that the essence of spiritual practice is your attitude toward others”
- Catherine Ingram interview, 1988
Get Your Mind Right
• What are the true risks to your business?
  • Physical, financial, strategic
  • Not just information assets
• How well are developers’ activities aligned with the business?
  • Features, functions, timelines
Empathy and Compassion
“I believe all suffering is caused by ignorance”
- Nobel acceptance speech, 1989
“Compassion and tolerance are not a sign of weakness, but a sign of strength”
- Words of Wisdom, 2001
Empathy and Compassion
• What are your developers actually doing?
• Why are they doing it?
• How can you support them and advance your goals?
If His Holiness the Dalai Lama Isn’t Tough Enough
Understand Developer Tools
• Workload tracking (defect trackers, change management)
• Coding (IDE)
• Automation and orchestration (continuous integration)
• Testing (unit tests, acceptance tests)
• Metrics
ThreadFix
Accelerate Software Remediation
ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
• Open source vulnerability management and aggregation platform:
  • Allows software security teams to reduce the time to remediate software vulnerabilities
  • Enables managers to speak intelligently about the status / trends of software security within their organization
• Features/Benefits:
  • Imports dynamic, static and manual testing results into a centralized platform
  • Removes duplicate findings across testing platforms to provide a prioritized list of security faults
  • Eases communication across development, security and QA teams
  • Exports prioritized list into defect tracker of choice to streamline software remediation efforts
  • Auto-generates web application firewall rules to protect data during vulnerability remediation
  • Empowers managers with vulnerability trending reports to pinpoint issues and illustrate application security progress
  • Benchmark security practice improvement against industry standards
• Freely available under the Mozilla Public License (MPL) 2.0
• Download available at: www.denimgroup.com/threadfix
What Can We Do With ThreadFix?
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
Application Portfolio Tracking
• Track multiple “Teams”
  • Arbitrary distinction – geography, line of business, common tools and practices
• Track multiple “Applications” per “Team”
  • Unit of scanning or testing
• Track Application metadata
  • Criticality, hosted URL, source code location
• Reporting can be done at the organization, Team or Application level
Demo: Application Portfolio Tracking
Fill ThreadFix Up With Vulnerability Data
• Manual file upload
• REST API
  • https://github.com/denimgroup/threadfix/wiki/Threadfix-REST-Interface
• Command Line Interface (CLI)
  • https://github.com/denimgroup/threadfix/wiki/Command-Line-Interface
  • JAR can also be used as a Java REST client library
• Jenkins plugin
  • Contributed from the ThreadFix community (yeah!)
  • https://github.com/automationdomination/threadfix-plugin
What Does ThreadFix Do With Scan Results?
• Diff against previous scans with same technology
  • What vulnerabilities are new?
  • What vulnerabilities went away?
  • What vulnerabilities resurfaced?
• Findings marked as false positive are remembered across scans
  • Hopefully saving analyst time
• Normalize and merge with other scanners’ findings
  • SAST to SAST
  • DAST to DAST
  • SAST to DAST via Hybrid Analysis Mapping (HAM)
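The scan-to-scan diff described above, written out as an added Python example (this is not ThreadFix's code). Each finding is reduced to a normalized fingerprint so that the same weakness reported by two scans of the same technology lands on one key, and a small per-application state store tracks whether each key is open, closed, or an analyst-marked false positive; folding a new scan into that state yields the new / went-away / resurfaced sets and keeps the false-positive decision from being re-triaged. The `Finding` shape, the fingerprint fields and the three sample scans are assumptions constructed for the example; ThreadFix's real merge logic is considerably richer.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Reduced stand-in for one scanner finding. The fields are an assumption for
# this example; a real importer carries far more (scanner, confidence, evidence).
@dataclass(frozen=True)
class Finding:
    cwe: int        # weakness class, e.g. 79 for XSS, 89 for SQL injection
    path: str       # URL path (DAST) or source file (SAST)
    parameter: str  # attacked parameter or tainted variable

Key = Tuple[int, str, str]

def fingerprint(f: Finding) -> Key:
    """Normalize a finding so the same weakness from two scans collapses onto one
    key: case-insensitive path without a trailing slash, case-insensitive parameter."""
    path = f.path.lower().rstrip("/") or "/"
    return (f.cwe, path, f.parameter.lower())

@dataclass
class ScanDiff:
    new: Set[Key] = field(default_factory=set)
    closed: Set[Key] = field(default_factory=set)      # open before, absent now
    resurfaced: Set[Key] = field(default_factory=set)  # closed before, back now
    still_open: Set[Key] = field(default_factory=set)
    suppressed: Set[Key] = field(default_factory=set)  # reported again, but marked FP

def mark_false_positive(state: Dict[Key, str], f: Finding) -> None:
    """Analyst decision: this fingerprint is noise. The mark outlives the scan."""
    state[fingerprint(f)] = "false_positive"

def apply_scan(state: Dict[Key, str], scan: Iterable[Finding]) -> ScanDiff:
    """Fold one new scan into the per-application state and report what changed."""
    seen = {fingerprint(f) for f in scan}
    diff = ScanDiff()
    for key in seen:
        status = state.get(key)
        if status == "false_positive":
            diff.suppressed.add(key)      # remembered across scans: no re-triage
        elif status == "closed":
            diff.resurfaced.add(key)      # regression: the fix did not hold
            state[key] = "open"
        elif status == "open":
            diff.still_open.add(key)
        else:
            diff.new.add(key)
            state[key] = "open"
    for key, status in list(state.items()):
        if status == "open" and key not in seen:
            diff.closed.add(key)          # went away; a later scan may reopen it
            state[key] = "closed"
    return diff

def demo() -> List[ScanDiff]:
    """Three constructed scans of one application; returns the diff for each."""
    state: Dict[Key, str] = {}
    scan1 = [Finding(79, "/search", "q"), Finding(89, "/login", "user"),
             Finding(79, "/profile/", "Bio")]
    d1 = apply_scan(state, scan1)                   # everything is new
    mark_false_positive(state, Finding(79, "/profile", "bio"))
    scan2 = [Finding(79, "/Search/", "Q"),          # same key as /search?q
             Finding(79, "/profile", "bio")]        # the FP is reported again
    d2 = apply_scan(state, scan2)                   # SQLi went away
    scan3 = [Finding(79, "/search", "q"), Finding(89, "/login", "user")]
    d3 = apply_scan(state, scan3)                   # SQLi resurfaced
    return [d1, d2, d3]

if __name__ == "__main__":
    for i, d in enumerate(demo(), 1):
        print(f"scan {i}: new={len(d.new)} closed={len(d.closed)} "
              f"resurfaced={len(d.resurfaced)} suppressed={len(d.suppressed)}")
```

The fingerprint is the whole game: make it too loose and unrelated findings merge, too strict and every scanner quirk (trailing slash, parameter casing) shows up as a "new" vulnerability that was already known.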
Demo: Vulnerability Merge
Hybrid Analysis Mapping (HAM)
• Initial research funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate via a Phase 1 and (now) Phase 2 Small Business Innovation Research (SBIR) contract
• Acronyms!
• Initial goal: SAST to DAST merging
• Results: That, plus other stuff
Demo: Merging Static and Dynamic Scanner Results
Demo: De-Duplicate Dynamic RESTful Scanner Results
Translate vulnerabilities to developers in the tools they are already using
How Do Developers Manage Their Workload?
Hint: Not With These…
How Do Developers Manage Their Workload?
Actually With These
Mapping Vulnerabilities to Defects
• 1:1 mapping is (usually) a horrible idea
  – 500 XSS turned into 500 defects?
  – If it takes longer to administer the bug than it does to fix the code…
• Cluster like vulnerabilities
  – Using the same libraries / functions
  – Cut-and-paste remediation code
  – Be careful about context-specific encoding
• Combine by severity
  – Especially if they are cause for an out-of-cycle release
• Which developer “owns” the code?
Defect Tracker Integration
• Bundle multiple vulnerabilities into a defect
  • Using standard filtering criteria
• ThreadFix periodically updates defect status from the tracker
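The bundling rules from the two slides above (Mapping Vulnerabilities to Defects, Defect Tracker Integration), as an added Python example rather than ThreadFix's own implementation. Findings are clustered into one defect per weakness class, output context and code owner; each defect carries the worst severity of its members and is flagged for an out-of-cycle fix when that severity reaches a release threshold. The context field is the "careful about context-specific encoding" caveat made concrete: XSS into an HTML body, an attribute and a JavaScript string need different encoders, so they must not share one cut-and-paste defect. `resolved_by_tracker` is the reverse direction, mirroring a Closed status from the tracker back onto the bundled findings. The ownership map (in the style of a CODEOWNERS file), the severity ranking and the sample findings are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Vuln:
    id: int
    cwe: int
    severity: str      # "low" | "medium" | "high" | "critical"
    file: str          # source file the fix lands in
    line: int
    context: str = ""  # output context for CWE-79: html_body, html_attribute, js_string, ...

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical ownership map in the spirit of a CODEOWNERS file; the longest
# matching path prefix wins. Constructed for this example.
OWNERS = {
    "src/web/": "web-team",
    "src/web/admin/": "admin-team",
    "src/db/": "data-team",
}

def owner_for(path: str) -> str:
    matches = [prefix for prefix in OWNERS if path.startswith(prefix)]
    return OWNERS[max(matches, key=len)] if matches else "unassigned"

@dataclass
class Defect:
    key: str            # stable handle used when syncing status back from the tracker
    owner: str
    severity: str       # worst severity among the bundled findings
    out_of_cycle: bool  # warrants a fix outside the normal release train
    vuln_ids: List[int]
    files: Set[str] = field(default_factory=set)

def bundle(vulns: List[Vuln], release_threshold: str = "critical") -> List[Defect]:
    """One defect per (weakness class, output context, owner). The same CWE in two
    teams' code becomes two defects: nobody can fix code they do not own."""
    groups: Dict[Tuple[int, str, str], List[Vuln]] = defaultdict(list)
    for v in vulns:
        groups[(v.cwe, v.context, owner_for(v.file))].append(v)
    defects: List[Defect] = []
    for (cwe, context, owner), members in sorted(groups.items()):
        worst = max(members, key=lambda v: SEVERITY_RANK[v.severity]).severity
        defects.append(Defect(
            key=f"CWE-{cwe}/{context or '-'}/{owner}",
            owner=owner,
            severity=worst,
            out_of_cycle=SEVERITY_RANK[worst] >= SEVERITY_RANK[release_threshold],
            vuln_ids=sorted(v.id for v in members),
            files={v.file for v in members},
        ))
    return defects

def resolved_by_tracker(defects: List[Defect], tracker_status: Dict[str, str]) -> List[int]:
    """Mirror the tracker back onto findings: every finding bundled into a defect the
    tracker now reports as Closed is treated as fixed until the next scan says otherwise."""
    return sorted(v for d in defects if tracker_status.get(d.key) == "Closed"
                  for v in d.vuln_ids)

# Constructed sample: four XSS findings across two output contexts and two teams'
# code, plus two SQL injection findings in the data layer.
SAMPLE = [
    Vuln(1, 79, "medium", "src/web/search.jsp", 40, "html_body"),
    Vuln(2, 79, "medium", "src/web/results.jsp", 12, "html_body"),
    Vuln(3, 79, "medium", "src/web/results.jsp", 58, "html_attribute"),
    Vuln(4, 79, "high", "src/web/admin/users.jsp", 20, "html_body"),
    Vuln(5, 89, "critical", "src/db/UserDao.java", 77),
    Vuln(6, 89, "high", "src/db/ReportDao.java", 101),
]

if __name__ == "__main__":
    for d in bundle(SAMPLE):
        flag = " OUT-OF-CYCLE" if d.out_of_cycle else ""
        print(f"{d.key}: {len(d.vuln_ids)} finding(s), {d.severity}, {d.owner}{flag}")
```

Six findings become four defects here, not one and not six; the release threshold is a knob, and lowering it to "high" promotes the admin-team XSS defect to out-of-cycle as well.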
Demo: Defect Tracker Integration
Where Do Developers Actually Spend Their Time?
IDE Plug-Ins
• Import vulnerability data to integrated development environments (IDEs)
  • Static (SAST) scanners
    • Easy
  • Dynamic (DAST) scanners
    • Possible using Hybrid Analysis Mapping (HAM)
Map Dynamic Scan Results to LoC in IDE
How Do Developers Know Their Software Works?
Get Security Testing Included in Builds
• Developers and QA are already running tools (hopefully)
• Embrace what they are doing and expand to include security
• Why?
  • Reduce Mean Time To Identify (MTTI)
    • Difference between when a vulnerability is introduced and when it is found
  • Reduce Mean Time To Fix (MTTF)
    • Easier to fix vulnerabilities in code that is top-of-mind
ThreadFix Jenkins Plugin
https://wiki.jenkins-ci.org/display/JENKINS/ThreadFix+Plugin
Taking Advantage of Selenium Tests
• Use them to seed dynamic scanning
• Improve your crawl, get better coverage
• Great opportunity to interact with development teams
https://community.rapid7.com/community/appspider/blog/2015/07/07/fix-security-defects-earlier-with-appspider-and-selenium-integration
http://www.continuumsecurity.net/bdd-intro.html
SecDevOps with ThreadFix
What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
What Metrics Do Developers Track?
• Usually focused on Quality
  • Defect density: defects per kilo-line-of-code (KLoC)
• Make the security backlog show up alongside the actual backlog
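The three numbers the build-integration and metrics slides above ask for, MTTI, MTTF and a security defect density in the same defects-per-KLoC shape developers already track, computed in an added Python example (not ThreadFix's or the talk's code) over a constructed set of findings. Introduction dates stand for what `git blame` on the offending line would give you; found and fixed dates come from scan history. The date values, the 12.5 KLoC figure and the `AS_OF` reporting date are assumptions for the example. `mttf_by_detection_latency` splits MTTF by how quickly a finding was detected, which is the comparison you would run against your own data to test the slide's claim that code still top-of-mind gets fixed faster.

```python
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Constructed finding records: introduced = commit date of the offending line,
# found = first scan that reported it, fixed = None while still open.
RECORDS: List[Dict] = [
    {"id": 1, "introduced": date(2015, 3, 2), "found": date(2015, 3, 30), "fixed": date(2015, 4, 6)},
    {"id": 2, "introduced": date(2015, 3, 9), "found": date(2015, 3, 30), "fixed": None},
    {"id": 3, "introduced": date(2015, 4, 1), "found": date(2015, 4, 3), "fixed": date(2015, 4, 4)},
    {"id": 4, "introduced": date(2015, 4, 1), "found": date(2015, 4, 3), "fixed": date(2015, 4, 10)},
]
KLOC = 12.5               # assumed size of the scanned code base, in thousands of lines
AS_OF = date(2015, 4, 5)  # assumed reporting date

def mean_time_to_identify(records: List[Dict]) -> float:
    """Mean days between a vulnerability entering the code and a scan finding it."""
    return mean((r["found"] - r["introduced"]).days for r in records)

def mean_time_to_fix(records: List[Dict]) -> Optional[float]:
    """Mean days from detection to fix. Open findings are excluded rather than
    counted as zero, so a team that never fixes anything does not look fast."""
    durations = [(r["fixed"] - r["found"]).days for r in records if r["fixed"] is not None]
    return mean(durations) if durations else None

def open_on(records: List[Dict], day: date) -> List[int]:
    """IDs of findings already reported and not yet fixed on the given day."""
    return [r["id"] for r in records
            if r["found"] <= day and (r["fixed"] is None or r["fixed"] > day)]

def security_defect_density(records: List[Dict], kloc: float, day: date) -> float:
    """Open security findings per KLoC: the same shape as the quality metric
    developers already track, so it can sit next to it on the dashboard."""
    return len(open_on(records, day)) / kloc

def mttf_by_detection_latency(records: List[Dict], fast_days: int = 7) -> Dict[str, Optional[float]]:
    """MTTF for findings caught within fast_days of introduction vs. the rest."""
    fast = [r for r in records if (r["found"] - r["introduced"]).days <= fast_days]
    slow = [r for r in records if (r["found"] - r["introduced"]).days > fast_days]
    return {"fast": mean_time_to_fix(fast), "slow": mean_time_to_fix(slow)}

def report(records: List[Dict] = RECORDS, kloc: float = KLOC, day: date = AS_OF) -> Dict:
    """Everything the security backlog needs to show up next to the quality backlog."""
    return {
        "mtti_days": mean_time_to_identify(records),
        "mttf_days": mean_time_to_fix(records),
        "open_ids": open_on(records, day),
        "density_per_kloc": security_defect_density(records, kloc, day),
        "mttf_by_latency": mttf_by_detection_latency(records),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Density is reported as of a date rather than as a running total so that it can be plotted per build; the MTTF exclusion of still-open findings is the caveat to watch, since a backlog that is never closed will not move the number at all.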
SonarQube Integration
• Pull security vulnerabilities into the backlog being tracked in SonarQube
• Can be used:
  • Via ThreadFix server
  • Analyzing local files (no need for ThreadFix server installation)
• Essentially a universal security tool plugin for SonarQube
So What?
• Don’t be a jerk; empathize
  • Also remember that you’re outnumbered and probably outgunned
• Be like the Dalai Lama (or a Green Beret)
• Get to know developers, their tools, and their processes
  • Look for opportunities to influence the conversation
• How can you use these tools to further security goals?
  • Frame what you want (“fix vulnerabilities”, “write secure code”) in their terms
  • Check with your security vendors – do they integrate with developer tools?
Important Links
• Main ThreadFix website: www.threadfix.org
  • General information, downloads
• ThreadFix GitHub site: www.github.com/denimgroup/threadfix
  • Code, issue tracking
• ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki
  • Project documentation
• ThreadFix Google Group: https://groups.google.com/forum/?fromgroups#!forum/threadfix
  • Community support, general discussion
Questions / Contact Information
Dan Cornell
Principal and CTO
dan@denimgroup.com
Twitter @danielcornell
(844) 572-4400
www.denimgroup.com
www.threadfix.org

The road towards better automotive cybersecurityRogue Wave Software
 
The savvy security leader final dg ppt issa_la
The savvy security leader final dg ppt issa_laThe savvy security leader final dg ppt issa_la
The savvy security leader final dg ppt issa_laISSA LA
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Denim Group
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT SystemsDenim Group
 
Create Agile confidence for better application security
Create Agile confidence for better application securityCreate Agile confidence for better application security
Create Agile confidence for better application securityRogue Wave Software
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset  Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Denim Group
 

Similar to SecDevOps: Development Tools for Security Pros (20)

Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
SAST in the SDLC: Building a plan for 'going left'
SAST in the SDLC:  Building a plan for 'going left'SAST in the SDLC:  Building a plan for 'going left'
SAST in the SDLC: Building a plan for 'going left'
 
Linking Upstream and Downstream Agile
Linking Upstream and Downstream AgileLinking Upstream and Downstream Agile
Linking Upstream and Downstream Agile
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
The savvy security leader final dg ppt issa_la
The savvy security leader final dg ppt issa_laThe savvy security leader final dg ppt issa_la
The savvy security leader final dg ppt issa_la
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
 
Create Agile confidence for better application security
Create Agile confidence for better application securityCreate Agile confidence for better application security
Create Agile confidence for better application security
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset  Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
 

More from Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingDenim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Denim Group
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsDenim Group
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsDenim Group
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesDenim Group
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program Denim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

SecDevOps: Development Tools for Security Pros

7. Developers And Overzealous InfoSec Folks

8. Get Your Mind Right
  "My true religion is Kindness"
  -Kindness, Clarity and Insight, 1984
  "I feel that the essence of spiritual practice is your attitude toward others"
  -Catherine Ingram interview, 1988

9. Get Your Mind Right
  • What are the true risks to your business?
    • Physical, financial, strategic
    • Not just information assets
  • How well are developers' activities aligned with the business?
    • Features, functions, timelines

10. Empathy and Compassion
  "I believe all suffering is caused by ignorance"
  -Nobel acceptance speech, 1989
  "Compassion and tolerance are not a sign of weakness, but a sign of strength"
  -Words of Wisdom, 2001

11. Empathy and Compassion
  • What are your developers actually doing?
  • Why are they doing it?
  • How can you support them and advance your goals?

12. If His Holiness the Dalai Lama Isn't Tough Enough

13. Understand Developer Tools
  • Workload tracking (defect trackers, change management)
  • Coding (IDE)
  • Automation and orchestration (continuous integration)
  • Testing (unit tests, acceptance tests)
  • Metrics

14. ThreadFix: Accelerate Software Remediation
  ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.

15. ThreadFix
  • Open source vulnerability management and aggregation platform:
    • Allows software security teams to reduce the time to remediate software vulnerabilities
    • Enables managers to speak intelligently about the status and trends of software security within their organization
  • Features/Benefits:
    • Imports dynamic, static and manual testing results into a centralized platform
    • Removes duplicate findings across testing platforms to provide a prioritized list of security faults
    • Eases communication across development, security and QA teams
    • Exports the prioritized list into the defect tracker of choice to streamline software remediation efforts
    • Auto-generates web application firewall rules to protect data during vulnerability remediation
    • Empowers managers with vulnerability trending reports to pinpoint issues and illustrate application security progress
    • Benchmarks security practice improvement against industry standards
  • Freely available under the Mozilla Public License (MPL) 2.0
  • Download available at: www.denimgroup.com/threadfix

16. What Can We Do With ThreadFix?
  • Create a consolidated view of your applications and vulnerabilities
  • Prioritize application risk decisions based on data
  • Translate vulnerabilities to developers in the tools they are already using

17. Application Portfolio Tracking
  • Track multiple "Teams"
    • Arbitrary distinction: geography, line of business, common tools and practices
  • Track multiple "Applications" per "Team"
    • Unit of scanning or testing
  • Track Application metadata
    • Criticality, hosted URL, source code location
  • Reporting can be done at the organization, Team or Application level

18. Demo: Application Portfolio Tracking

19. Fill ThreadFix Up With Vulnerability Data
  • Manual file upload
  • REST API
    • https://github.com/denimgroup/threadfix/wiki/Threadfix-REST-Interface
  • Command Line Interface (CLI)
    • https://github.com/denimgroup/threadfix/wiki/Command-Line-Interface
    • JAR can also be used as a Java REST client library
  • Jenkins plugin
    • Contributed from the ThreadFix community (yeah!)
    • https://github.com/automationdomination/threadfix-plugin

20. What Does ThreadFix Do With Scan Results?
  • Diff against previous scans with the same technology
    • What vulnerabilities are new?
    • What vulnerabilities went away?
    • What vulnerabilities resurfaced?
  • Findings marked as false positive are remembered across scans
    • Hopefully saving analyst time
  • Normalize and merge with other scanners' findings
    • SAST to SAST
    • DAST to DAST
    • SAST to DAST via Hybrid Analysis Mapping (HAM)
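The scan-to-scan diff described on this slide, written out as an added Python example that is not ThreadFix's own code; the finding key (vulnerability type, URL path, parameter), the dataclass names and the sample findings are constructed assumptions.

```python
"""Constructed model of diffing a new scan against earlier scans of the
same application (added example, not ThreadFix's own code)."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

Key = Tuple[str, str, str]  # assumed key: (vulnerability type, path, parameter)


@dataclass(frozen=True)
class Finding:
    vuln_type: str
    path: str
    parameter: str

    def key(self) -> Key:
        return (self.vuln_type, self.path, self.parameter)


@dataclass
class ScanDiff:
    new: Set[Key]              # never reported by any earlier scan
    closed: Set[Key]           # reported by the previous scan, gone now
    resurfaced: Set[Key]       # seen in an older scan, absent last time, back again
    false_positives: Set[Key]  # current findings suppressed by earlier triage
    still_open: Set[Key]       # what an analyst still has to look at


def diff_scans(history: List[Iterable[Finding]], current: Iterable[Finding],
               known_false_positives: Set[Key]) -> ScanDiff:
    """history is oldest-first and holds only scans by the same technology
    (SAST against SAST, DAST against DAST), as the slide requires."""
    past = [{f.key() for f in scan} for scan in history]
    now = {f.key() for f in current}
    last = past[-1] if past else set()
    ever = set().union(*past) if past else set()
    fps = now & known_false_positives  # triage decision carried forward
    return ScanDiff(
        new=now - ever,
        closed=last - now,
        resurfaced=(now & ever) - last,
        false_positives=fps,
        still_open=now - fps,
    )
```

A finding that was triaged as a false positive in an earlier scan is still reported in `false_positives` so the suppression stays auditable, but it is kept out of `still_open`.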
21. Demo: Vulnerability Merge

22. Hybrid Analysis Mapping (HAM)
  • Initial research funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate via a Phase 1 and (now) Phase 2 Small Business Innovation Research (SBIR) contract
    • Acronyms!
  • Initial goal: SAST to DAST merging
  • Results: That, plus other stuff

23. Demo: Merging Static and Dynamic Scanner Results

24. Demo: De-Duplicate Dynamic RESTful Scanner Results

25. Translate vulnerabilities to developers in the tools they are already using

26. How Do Developers Manage Their Workload?
  Hint: Not With These...

27. How Do Developers Manage Their Workload?
  Actually With These

28. Mapping Vulnerabilities to Defects
  • 1:1 mapping is (usually) a horrible idea
    • 500 XSS turned into 500 defects?
    • If it takes longer to administer the bug than it does to fix the code...
  • Cluster like vulnerabilities
    • Using the same libraries / functions
    • Cut-and-paste remediation code
    • Be careful about context-specific encoding
  • Combine by severity
    • Especially if they are cause for an out-of-cycle release
  • Which developer "owns" the code?

29. Defect Tracker Integration
  • Bundle multiple vulnerabilities into a defect
    • Using standard filtering criteria
  • ThreadFix periodically updates defect status from the tracker
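One way to bundle like vulnerabilities into defects along the lines of slides 28 and 29, as an added Python example that is not ThreadFix's own code; the clustering rules (same type and source file, XSS split by output context, Critical combined by severity), the field names and the sample findings are assumptions.

```python
"""Constructed model of bundling vulnerabilities into defect-tracker tickets
(added example, not ThreadFix's own code). Assumed rules: findings that share
a vulnerability type and source file become one defect; XSS is further split
by output context because the right encoding differs; Critical findings are
combined by severity so they can drive an out-of-cycle release."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CRITICAL_KEY = "severity:Critical"


@dataclass(frozen=True)
class Finding:
    vuln_type: str                 # e.g. "XSS", "SQLi"
    severity: str                  # e.g. "Critical", "High", "Medium"
    source_file: str               # where the remediation code goes
    context: Optional[str] = None  # XSS output context, when the scanner reports it


@dataclass
class Defect:
    title: str
    findings: List[Finding] = field(default_factory=list)


def cluster_key(f: Finding) -> str:
    """Decide which defect a finding belongs to."""
    if f.severity == "Critical":
        return CRITICAL_KEY
    if f.vuln_type == "XSS":  # HTML body, attribute and JavaScript need different encoders
        return f"XSS|{f.source_file}|{f.context or 'unknown-context'}"
    return f"{f.vuln_type}|{f.source_file}"


def bundle(findings: List[Finding]) -> List[Defect]:
    """Turn N findings into far fewer defects, one per cluster."""
    groups: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        groups[cluster_key(f)].append(f)
    defects = []
    for key, fs in sorted(groups.items()):
        if key == CRITICAL_KEY:
            title = f"Critical: {len(fs)} finding(s) for out-of-cycle release"
        else:
            title = f"{fs[0].vuln_type} in {fs[0].source_file} ({len(fs)} instances)"
        defects.append(Defect(title=title, findings=fs))
    return defects
```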
30. Demo: Defect Tracker Integration

31. Where Do Developers Actually Spend Their Time?

32. Where Do Developers Actually Spend Their Time?

33. IDE Plug-Ins
  • Import vulnerability data to integrated development environments (IDEs)
    • Static (SAST) scanners
      • Easy
    • Dynamic (DAST) scanners
      • Possible using Hybrid Analysis Mapping (HAM)

34. Map Dynamic Scan Results to LoC in IDE

35. How Do Developers Know Their Software Works?

36. How Do Developers Know Their Software Works?

37. Get Security Testing Included In Builds
  • Developers and QA are already running tools (hopefully)
    • Embrace what they are doing and expand to include security
  • Why?
    • Reduce Mean Time To Identify (MTTI)
      • Difference between when a vulnerability is introduced and when it is found
    • Reduce Mean Time To Fix (MTTF)
      • Easier to fix vulnerabilities in code that is top-of-mind

38. ThreadFix Jenkins Plugin
  https://wiki.jenkins-ci.org/display/JENKINS/ThreadFix+Plugin

39. Taking Advantage of Selenium Tests
  • Use them to seed dynamic scanning
  • Improve your crawl, get better coverage
  • Great opportunity to interact with development teams
  https://community.rapid7.com/community/appspider/blog/2015/07/07/fix-security-defects-earlier-with-appspider-and-selenium-integration
  http://www.continuumsecurity.net/bdd-intro.html

40. SecDevOps with ThreadFix
  What does your pipeline look like?
  http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
  http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
  https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html

41. What Metrics Do Developers Track?
  • Usually focused on quality
    • Defect density: defects per kilo-line-of-code (KLoC)
  • Make the security backlog show up alongside the actual backlog

42. SonarQube Integration
  • Pull security vulnerabilities into the backlog being tracked in SonarQube
  • Can be used:
    • Via ThreadFix server
    • Analyzing local files (no need for a ThreadFix server installation)
  • Essentially a universal security tool plugin for SonarQube

43. SonarQube Integration

44. So What?
  • Don't be a jerk; empathize
    • Also remember that you're outnumbered and probably outgunned
  • Be like the Dalai Lama (or a Green Beret)
  • Get to know developers, their tools, and their processes
  • Look for opportunities to influence the conversation
    • How can you use these tools to further security goals?
    • Frame what you want ("fix vulnerabilities", "write secure code") in their terms
  • Check with your security vendors: do they integrate with developer tools?

45. Important Links
  • Main ThreadFix website: www.threadfix.org
    • General information, downloads
  • ThreadFix GitHub site: www.github.com/denimgroup/threadfix
    • Code, issue tracking
  • ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki
    • Project documentation
  • ThreadFix Google Group: https://groups.google.com/forum/?fromgroups#!forum/threadfix
    • Community support, general discussion

46. Questions / Contact Information
  Dan Cornell
  Principal and CTO
  dan@denimgroup.com
  Twitter @danielcornell
  (844) 572-4400
  www.denimgroup.com
  www.threadfix.org