AppSec at High Speed and Scale - Micro Focus (Scott Johnson, Fortify GM)

Post on 19-Jun-2020


TRANSCRIPT

#MicroFocusCyberSummit

AppSec at High Speed and Scale

Scott Johnson, Fortify GM

Agility, Integration & Automation

This document contains forward looking statements regarding future operations, product

development, product capabilities and availability dates. This information is subject to

substantial uncertainties and is subject to change at any time without prior notification.

Statements contained in this document concerning these matters only reflect Micro Focus's

predictions and / or expectations as of the date of this document and actual results and future

plans of Micro Focus may differ significantly as a result of, among other things, changes in

product strategy resulting from technological, internal corporate, market and other changes.

This is not a commitment to deliver any material, code or functionality and should not be relied

upon in making purchasing decisions.

Forward Looking Statements: Legal Disclaimer

AppSec trends

Today’s trend is tomorrow’s challenge

Meeting the challenge, accelerating for tomorrow

Roadmap


Agenda

AppSec Trends

Tsunami of Apps


1000 applications and counting…

Speed vs Depth


“I want 5 minute scans with no false positives.”

Developer User Story


We have seen the AppSec team AND IT IS YOU! (the developer)

More Code, More Problems …

More code…

More code, more vulns …


More vulns …

More vulns, more risk …


More risk, more pressure!


Solutions and Examples

You need an AppSec pressure relief valve!

Innovation/Roadmap Themes


Integration Automation Agility

On-premise / On Demand

Fortify Ecosystem

Software Security Research

Static Analysis – SCA

Scan and Assess Source Code

Dynamic Analysis – WebInspect

Web Application Vuln Scanning

Runtime Analysis – App Defender

Application Protection & Monitoring

Fortify Integration

Fortify Ecosystem

JS Sandbox Project

Jenkins Plugin

Bug Tracker Tools

Swagger supported RestAPIs

SSC Parser Sample

Fortify Integration


https://fortify.github.io/

Bamboo Plugin

Fortify Integration


https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview

VSTS Extension

https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts

Fortify Integration

Snyk Integration

Fortify Automation

Audit Assistant

Auto-train

Auto-predict

Auto-tag

Unaudited results enter SSC

Audited issues arrive in SSC

Audit Assistant derives anonymous issue metrics and securely sends them to scan analytics

Classifiers report verified vulnerabilities with up to 98% accuracy

Fortify Automation

Centralized Translation & Scanning

Light weight utility for Devs

No need to install SCA on build server

Payload automatically transferred to controller

Smart control queueing & monitoring

Automated scan results submission

Benefits

Cross language support

Removes dependency issues

Reduced infrastructure costs

Centrally managed

Designed for Enterprise Dev enablement

Slack Enabled FoD!

Release updates

Applications changes

Reports and scan status

Fortify Automation

Fortify Agility

Security Assistant for Visual Studio

Swift Language Support

SCA 18.10 has support for:

Swift 4

Xcode 9, 9.1, 9.2

Latest Obj-C

SCA 18.11 has support for:

Swift 4.1.x

Xcode 9.3, 9.4

Latest Obj-C

Fortify Agility


Support within 3 to 6 weeks of Apple updates!

Fortify Roadmap

Q1 '18 / Q2 '18

Fortify Roadmap

Fortify - SCA / SSC / WebInspect / Fortify on Demand

This is a rolling (up to three year) Roadmap and is subject to change without notice

Targeted / Available

Application issue templates

“Your Scans” page view

Nexgen Open Source integration with Sonatype

Tools update: IntelliJ audit

Delivery optimization

FoD 18.1

Audit assistant prediction automation (analytics built-in)

Languages updates: ECMA 2016/2017, Swift 4/4.1, Xcode 9.x, Python 3.x, Xamarin, Scala-Play

SSC scalability and token management

SSC UX refresh and branding

Tools update: Security Assistant for Visual Studio, Bamboo plugin

Headless dynamic architecture

Dynamic setup simplification and dockerized deployment

On-Premise 18.1

Nexgen dynamic scanning automation

Tools update: Security Assistant for Visual Studio, Bamboo plugin

Dashboarding & analytics

Delivery optimization

Dynamic automation

Performance & scalability

Faster remediation

Improved new user UX

Improved open source analysis (JS support)

FoD Upcoming

Dynamic automation (WI + nexgen platform)

Performance & scalability

Integrations (API v4, DevOps toolchain)

False positive reduction

Dashboarding & analytics

Static automation

FoD Future

High level themes

On-Premise Upcoming

Continued focus on customer driven innovation features for:

Integration / Automation / Agility

Examples include: Plugin consolidation, Angular, Java 11, Python-Django, Swift 5, Go, Ruby on Rails, centralized scanning and dependency orchestration, dynamic shift left

Licensing simplification

On-Premise Future

FoD 18.2

SSC Audit page redesign, SSC scalability

Centralized scanning phase 1

Languages updates: TypeScript, Swift 4.2/Xcode 10, Python 2 update, Obj-C, .NET MSBuild, SCA logging enhancements, C/C++

New Jenkins plugin with pipelines and build fail support

Dynamic headless tech preview

WI Firefox update, extended crawling support w/Angular 4+, REST API improvements, sensor management

Thanks!

#MicroFocusCyberSummit
