Post on 13-Jun-2020

#MicroFocusCyberSummit

Using Automatic and Manual Tests for Static, Dynamic, and Mobile with Fortify on Demand

Rick Smith

Product Manager

Agenda

Identifying the cost

Identifying the tool

A quick case study

Thinking about the cost

Cliché Alert: Nothing in Life is Free

Challenge becomes identifying the cost:

Opportunity

Time

Risk

Reputation

Features

Productivity

Relationships

Sanity!

Application Security Today is Complex

Procuring secure software

Certifying new releases

Securing legacy applications

Demonstrating Compliance

Monitoring / Protecting Production Software

Legacy Software, In-house Development, Open Source, Outsourced, Commercial

It isn’t getting easier

[Chart: Number of Applications and Release Frequency, plotted across 2010, 2015 and 2020+]

Software @ DevOps Speed

Identifying the Right Tool

Enterprise DevSecOps

To a Hammer, Everything is a Nail. Do you need a hammer?

Choosing the Right Tool

The Right Fit

Open Source Analysis

Real-time Static

Continuous Monitoring

Dynamic

Static

Mobile

Static Made Simple

Easily upload source from the IDE, and audit there as well

Fortify on Demand static assessment workflow:

Step 1: Developers develop & check in code (IDE)

Step 2: Scheduled or triggered check-out & build (source control repository, continuous integration server)

Step 3: Start Static Assessment (Fortify SCA, Fortify Scan Analytics)

Step 4: Automated Audit

(Optional) Step 5: Manual Audit (FoD security expert)

Step 6: Triage, assign & fix vulnerabilities (vulnerability management, defect management)

Open Source Analysis: Bill of materials, Known vulnerabilities, License risk

Static – Full Build Integration: Audited static results at DevOps speed

Our infrastructure & expertise. Your applications.

Dynamic Results at Scale – Speed and Depth: Fast dynamic, augmented with human testing

Mobile – Blazing Fast + Thorough: Automated results in 1 minute, Full device stack testing

Open Source Component Analysis: Are your libraries introducing risk?

Real-time Static Analysis: Instant feedback within the IDE

Continuous Monitoring: Focusing on the OWASP Top 10 with fast & lightweight scanning

Putting it all together

Balancing the Pace of Development

Flexibility is critical

Automate where possible

Leverage integrations

Build security in as quality

Case Study: Fortify on Demand

Continuous lightweight static

Weekly static

Dynamic after deploy

Continuous monitoring in prod

Defects to Octane

Constant feedback

Question & Answer

Thank You.
