#MicroFocusCyberSummit
Using Automatic and Manual Tests for Static, Dynamic, and Mobile with Fortify on Demand
Rick Smith
Product Manager
Agenda
Identifying the cost
Identifying the tool
A quick case study
Thinking about the cost
Cliché Alert: Nothing in Life is Free
The challenge becomes identifying the cost:
Opportunity
Time
Risk
Reputation
Features
Productivity
Relationships
Sanity!
Application Security Today is Complex
Procuring secure software
Certifying new releases
Securing legacy applications
Demonstrating compliance
Monitoring / protecting production software
Software sources: legacy software, in-house development, open source, outsourced, commercial
It isn’t getting easier: Software @ DevOps Speed
(Chart: release frequency and number of applications, both rising from 2010 through 2015 to 2020+)
Identifying the Right Tool
Enterprise DevSecOps
Choosing the Right Tool: To a Hammer, Everything is a Nail. Do you need a hammer?
The Right Fit
Open Source Analysis
Real-time Static
Continuous Monitoring
Dynamic
Static
Mobile
Static Made Simple
Easily upload source from the IDE, and audit there as well
Fortify on Demand static workflow:
Step 1: Develop & check-in code (developers, IDE)
Step 2: Scheduled or triggered check-out & build (source control repository, continuous integration server)
Step 3: Start static assessment (Fortify SCA, Fortify Scan Analytics)
Step 4: Automated audit
(Optional) Step 5: Manual audit (FoD security expert)
Step 6: Triage, assign & fix vulnerabilities (vulnerability management, defect management)
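Steps 4 to 6 of that workflow (automated audit, optional manual audit, triage into defects) as an added example of the build-gate logic a CI server would run on the scan results. This is illustrative code written for this page, not Fortify on Demand's own code or API: the finding fields, the audit-status names, the severity threshold and the fingerprint rule are all assumptions, and the scan results are constructed sample data.

```python
"""CI build gate for a static scan: fold prior manual audit decisions into a
fresh scan, block the build on unresolved findings at or above a threshold,
and group what remains into defects. Added example; the finding format and
status names are assumptions, not Fortify on Demand's own."""
import hashlib
from collections import defaultdict

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Only a reviewer's "Not an Issue" decision removes a finding from the gate
# (assumed status name).
SUPPRESSING_STATUSES = {"Not an Issue"}


def fingerprint(finding):
    """Stable identity for a finding: category, file, function and sink.
    The line number is deliberately excluded so that an audit decision
    survives unrelated edits that shift code up or down (assumed rule)."""
    key = "|".join(finding[k] for k in ("category", "file", "function", "sink"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def gate(findings, prior_audits, threshold="High"):
    """Automated audit: apply prior manual decisions (fingerprint -> status)
    to the fresh scan and decide whether the build may proceed.

    Returns 'passed' plus the 'blocking', 'suppressed' and 'unreviewed' lists
    so the pipeline can fail fast and still hand reviewers the new findings."""
    min_rank = SEVERITY_RANK[threshold]
    blocking, suppressed, unreviewed = [], [], []
    for f in findings:
        fp = fingerprint(f)
        status = prior_audits.get(fp, "Unreviewed")
        enriched = {**f, "fingerprint": fp, "status": status}
        if status in SUPPRESSING_STATUSES:
            suppressed.append(enriched)
            continue
        if status == "Unreviewed":
            unreviewed.append(enriched)
        if SEVERITY_RANK[f["severity"]] >= min_rank:
            blocking.append(enriched)
    return {"passed": not blocking, "blocking": blocking,
            "suppressed": suppressed, "unreviewed": unreviewed}


def to_defects(findings):
    """Triage: one defect per (category, file), so a developer receives a
    single ticket per root cause rather than one per sink."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["category"], f["file"])].append(f)
    defects = []
    for (category, path), items in sorted(groups.items()):
        worst = max(items, key=lambda f: SEVERITY_RANK[f["severity"]])
        defects.append({
            "title": f"{category} in {path}",
            "severity": worst["severity"],
            "locations": sorted(f"{f['function']}:{f['line']}" for f in items),
            "fingerprints": sorted(f["fingerprint"] for f in items),
        })
    return defects


# Constructed sample scan output (not real scanner data).
SCAN_RESULTS = [
    {"category": "SQL Injection", "severity": "Critical", "file": "app/orders.py",
     "function": "lookup_order", "sink": "cursor.execute", "line": 42},
    {"category": "SQL Injection", "severity": "Critical", "file": "app/orders.py",
     "function": "search_orders", "sink": "cursor.execute", "line": 88},
    {"category": "Path Manipulation", "severity": "High", "file": "app/export.py",
     "function": "write_report", "sink": "open", "line": 17},
    {"category": "Weak Cryptographic Hash", "severity": "Medium", "file": "app/legacy.py",
     "function": "checksum", "sink": "hashlib.md5", "line": 5},
]

# Constructed prior audit: a reviewer confirmed lookup_order binds its
# parameters, back when the sink sat on a different line.
PRIOR_AUDITS = {
    fingerprint({"category": "SQL Injection", "file": "app/orders.py",
                 "function": "lookup_order", "sink": "cursor.execute"}): "Not an Issue",
}

if __name__ == "__main__":
    result = gate(SCAN_RESULTS, PRIOR_AUDITS, threshold="High")
    print("build passed:", result["passed"])
    for defect in to_defects(result["blocking"]):
        print(defect["severity"], defect["title"], defect["locations"])
```

The gate fails the build here because search_orders is an unreviewed Critical and write_report is an unreviewed High, while the previously audited lookup_order finding is suppressed even though its line number moved; the Medium hash finding is reported as unreviewed but does not block. Raising the threshold to "Critical" leaves only the SQL injection blocking.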
Open Source Analysis
Bill of materials, known vulnerabilities, license risk
Static – Full Build Integration
Audited static results at DevOps speed
Our infrastructure & expertise; your applications
Dynamic Results at Scale – Speed and Depth
Fast dynamic, augmented with human testing
Mobile – Blazing Fast + Thorough
Automated results in 1 minute
Full device stack testing
Open Source Component Analysis
Are your libraries introducing risk?
Real-time Static Analysis
Instant feedback within the IDE
Continuous Monitoring
Focusing on the OWASP Top 10 with fast & lightweight scanning
Putting it all together
Balancing the Pace of Development
Flexibility is critical
Automate where possible
Leverage integrations
Build security in as quality
Case Study: Fortify on Demand
Continuous lightweight static
Weekly static
Dynamic after deploy
Continuous monitoring in prod
Defects to Octane
Constant feedback
Question & Answer
Thank You.