© 2019 Synopsys, Inc.
Bridging the security testing gap in CI/CD pipeline
Kimm Yeo and Asma Zubair
SIG Product Marketing and Management

Agenda
• Market trends and challenges
• App security gap in CI/CD and IAST
• Introducing Seeker IAST
• Seeker demonstration
• Q & A

The pace of digital transformation today
94% of enterprises have accelerated or significantly accelerated the pace of innovation [1]
Sources:
1. Accenture 2019 executive technology vision study (link)
2. 451 DevSecOps research report

What’s next?
Accenture 2019 executive vision: one of the top five trends for the next three years
• Increased risks and complexity: enterprises are not just potential victims, but also vectors for attacks on others
• Importance of cybersecurity: one of the top 5 trends for the next 3 years
Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs; Accenture 2019 tech vision report (link)

The pace of digital transformation today
With digital transformation becoming a level playing field, new challenges arose
• Increased risks and complexity: enterprises are not just potential victims, but also vectors for attacks on others
Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs

Current state of cybersecurity
State of software security in financial services [2]:
• 62% do not have the necessary cybersecurity skills
• Only 23% perform security assessment of third parties directly
• 74% are concerned about software and systems supplied by third parties
• 76% have difficulty detecting vulnerabilities in software systems before release
11B records breached [1] (and still counting...)
Sources:
1. Privacy Rights data breaches (link)
2. Ponemon state of security in financial services industry report

Application security tools in CI/CD workflows
Question: What are the critical app sec testing tools to add to CI/CD workflows?
[Chart: tools shown are third-party penetration testing, fuzz testing, software composition analysis, dynamic analysis and static analysis; values shown are 57%, 31%, 61%, 59% and 51%]
Source: 451 DevSecOps Research, Examining DevSecOps Realities & Opportunities (link)

Application security gap in SDLC
Pipeline stages: code development → code commit → build → test → deploy → production release
Security activities shown along the pipeline:
• Lightweight IDE SAST tools
• TM, SAST, manual code review
• SCA, SAST (deeper level)
• DAST, fuzz testing, pen testing, load/performance test, hardening checks
• Monitoring, pen testing, red teaming
How do you take siloed, disparate development, operations and security processes and transform them into an integrated tool chain?

Security testing challenges in CI/CD workflows
What are the most significant app security testing challenges inherent in CI/CD workflows?
• Lack of automated, integrated security testing tools: 61%
• Inconsistent approach: 56%
• Security testing slows things down: 48%
• False positives: 46%
• Developer resistance: 36%
• Compliance: 35%
Source: 451 DevSecOps Research, 2018, Examining DevSecOps Realities & Opportunities (link)

The challenges of building security into modern application development and delivery
• How do we integrate and automate dynamic security testing into our CI/CD?
• How do we minimize the effort for developers to find and fix vulnerabilities?
• How do we maximize application security AND development velocity?
• How do we identify and prioritize the most severe vulnerabilities?

Interactive Application Security Testing (IAST)

Continuous security testing with IAST
Pipeline stages: code development → code commit → build → test (functional and non-functional) → deploy → production release
IAST (continuous runtime security test) runs alongside functional and non-functional testing; the other activities stay in place:
• Lightweight IDE SAST tools
• TM, SAST, manual code review
• SCA, SAST (deeper level)
• DAST, fuzz testing, pen testing, load/performance test, hardening checks
• Monitoring, pen testing, red teaming

IAST runtime testing & analysis
• Analysis of code execution using runtime monitors
• Visibility into executed code and runtime data, such as:
  – HTTP requests, end to end
  – Parameter propagation
  – HTTP response writing
  – Database calls
  – Database responses
  – File system calls (and content)
  – String manipulations
  – Memory (like a debugger “watch”)
  – Usage of third-party libraries
  – Web services calls
  – On-the-fly code generation
  – More…

Comparison of SAST, IAST, and DAST
Typically used in:
• SAST: development
• IAST: integration and QA
• DAST: QA or production
Usually requires:
• SAST: source code
• IAST: functional app and test suite
• DAST: functional app
Integrates in CI/CD:
• SAST: yes
• IAST: yes
• DAST: no, not really
Capabilities:
• SAST: finds vulnerabilities earliest in the SDLC; gives fast line-of-code insights
• IAST: finds vulnerabilities during functional test (no scans required); gives runtime and line-of-code insights in real time
• DAST: finds vulnerabilities without source code or a test suite; requires expertise and time to triage and prioritize findings

Introducing Seeker IAST

Seeker
Seeker is our interactive application security testing tool
– Performs runtime security testing
Seeker performs security testing on:
– Web apps
– Web APIs or services
– Mobile application back-ends (where a mobile app’s critical functionality resides)
– Detects vulnerabilities in custom code as well as third-party code
Applications can be:
– on-premises, in the cloud, containerized
Seeker detects:
– Injection flaws
– Security misconfigurations
– Sensitive data leakage
– and many more types of vulnerabilities

Seeker - Automated security testing made easy
Automated verification, easy for development:
• Automatically verifies vulnerabilities
• Creates specific Jira tickets for developers
• Instant notification to developers via Slack or email
Automated testing, easy for QA:
• ANY functional test becomes a security test
• Continuous security testing with results in real time
Automated deployment, easy for DevOps:
• Deploy and run via CI/CD
• Compatible with existing automation tools
• On-premises and cloud-based apps

How Seeker works
Components: your application (with the Seeker agent inside it) and the Seeker Enterprise Server, which receives the vulnerabilities.
1. Application receives an HTTP request.
2. Agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc.
3. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof.
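The "IAST runtime testing & analysis" slide and the three steps above describe what an IAST agent does: treat incoming HTTP data as untrusted, watch security-relevant calls such as SQL, and report the vulnerable line of code. The block below is an added illustration written for this page, not Seeker's agent or any Synopsys code. It is a toy monitor that records request parameters as taint sources, wraps a sqlite3 cursor so every query is inspected before it runs, and flags a query whose SQL text contains an untrusted value (meaning the value was concatenated instead of bound), recording the calling function and line. The two application functions, the schema and the request are constructed for the example; the "vulnerable" lookup is kept deliberately flawed so the monitor has something to find, and the benign input "alice" shows that the flaw is detected from how the value flows, not from any attack payload.

```python
import inspect
import sqlite3
from dataclasses import dataclass


@dataclass
class Finding:
    check: str            # name of the weakness class
    sink_function: str    # application function that issued the query
    sink_line: int        # line in that function, as an IAST report would show it
    sql: str              # the SQL text actually sent to the database
    tainted_value: str    # the request input that reached the SQL text


class RuntimeMonitor:
    """Toy IAST-style monitor: remembers untrusted request inputs (taint
    sources) and checks database calls (sinks) for those inputs appearing
    inside the SQL text, which means the value was concatenated rather than
    bound as a parameter. Not Seeker's implementation; an illustration only."""

    def __init__(self, min_len=3):
        self.tainted = []
        self.findings = []
        self.min_len = min_len   # ignore very short values to limit substring noise

    def on_request(self, params):
        # Every HTTP parameter value is treated as untrusted.
        self.tainted = [v for v in params.values() if len(v) >= self.min_len]

    def inspect_sql(self, sql, caller_frame):
        for value in self.tainted:
            if value in sql:
                self.findings.append(Finding(
                    check="SQL injection (untrusted input in query text)",
                    sink_function=caller_frame.f_code.co_name,
                    sink_line=caller_frame.f_lineno,
                    sql=sql,
                    tainted_value=value,
                ))


class MonitoredCursor:
    """Wraps a sqlite3 cursor so every execute() is inspected first."""

    def __init__(self, cursor, monitor):
        self._cursor = cursor
        self._monitor = monitor

    def execute(self, sql, params=()):
        # f_back is the application code that called execute(): the sink location.
        self._monitor.inspect_sql(sql, inspect.currentframe().f_back)
        return self._cursor.execute(sql, params)

    def fetchall(self):
        return self._cursor.fetchall()


# --- constructed application code under test ---------------------------------

def lookup_user_vulnerable(cur, name):
    # Untrusted input concatenated into the SQL text: the sink the monitor flags.
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchall()


def lookup_user_safe(cur, name):
    # Parameterized query: the value is bound separately and never enters the SQL text.
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def run_functional_test():
    """Drive both lookups with an ordinary functional-test request and return
    the monitor's findings. Only the concatenating lookup is reported."""
    monitor = RuntimeMonitor()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    cur = MonitoredCursor(conn.cursor(), monitor)

    monitor.on_request({"name": "alice"})      # constructed request: GET /users?name=alice
    assert lookup_user_vulnerable(cur, "alice") == [(1,)]
    assert lookup_user_safe(cur, "alice") == [(1,)]
    return monitor.findings


if __name__ == "__main__":
    for f in run_functional_test():
        print(f"{f.check} in {f.sink_function}() line {f.sink_line}: {f.sql!r}")
```

A real agent instruments the runtime (bytecode or the framework's I/O layers) rather than wrapping one cursor, and tracks taint through string operations rather than by substring match, but the shape is the same: sources are marked at the request boundary, sinks are inspected at the call, and the report points at the line that issued the call.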

Seeker integrates seamlessly into the DevOps toolchain
Connect directly to Jira and your CI/CD tools with APIs and integrations
code → build → deploy → test → operate:
• Developer commits the code
• The build is made
• App and Seeker are deployed in the test environment
• Functional testing done
• Build pass/fail decision (based on testing status)
• Vulnerabilities pushed in

Active verification provides accurate and real-time results
Patented active verification engine minimizes false positives
• Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited
• Quickly processes hundreds of thousands of HTTP(S) requests
• Provides a risk-prioritized list of verified vulnerabilities to fix immediately

Configurable sensitive data tracking
• Define parameters and patterns to identify sensitive data in your application
• Track exposure and leakage through URLs, logs, UI, DB, etc.
• Verify compliance with standards including PCI, HIPAA, and GDPR
Verify security and data protection compliance by tracking leakage of any type of sensitive data
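As an added example (not Seeker's implementation and not code from this deck), the block below shows the pattern-based approach the slide describes: a small scanner with patterns for a payment card number, a US SSN and an e-mail address, run over constructed log lines, a request URL and a response body, reporting the channel, the kind of data and a masked value. The pattern set, channel names and sample events are assumptions made for the illustration. Two details matter in practice and are handled here: a Luhn check separates real card numbers from look-alike digit runs such as order ids, and URL values are percent-decoded before matching so an encoded "@" in a query string is not missed.

```python
import re
from urllib.parse import unquote


def luhn_valid(digits):
    """Luhn checksum, used to tell real payment card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Assumed pattern set covering the kinds of data the slide's standards refer to:
# payment cards (PCI), a US SSN as a health-record identifier (HIPAA), e-mail as personal data (GDPR).
PATTERNS = {
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def mask(value):
    """Keep only the last four characters so the report itself does not leak the data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(channel, text):
    """Return (channel, kind, masked_value) for each sensitive value found in text."""
    # URLs carry percent-encoded values ('%40' for '@'), so decode before matching.
    if channel == "url":
        text = unquote(text)
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "payment_card":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_valid(digits):
                    continue   # looks like a card number but is not one (e.g. an order id)
            hits.append((channel, kind, mask(value)))
    return hits


def scan_events(events):
    """Scan a sequence of (channel, text) pairs: log lines, request URLs, response bodies."""
    findings = []
    for channel, text in events:
        findings.extend(scan_text(channel, text))
    return findings


# Constructed sample events; 4111111111111111 is a well-known test card number
# and 1234567890123456 is a look-alike that fails the Luhn check.
SAMPLE_EVENTS = [
    ("log", "INFO payment ok card=4111111111111111 user=alice"),
    ("url", "https://shop.example/receipt?email=alice%40example.com&order=1234567890123456"),
    ("response", '{"status":"ok","patient_ssn":"123-45-6789"}'),
    ("log", "DEBUG order 1234567890123456 shipped"),
]


if __name__ == "__main__":
    for channel, kind, masked in scan_events(SAMPLE_EVENTS):
        print(f"{channel:8} {kind:13} {masked}")
```

Run as a script it reports three findings (the card in a log line, the e-mail in a URL, the SSN in a response body) and stays silent on the two order ids. An IAST agent applies the same idea inside the process, at the points where data is written to logs, URLs or responses, which is what lets it attribute a leak to the code that caused it.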

Integrated eLearning
• Seeker is now integrated with Synopsys eLearning.
  – Requires an eLearning account/contract
• Contextual online training helps developers understand and remediate vulnerabilities.

Insight into third-party and open source use and risks
• Get visibility into supply chain risks
• Comprehensive bill of materials
• Vulnerable components
• Risk-ranked vulnerabilities
• Open source licenses
Integrated Binary Software Composition Analysis identifies vulnerable components used in code

Seeker in action
Demonstration

Why Seeker?
Designed for seamless integration
• Easy to automate or integrate into a CI/CD pipeline
• Easy to deploy and configure
• Optimized for security, development and DevOps teams
Privacy and compliance
• The only AST tool with complete sensitive data tracking
• Provides results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC
• Integrated Binary Software Composition Analysis for OSS dependencies
Developer empowerment
• Accurate findings with real-time verification to help prioritize remediation
• Integrated eLearning gives developers contextual learning on the job
• Instant alerts (Slack, email, webhooks) and remediation advice
Designed for scale
• Supports large-scale, modern app deployments
• Framework agnostic with broad language coverage
• Comprehensive checkers

Seeker helps organizations with their application security testing needs, regardless of their maturity in the application security risk management process
No security testing in place:
• Seeker is perfect as a starting tool for automated security testing
• Security expertise not needed
Ad-hoc security testing:
• Start using Seeker during functional testing to find vulnerabilities early and cut down on pen-testing resources/cost
Ready to integrate security in CI/CD:
• Integrate Seeker in the CI/CD pipeline and automatically fail the build if critical security vulnerabilities are detected
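The toolchain slide (build pass/fail decision based on testing status) and the "ready to integrate security in CI/CD" column above both come down to one pipeline step: read the findings, apply a policy, and fail the job when the policy says so. The block below is an added example written for this page, not Seeker's own integration or export format. It reads a findings report in a hypothetical JSON schema (an assumption made for the illustration), blocks the build only on findings at or above a chosen severity, and by default counts only findings the tool has actively verified, so unverified findings still appear in the log without breaking the pipeline. The sample report and its findings are constructed.

```python
import json
import sys

# Constructed sample report in a hypothetical JSON schema; it is not Seeker's
# export format and the findings are invented for this example.
SAMPLE_REPORT = json.dumps({
    "project": "demo-app",
    "findings": [
        {"id": 1, "type": "SQL injection", "severity": "critical",
         "verified": True, "location": "UserDao.java:42"},
        {"id": 2, "type": "Sensitive data written to log", "severity": "high",
         "verified": True, "location": "AuditLogger.java:17"},
        {"id": 3, "type": "Missing security header", "severity": "medium",
         "verified": False, "location": "HeaderFilter.java:9"},
    ],
})

# Ordering used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_gate(report_json, fail_on="critical", verified_only=True):
    """Decide whether the build may proceed.

    fail_on:       lowest severity that blocks the build.
    verified_only: when True, only findings the tool has actively verified
                   count, so unverified (possibly false-positive) findings
                   are reported but do not break the pipeline.
    Returns a dict with the decision and the findings that caused it.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for finding in report["findings"]:
        severity = SEVERITY_RANK.get(finding.get("severity", "low"), 0)
        if severity < threshold:
            continue
        if verified_only and not finding.get("verified", False):
            continue
        blocking.append(finding)
    # Highest severity first so the build log leads with what matters most.
    blocking.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return {
        "project": report.get("project", "unknown"),
        "passed": not blocking,
        "blocking": blocking,
        "total": len(report["findings"]),
    }


def format_summary(result):
    """One line per blocking finding, plus the verdict, for the CI log."""
    lines = [f"{result['project']}: {result['total']} findings, "
             f"{len(result['blocking'])} blocking"]
    for f in result["blocking"]:
        lines.append(f"  [{f['severity'].upper()}] {f['type']} at {f['location']}")
    lines.append("GATE PASSED" if result["passed"] else "GATE FAILED")
    return "\n".join(lines)


def main(argv):
    # Usage: python gate.py [report.json] [fail_on]; without arguments the sample report is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report_json = fh.read()
    else:
        report_json = SAMPLE_REPORT
    fail_on = argv[2] if len(argv) > 2 else "critical"
    result = evaluate_gate(report_json, fail_on=fail_on)
    print(format_summary(result))
    return 0 if result["passed"] else 1   # a non-zero exit code fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run on the sample report with the default policy, the gate fails on the verified critical finding alone; lowering the threshold to "high" also blocks on the log leak, and the unverified medium finding only blocks when verified_only is switched off. Keeping the threshold and the verified-only switch as parameters is what lets a team start with a lenient gate and tighten it as the finding backlog shrinks.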

Q & A
Thank You
Follow us on Twitter: @zubaira, @kimm_yeo

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Kürzlich hochgeladen (20)

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

Bridging the Security Testing Gap in Your CI/CD Pipeline

  • 1. Bridging the security testing gap in CI/CD pipeline. Kimm Yeo and Asma Zubair, SIG Product Marketing and Management. © 2019 Synopsys, Inc.
  • 2. Agenda
    – Market trends and challenges
    – App security gap in CI/CD and IAST
    – Introducing Seeker IAST
    – Seeker demonstration
    – Q & A
  • 3. The pace of digital transformation today
    – 94% of enterprises have accelerated or significantly accelerated their pace of innovation [1]
    – Sources: 1. Accenture 2019 executive technology vision study (link); 2. 451 DevSecOps research report
  • 4. What’s next?
    – Accenture 2019 executive vision: the importance of cybersecurity is one of the top five trends for the next three years
    – Increased risks and complexity: enterprises are not just potential victims, but others’ vectors
    – Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs (link)
  • 5. The pace of digital transformation today
    – Increased risks and complexity: enterprises are not just potential victims, but others’ vectors
    – With digital transformation becoming an even playing field, new challenges arose
    – Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs
  • 6. Current state of cybersecurity
    – 11B records breached [1] (and still counting...)
    – State of software security in financial services [2]: 62% do not have the necessary cybersecurity skills; only 23% perform security assessments of third parties directly; 74% are concerned about software and systems supplied by third parties; 76% have difficulty detecting vulnerabilities in software systems before release
    – Sources: 1. Privacy Rights data breaches (link); 2. Ponemon state of security in financial services industry report
  • 7. Application security tools in CI/CD workflows
    – Question: What are the critical app sec testing tools to add to CI/CD workflows?
    – Tools: Third party penetration testing, Fuzz testing, Software composition analysis, Dynamic analysis, Static analysis. Chart values (same order): 57%, 31%, 61%, 59%, 51%
    – Source: 451 DevSecOps Research, Examining DevSecOps Realities & Opportunities (link)
  • 8. Application security gap in SDLC
    – Pipeline stages: Code development, Code commit, Build, Test, Deploy, Production (Release)
    – Tools across the stages: TM, SAST, manual code review; lightweight IDE SAST tools; SCA, SAST (deeper level); DAST, fuzz testing, pen testing, load/performance test, hardening checks; monitoring, pen testing, red teaming
    – How do you take siloed, disparate development, operations and security processes and transform them into an integrated tool chain?
  • 9. Security testing challenges in CI/CD workflows
    – What are the most significant app security testing challenges inherent in CI/CD workflows?
    – Challenges: Compliance, Developer resistance, False positives, Security testing slows things down, Inconsistent approach, Lack of automated, integrated security testing tools. Chart values (same order): 35%, 36%, 46%, 48%, 56%, 61%
    – Source: 451 DevSecOps Research, 2018, Examining DevSecOps Realities & Opportunities (link)
  • 10. The challenges of building security into modern application development and delivery
    – How do we integrate and automate dynamic security testing into our CI/CD?
    – How do we minimize the effort for developers to find and fix vulnerabilities?
    – How do we maximize application security AND development velocity?
    – How do we identify and prioritize the most severe vulnerabilities?
  • 11. Interactive Application Security Testing (IAST)
  • 12. Continuous security testing with IAST
    – Same pipeline stages as slide 8; the Test stage covers functional and non-functional tests
    – IAST (continuous runtime security test) runs alongside the existing tools: TM, SAST, manual code review; lightweight IDE SAST tools; SCA, SAST (deeper level); DAST, fuzz testing, pen testing, load/performance test, hardening checks; monitoring, pen testing, red teaming
  • 13. IAST runtime testing & analysis
    – Analysis of code execution using runtime monitors
    – Visibility into executed code and runtime data, such as: HTTP requests (end to end), parameter propagation, HTTP response writing, database calls, database responses, file system calls (and content), string manipulations, memory (like a debugger “watch”), usage of 3rd party libraries, web services calls, on-the-fly code generation, and more
  • 14. Comparison of SAST, IAST, and DAST
    – SAST: typically used in development; usually requires source code; integrates in CI/CD: yes. Finds vulnerabilities earliest in the SDLC; gives fast line-of-code insights.
    – IAST: typically used in integration and QA; usually requires a functional app and test suite; integrates in CI/CD: yes. Finds vulnerabilities during functional test (no scans required); gives runtime and line-of-code insights in real time.
    – DAST: typically used in QA or production; usually requires a functional app; integrates in CI/CD: no, not really. Finds vulnerabilities without source code or a test suite; requires expertise and time to triage and prioritize findings.
  • 15. Introducing Seeker IAST
  • 16. Seeker
    – Seeker is our interactive application security testing tool; it performs runtime security testing
    – Seeker performs security testing on: web apps; web APIs or services; mobile application back-ends (where a mobile app’s critical functionality resides); it detects vulnerabilities in custom code as well as 3rd party code
    – Applications can be on-premises, in the cloud, or containerized
    – Seeker detects injection flaws, security misconfigurations, sensitive data leakage, and many more types of vulnerabilities
  • 17. Seeker - Automated security testing made easy
    – Automated verification, easy for development: automatically verifies vulnerabilities; creates specific Jira tickets for developers; instant notification to developers via Slack or email
    – Automated testing, easy for QA: ANY functional test becomes a security test; continuous security testing with results in real time
    – Automated deployment, easy for DevOps: deploy and run via CI/CD; compatible with existing automation tools; on-premises and cloud-based apps
  • 18. How Seeker works (your application runs with the Seeker Agent, which reports vulnerabilities to the Seeker Enterprise Server)
    – 1. Application receives HTTP request.
    – 2. Agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc.
    – 3. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof.
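The three-step agent flow on the “How Seeker works” slide, shown as an added toy monitor in Python that is not Seeker’s code: the agent records the request’s parameters, wraps the SQL sink, and reports the vulnerable line together with the runtime query when an ordinary functional test drives a request value into the statement text. All names (Agent, Finding, handle_search, run_demo) and the sample data are constructed for this illustration; active re-testing of findings is not modelled.

```python
"""Toy IAST-style runtime monitor (added example, not Seeker's code). It mirrors
the agent flow on the 'How Seeker works' slide: (1) the app receives a request,
(2) an in-process agent hooks a security-relevant sink (SQL here) and checks
whether request data reached it, (3) findings carry the vulnerable line and the
runtime data. All names and sample data are constructed for this illustration."""
import inspect
import sqlite3
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Finding:
    rule: str          # what was detected
    function: str      # application function that built the statement
    line: int          # line number of the sink call in that function
    parameter: str     # request parameter whose value reached the sink
    runtime_data: str  # the statement as executed, with the value in it


class Agent:
    """Stands in for the in-process agent; the same hook pattern applies to
    file, LDAP or XPath sinks."""

    def __init__(self) -> None:
        self.params: Dict[str, str] = {}
        self.findings: List[Finding] = []

    def on_request(self, params: Dict[str, str]) -> None:
        # Step 1: remember the request's untrusted inputs so they can be
        # recognised when they show up at a sink (parameter propagation).
        self.params = dict(params)

    def sql_sink(self, cursor: sqlite3.Cursor, sql: str, bind: Tuple = ()):
        # Step 2: hook around cursor.execute(). The caller frame is the
        # application code that built the statement, which gives the line.
        caller = inspect.stack()[1]
        for name, value in self.params.items():
            # A request value spliced into the SQL text instead of being passed
            # in the bind tuple is the runtime evidence; very short values are
            # skipped so that e.g. "1" is not matched by accident.
            if len(value) >= 3 and value in sql and value not in bind:
                # Step 3: report rule, vulnerable line and runtime data.
                self.findings.append(Finding("SQL injection (CWE-89)",
                                             caller.function, caller.lineno,
                                             name, sql))
        return cursor.execute(sql, bind)


def handle_search(agent: Agent, cursor: sqlite3.Cursor,
                  params: Dict[str, str], parameterized: bool):
    """Constructed sample endpoint: look up a product by the 'q' parameter.
    The parameterized branch is the fix; the other branch is the defect the
    agent should catch while an ordinary functional test exercises it."""
    agent.on_request(params)
    name = params["q"]
    if parameterized:
        cur = agent.sql_sink(cursor, "SELECT id FROM products WHERE name = ?",
                             (name,))
    else:
        cur = agent.sql_sink(
            cursor, "SELECT id FROM products WHERE name = '" + name + "'")
    return cur.fetchall()


def run_demo(parameterized: bool) -> Tuple[list, List[Finding]]:
    """Drive the endpoint with a normal functional-test input (no attack
    payload) and return the rows plus whatever the agent reported."""
    conn = sqlite3.connect(":memory:")
    cursor = conn.cursor()
    cursor.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    cursor.executemany("INSERT INTO products (name) VALUES (?)",
                       [("widget",), ("gadget",)])
    agent = Agent()
    rows = handle_search(agent, cursor, {"q": "widget", "page": "1"},
                         parameterized)
    conn.close()
    return rows, agent.findings
```

Both branches return the same rows to the functional test, which is the point: the security finding comes from the agent watching the sink, not from the test itself.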
  • 19. Seeker integrates seamlessly into the DevOps toolchain
    – Connect directly to Jira and your CI/CD tools with APIs and integrations
    – Stages: code, build, test, deploy, operate. Developer commits the code; the build is made; app and Seeker are deployed in the test environment; functional testing done; vulnerabilities pushed in; build pass/fail decision (based on testing status)
  • 20. Active verification provides accurate and real time results
    – Patented active verification engine minimizes false positives
    – Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited
    – Quickly processes hundreds of thousands of HTTP(S) requests
    – Provides a risk-prioritized list of verified vulnerabilities to fix immediately
  • 21. Configurable sensitive data tracking
    – Verify security and data protection compliance by tracking leakage of any type of sensitive data
    – Define parameters and patterns to identify sensitive data in your application
    – Track exposure and leakage through URLs, logs, UI, DB, etc.
    – Verify compliance with standards including PCI, HIPAA, and GDPR
  • 22. Integrated eLearning
    – Seeker is now integrated with Synopsys eLearning (requires an eLearning account/contract)
    – Contextual online training helps developers understand and remediate vulnerabilities
  • 23. Insight into third party, open source use and risks
    – Integrated Binary Software Composition Analysis identifies vulnerable components used in code
    – Get visibility into supply chain risks: comprehensive bill of materials; vulnerable components; risk-ranked vulnerabilities; open source licenses
  • 24. Seeker in action: demonstration
  • 25. Why Seeker?
    – Designed for seamless integration: easy to automate or integrate into the CI/CD pipeline; easy to deploy and configure; optimized for security, development and DevOps teams
    – Privacy and compliance: the only AST tool with complete sensitive data tracking; provides results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC; integrated Binary Software Composition Analysis for OSS dependencies
    – Developer empowerment: accurate findings with real-time verification to help prioritize remediation; integrated eLearning gives developers contextual learning on the job; instant alerts (Slack, email, webhooks) and remediation advice
    – Designed for scale: supports large-scale, modern app deployments; framework agnostic with broad language coverage; comprehensive checkers
  • 26. Seeker helps organizations with their application security testing needs, regardless of their maturity in the application security risk management process
    – No security testing in place: Seeker is perfect as a starting tool for automated security testing; security expertise not needed
    – Ad-hoc security testing: start using Seeker during functional testing to find vulnerabilities early and cut down on pen-testing resources/cost
    – Ready to integrate security in CI/CD: integrate Seeker in the CI/CD pipeline and automatically fail the build if critical security vulnerabilities are detected
  • 27. Q & A
  • 28. Thank You. Follow us on Twitter: @zubaira, @kimm_yeo