Continuous Delivery of Business Value
with Fortify
Mainstay Customer Evidence Research
WHITE PAPER
MEETING THE SECURITY DEMANDS OF DIGITAL TRANSFORMATION
Today every business is becoming a software business. Even traditional brick-and-mortar
industries are facing the necessity of software-driven “digital transformation” to stay relevant
and competitive in their markets. Industrial icon GE, for instance, is developing software that
harnesses data from sensors inside wind turbines to squeeze more electricity from existing
wind farms. Automakers embed tens of millions of lines of code into their increasingly “smart”
and “connected” vehicles.1
As software becomes core to every business — and as cloud-based software services surge
in popularity — companies are developing and updating applications faster than ever before.
Welcome to the new era of continuous software delivery. Continuous delivery means
development teams are releasing software with new features and functionalities in
increasingly shorter cycles, from every year or quarter to every month, week, or day.
The approach is now woven into the DevOps environments of leading enterprises like
Microsoft, Google and Facebook, which typically issue major software releases every
week across their web sites, followed by daily bug fixes over the rest of the week.
Forrester Research predicts that organizations will go from four application releases
per year in 2010 to as many as 120 releases per year by 2020, a 30x increase.2
SECURITY TEAMS UNDER PRESSURE
With the market moving to an agile, continuous delivery model, development and security
teams within organizations are scrambling to keep up with the sheer number of applications
and releases, which is putting pressure on a key part of the development lifecycle: software
security assurance (SSA). Simply put, organizations cannot afford for security testing and
remediation to slow the pace of software delivery.
This challenge is complicated by several trends:
•	 The proliferation of SaaS and mobile devices, which requires even more testing of
applications for security flaws.
•	 Many enterprises maintain hybrid environments with a mix of legacy and COTS applications
and varying release cycles, thus increasing the complexity of security programs.
•	 Developers increasingly utilize downloaded code from open-source software (OSS)
repositories such as Maven and GitHub, many of which are known to contain
vulnerabilities.
Organizations generally have been slow to respond to the challenge, in part because most
of them are still using outmoded security testing tools and practices. These tools lack
automated features that could enable organizations to tackle greater volumes of code
and scans in less time. Often these tools cover only part of the security-testing process,
a handful of specific languages, or limited deployment options, forcing organizations to
switch between multiple tools during the development cycle, hurting productivity.3
A NEW ERA IN SOFTWARE SECURITY
Continuous delivery of applications has become the new normal for software development organizations
across every industry. Software development teams are now expected to deliver new releases and updates
at a dizzying pace, putting tremendous pressure on software security teams to keep up. In this report, we
detail how development organizations at leading companies are using software security solutions from
Fortify to scan more applications faster, focus and streamline remediation efforts with better triaging,
and integrate security assurance methods throughout the software development environment. No longer
a production bottleneck, security teams can now support increasingly ambitious release schedules,
ensuring faster time to market and freeing developers to focus on creating better software.
In fact, industry analysts estimate that even though 90% of companies are engaged in application development — 
and 99% agree it’s an opportunity to increase enterprise security — only 20% are doing anything about it. Gartner
estimates that fewer than 20% of enterprise security architects have systematically incorporated information
security into their DevOps initiatives. Fewer still have achieved the singular degree of security automation
required to qualify as Secure DevOps.
SHIFTING TO THE ‘LEFT’
Until recently, organizations have focused security testing and remediation efforts primarily on the later phases
of the software development lifecycle. However, this is precisely when remediation is most expensive
and time consuming. In addition, as tight product-launch deadlines shrink remediation windows, the probability
increases that applications will be released into production with known or unknown vulnerabilities. Poor scalability
of current toolsets also dictates relatively fewer scans, cutting into productivity as the number of applications and
releases continues to grow.
All of this represents a reactive approach to security assurance that increases the risk of project delays,
compromises application security, and ultimately prevents organizations from scaling to meet the demands of
continuous delivery. By contrast, leading organizations we researched are taking a more agile and proactive
approach — one that emphasizes earlier, more frequent testing with feedback loops designed to produce
progressively cleaner code. In effect, these organizations are shifting security testing operations to the “left,”
thus reducing the number of vulnerabilities introduced during the coding phase, as shown below. According to a
recent study, organizations that make this move end up spending 55% less time remediating security issues.5
THE EVOLUTION OF SOFTWARE SECURITY ASSURANCE
Mainstay conducted initial research on the economic impact of Fortify’s application security solutions in 2010,
a time when the biggest challenge facing IT and application security teams was simply finding software
vulnerabilities, and finding them early enough to make remediation easier.4 In 2013, Mainstay re-surveyed
leading organizations and concluded they were still largely focused on finding and fixing as many vulnerabilities
as possible, and many were choosing cloud services to extend these capabilities to third-party developers.
Our latest survey found an evolving market for software security solutions, with organizations demanding
greater speed and scalability to meet more ambitious release cadences. Beyond just finding every potential
vulnerability, organizations now want better triaging to quickly focus on and remediate flaws that pose the
most serious risk to the business.
[Figure: “Shift Left” Creates the Environment to Support Frequent Releases as Well as Faster Delivery]
Laggards Test Later and Less Frequently. Scope of software security scans is limited to the late phases of the
SDLC (Requirements, Design, Coding, Integration, QA, Production): code reviews during coding, then security
testing, penetration testing and vulnerability scanning only from integration onward. Need to “shift left.”
• Reactive
• Likelihood of discovering more vulnerabilities than available capacity to triage or remediate
• Difficulty in remediating
• High risk of application delays
• Incompatible with frequent development releases
Leaders Deploy Software Security Throughout the Software Development Cycle. Scope of software security
scans with Fortify covers every phase: software security requirements analysis, threat modeling, security
architecture design reviews, code reviews, static code analysis, dynamic code analysis, real-time security
testing, security testing, penetration testing and vulnerability scanning.
• Proactive
• Vulnerabilities are discovered early
• Easier to remediate
• The number of iterations that occur across the SDLC improves time to production
• The time required to fix an issue is less as you shift left, driving shorter time to production
SURVEY OF SOFTWARE SECURITY OPERATIONS AT LEADING COMPANIES
To understand how leading enterprises are coping with the demands of continuous software delivery, market analyst
Mainstay conducted in-depth interviews with application security leaders from a diverse set of companies that adopted
products and services from Fortify. Mainstay supplemented these interviews with an online survey to develop an even
broader portrait of the challenges that software development and security departments face in today’s fast-paced
environment.
Among the companies participating in the software security survey were:
•	 One of the world’s largest financial services holding companies
•	 Two of the world’s largest multinational oil and gas companies
•	 A global peer-to-peer lending and online trading platform company
•	 A provider of online investing services for institutions
•	 One of the world’s largest banks, with operations in over 50 countries
The survey looked at five critical aspects in the software security assurance process and evaluated how the
adoption of Fortify impacted each one:
•	 Scan Setup. Ease and speed in setting up scans; how well security tools and processes are
integrated with development environment
•	 Scan Performance. Speed of scans and the number of vulnerabilities found
•	 Triaging. How effectively vulnerabilities are prioritized and the number of false positives identified;
ability to prioritize by criticality; impact of Fortify on Mean Time to Triage (MTTT)
•	 Remediation. Number of vulnerabilities requiring fixing; remediation efficiency and speed;
reduction in repeat vulnerabilities; impact of Fortify on Mean Time to Remediate (MTTR)
•	 Scalability. Our study also looked at how organizations are deploying Fortify to flexibly scale
their security processes to scan and remediate significantly more applications in less time.
Metrics include the quantity of apps scanned, scan cycles performed, and developer issues
avoided at the source during coding.
The following sections discuss the results of the survey.
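The triaging and remediation aspects above are judged by Mean Time to Triage (MTTT), Mean Time to Remediate (MTTR), the false-positive share and the ability to work the most critical findings first. The following Python script is an added example, not code from the white paper or from Fortify, showing how those metrics can be computed from a scanner's findings once auditors record a disposition for each one. The Finding fields, the severity scale and the sample findings are constructed assumptions for illustration.

```python
"""Triage and remediation metrics over a constructed set of scan findings.

Added example (not from the white paper or Fortify): computes MTTT, MTTR and the
false-positive rate, and orders the open backlog by criticality. Field names,
severity names and the sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed severity scale used for prioritisation; higher rank is more critical.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass
class Finding:
    finding_id: str
    category: str                             # e.g. "SQL Injection"
    severity: str                             # one of SEVERITY_RANK
    found_at: datetime                        # when the scanner reported it
    triaged_at: Optional[datetime] = None     # when an auditor decided on it
    disposition: Optional[str] = None         # "true_positive" / "false_positive" / "accepted_risk"
    remediated_at: Optional[datetime] = None  # when a fix was verified


def _mean_days(intervals: list) -> Optional[float]:
    """Mean of a list of timedeltas in days; None when there is nothing to average."""
    if not intervals:
        return None
    return sum(i.total_seconds() for i in intervals) / len(intervals) / 86400


def mean_time_to_triage(findings: list) -> Optional[float]:
    """MTTT in days, over findings that have received a triage decision."""
    return _mean_days([f.triaged_at - f.found_at for f in findings if f.triaged_at])


def mean_time_to_remediate(findings: list) -> Optional[float]:
    """MTTR in days from discovery to verified fix, counting true positives only."""
    return _mean_days([f.remediated_at - f.found_at for f in findings
                       if f.disposition == "true_positive" and f.remediated_at])


def false_positive_rate(findings: list) -> Optional[float]:
    """Share of triaged findings that auditors marked as false positives."""
    triaged = [f for f in findings if f.disposition]
    if not triaged:
        return None
    return sum(f.disposition == "false_positive" for f in triaged) / len(triaged)


def open_backlog(findings: list) -> list:
    """Findings still needing work, most critical first, then oldest first.

    Untriaged findings stay in the backlog (they may be real); false positives,
    accepted risks and verified fixes drop out.
    """
    work = [f for f in findings
            if f.disposition not in ("false_positive", "accepted_risk") and f.remediated_at is None]
    return sorted(work, key=lambda f: (-SEVERITY_RANK[f.severity], f.found_at))


# Constructed sample: one scan on 1 March, triaged and fixed over the following days.
T0 = datetime(2017, 3, 1)
SAMPLE = [
    Finding("F1", "SQL Injection", "Critical", T0, T0 + timedelta(days=1), "true_positive", T0 + timedelta(days=3)),
    Finding("F2", "Cross-Site Scripting", "High", T0, T0 + timedelta(days=1), "true_positive", T0 + timedelta(days=5)),
    Finding("F3", "Dead Code", "Low", T0, T0 + timedelta(days=2), "false_positive"),
    Finding("F4", "Password in Comment", "Medium", T0, T0 + timedelta(days=2), "false_positive"),
    Finding("F5", "Path Manipulation", "High", T0),  # reported but not yet triaged
    Finding("F6", "Weak Cryptography", "Critical", T0 + timedelta(days=1), T0 + timedelta(days=2), "true_positive"),
]

if __name__ == "__main__":
    print("MTTT (days):", mean_time_to_triage(SAMPLE))
    print("MTTR (days):", mean_time_to_remediate(SAMPLE))
    print("False-positive rate:", false_positive_rate(SAMPLE))
    print("Backlog, most critical first:", [f.finding_id for f in open_backlog(SAMPLE)])
```

On the sample, MTTT is 1.4 days, MTTR is 4.0 days, two of five triaged findings are false positives, and the backlog lists the untriaged and unfixed items with the Critical one first. Measuring MTTR only over confirmed true positives keeps false positives from flattering or inflating the remediation figure.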
[Figure: the five aspects of the software security assurance process examined in the survey, with the metrics evaluated for each]
Setting Up Scans: ease; speed; readiness/integration with development environments
Performing Scans: speed; number of vulnerabilities identified
Triaging: speed; number of false positives identified; prioritizing by criticality
Remediating: number of vulnerabilities to fix; speed of fixing; prioritize by and address critical vulnerabilities first
Process Scalability: number of apps; number of scan cycles; developer issues avoided at source during coding
WHY FORTIFY
Of the companies surveyed, 54% said that Fortify was their first choice for application security software
before later deciding to implement Fortify. Their top three reasons for choosing Fortify were:
•	 Solution flexibility
•	 Greater coverage of different programming languages and third-party code
•	 Better ability to find and fix vulnerabilities
KEY FINDING: FORTIFY PROVIDES FASTER, MORE EFFECTIVE SOFTWARE SECURITY ASSURANCE
Faster Scan Setups
In a continuous delivery environment, development
teams must move quickly to plan and execute security
scans. However, given the wide variety of programming
languages and code components commonly found in
a modern development environment, it can be a slow
process to assemble the right security tools — and the
right people and expertise — for the job. Before moving
to Fortify, fewer than half of the organizations in our
survey could accommodate the requirements of
fast-release cycles (weekly).
The Fortify platform provided coverage and integration
across a broad range of development environments and
languages, eliminating the need for multiple point tools
and the experts necessary to operate them. On average,
companies replaced about 10 tools with a single Fortify
solution. This allowed organizations to streamline their
software security environment, reduce complexity and
improve operational efficiencies. Customers believed
this offers the potential to lower the overall cost
involved in software security licenses and maintenance.
LESS TIME SCANNING, MORE TIME ENHANCING APPS
Scanning within an integrated development environment (IDE) can take several hours and add 25% or more
to development overhead. To speed the process, one Fortify customer created a centralized Hadoop repository
where developers can upload code and run scans in minutes. As a result, developers avoid getting bogged
down by administrative and security tasks and now have more time to focus on improving the software. The
customer considers this to be a huge competitive advantage in an increasingly software-driven world.
[Figure: Fewer Security Tools Needed. Number of software security tools: 10 before Fortify, 1 after Fortify.
Customers replaced 10 different point tools with Fortify, saving on integration and set-up efforts.]
[Figure: Faster Setups Allows More Frequent Releases. Percentage of companies that could support monthly or
weekly release cadences: 35% before Fortify, 100% after Fortify. Survey finding: organizations were able to
increase their ability to do weekly, monthly or quarterly releases with the same amount of resources.]
Increasing adoption of agile environments is driving the
demand for tighter process integration across the
development lifecycle. Organizations that moved to the Fortify
environment — which provides tools and plugins to simplify
integration with existing development environments — 
could create fast, automated processes for uploading
code, running scans, and incorporating security checks
into each phase of the development cycle.
In fact, the survey found that the percentage of customers
who could improve their release frequencies — from
annual or quarterly to monthly, weekly, or even daily
releases — increased significantly. Whereas only 35%
of the respondents could do monthly or weekly releases
before adopting Fortify, nearly all respondents said
they could handle accelerated release schedules after
adopting Fortify’s speed-enhancing rules engines,
templates, and triaging technologies.
More Efficient Scanning
Most companies focus on combatting the top 10 common
critical vulnerabilities that impact their organization
(or application security landscape). For the companies
surveyed in 2017, these included cross-site scripting
(XSS), SQL injection, broken authentication, cross-site
request forgery, and security misconfigurations.
More than half of survey respondents reported that Fortify
was particularly effective in finding these high-risk
vulnerabilities early in the development lifecycle, when
they can be remediated more easily and cheaply.6
Tools such as Fortify Security Assistant, for example,
enabled developers to identify vulnerabilities in
real time while they are writing code.
Overall, companies using Fortify Static Code Analyzer
found they could uncover tens of thousands of previously
unidentified vulnerabilities. In addition, respondents
said they could run the scans in a significantly shorter
amount of time — from several days to just a few hours
or even minutes — freeing developers to focus more
time on what they do best: writing high-quality code
and not waiting for scans.
[Figure: Twice as Many True Vulnerabilities Found… Number of true vulnerabilities found: 2X. Customers
reported that the number of legitimate vulnerabilities found with Fortify was double that of other software
vendors.]
[Figure: …With Significantly Faster Scans. Speed of scans: 10–15X. Customers reported that scanning with
Fortify was 10–15 times faster than with other software vendors.]
WHAT TYPES OF VULNERABILITIES MATTER?
In our survey, most customers were concerned not just with common vulnerabilities like cross-site scripting
and SQL injection, but were also worried about data breaches and the consequences that ensued, which most
rated as one of their top security concerns.
Better Triaging, Fewer False Positives
Survey participants were attracted to Fortify’s unique
ability to dig through large sets of vulnerabilities,
identify those vulnerabilities that are meaningful to
the organization, and quickly separate false positives
and low-risk issues from serious flaws, significantly
reducing mean time to triage (MTTT).
Many of the companies augmented their triaging
routines by factoring in the latest industry intelligence
and trends, and by connecting static and dynamic
analyses. Several companies regularly tapped experts
from Fortify to design and execute these time-saving
triaging protocols. One leading data-analytics company,
for example, routinely uploads code to Fortify on
Demand to scan, then conducts a joint review and
triaging session with the technical account manager
before starting remediation.
[Figure: Fewer False Positives. Reduction in false positives: 95%. Customers reported that the number of
false positives was reduced by up to 95% with the Fortify on Demand managed services offering.]
Improved Remediation Efforts
Survey respondents repeatedly stressed the importance
of finding vulnerabilities early in the development lifecycle,
noting that it took nearly 100 times more effort to
remediate security flaws if they’re found after software
has gone into production versus during the coding
process. Vulnerabilities found during quality assurance
testing are less expensive to remediate but still take
about 10 times more effort and time to fix compared
to the coding phase.
On average, organizations reported they could complete
triaging and remediation tasks about 10 times faster
with Fortify — from 20 days per application to just one
to two days. Again, the time saved could be redirected
to enhancing the software in ways that made it more
appealing to end users.
[Figure: Faster Remediation. Before Fortify: 20 days per app to triage and remediate; after Fortify: 1–2 days
per app to triage and remediate, i.e. 10x faster triaging and remediation. Customers reported that, with
Fortify, they are able to speed up the triaging and remediation process.]
FALSE POSITIVES CAN SLOW YOU DOWN
A leading financial institution reported that scans for a large application could uncover as many as 50,000
vulnerabilities, of which 60% could consist of time-wasting false positives, flaws the organization did not
deem important, or vulnerabilities that could be sorted into groups for more efficient remediation. Using
Fortify’s software and managed services, the institution avoided false positives and leveraged insights that
improved triaging and remediation, reducing workloads significantly. Noted one IT executive: “The only way
to scale is by eliminating false positives.”
KEY FINDING: FORTIFY’S SCALABILITY DRIVES CONTINUOUS DELIVERY
As the number of applications continues to grow,
organizations need to scale their software security
programs to avoid delays in delivering releases and
updates. Companies in the survey consistently
identified a set of obstacles to achieving process
scalability. These included:
•	 Disparate point solutions
•	 Manual processes/lack of automation
•	 Poor identification of vulnerabilities
•	 Large amount of false positives
•	 Lack of access to security expertise
When organizations combined Fortify solutions with
its managed services offering, they could transform
software security assurance into a fully scalable and
repeatable process capable of managing the increasing
operational demands of enterprise-level development
organizations.8
What does true scalability look like? Before adopting
Fortify, one customer in the survey could complete about
30–50 scans per quarter, covering about 25 applications.
Since implementing Fortify, it can complete 300 scans
covering 75 applications — a 30X increase in speed
and capacity.
[Figure: More Scanning, More Apps. Before Fortify: 30–50 scans covering 25 apps; after Fortify: 300 scans
covering 75 apps, a 30X increase.]
[Figure: Fewer Repeat Vulnerabilities. 40% reduction in repeat vulnerabilities. Customers reported seeing a
40% reduction in repeat vulnerabilities, thus creating high-quality and secured applications.]
[Figure: Scaling Up for the Future. Survey finding: Fortify customers expect to double (2X) the number of
applications scanned in the future.]
KEY FINDING: FORTIFY ENABLES FASTER TIME TO MARKET
When organizations used Fortify to accelerate and
improve the quality of their software security testing
and remediation, they significantly reduced the length
of their software development lifecycles, helping teams
throughout the organization meet rapid-release deadlines.
As illustrated below, before adopting Fortify, organizations
faced longer testing timelines — the result of less-
frequent and later-cycle scanning and remediation
efforts. Respondents reported that late-cycle security
“surprises” could easily threaten market launches.
With Fortify, organizations can scan code, find and
fix vulnerabilities in frequent iterations starting early
in the lifecycle, and leverage advanced triaging
techniques to shrink cycles even further. The result:
a greater number of relevant vulnerabilities are
uncovered and remediated earlier, and tail-end
surprises are minimized. Furthermore, repeat
vulnerabilities are progressively reduced because
developers learn to code more securely, resulting in
cleaner and more secure code in each future cycle.
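The reduction in repeat vulnerabilities described above can only be tracked if the same flaw is recognised from one scan to the next. The Python script below is an added example, not code from the white paper or from Fortify, showing one way to do that: each finding is fingerprinted by its category and sink location (deliberately excluding the line number, which shifts as code is edited), and two successive scans are compared to classify findings as repeat, new or fixed. The finding fields and the two sample scans are constructed assumptions for illustration.

```python
"""Classify findings across two successive scans as repeat, new or fixed.

Added example (not from the white paper or Fortify). Field names and the sample
scans are assumptions made for illustration.
"""
from collections import Counter


def fingerprint(finding: dict) -> tuple:
    """Stable identity for a finding: vulnerability class plus the sink's file and
    function. Line numbers are left out on purpose: they move between scans and
    would make an unchanged flaw look new."""
    return (finding["category"], finding["file"], finding["function"])


def diff_scans(previous: list, current: list) -> dict:
    """Partition the fingerprints of two scans into repeat, new and fixed sets."""
    prev = {fingerprint(f) for f in previous}
    cur = {fingerprint(f) for f in current}
    return {
        "repeat": sorted(prev & cur),   # still present: not fixed or reintroduced
        "new": sorted(cur - prev),      # introduced since the previous scan
        "fixed": sorted(prev - cur),    # no longer reported
    }


def repeat_rate(previous: list, current: list) -> float:
    """Share of the current scan's findings that were already present last time."""
    cur = {fingerprint(f) for f in current}
    if not cur:
        return 0.0
    return len(cur & {fingerprint(f) for f in previous}) / len(cur)


def recurring_categories(previous: list, current: list) -> Counter:
    """Count repeats per vulnerability class; a signal for targeted developer training."""
    return Counter(category for category, _, _ in diff_scans(previous, current)["repeat"])


# Constructed sample scans of the same application, a sprint apart.
PREVIOUS_SCAN = [
    {"category": "SQL Injection", "file": "dao.py", "function": "query_user", "line": 40},
    {"category": "Cross-Site Scripting", "file": "views.py", "function": "render_profile", "line": 12},
    {"category": "Path Manipulation", "file": "files.py", "function": "open_upload", "line": 7},
]
CURRENT_SCAN = [
    # same flaw, line number moved by an unrelated edit
    {"category": "SQL Injection", "file": "dao.py", "function": "query_user", "line": 44},
    {"category": "Path Manipulation", "file": "files.py", "function": "open_upload", "line": 9},
    # new instance of an already-known class in a different place
    {"category": "SQL Injection", "file": "reports.py", "function": "build_report", "line": 21},
]

if __name__ == "__main__":
    delta = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    for kind in ("repeat", "new", "fixed"):
        print(f"{kind}: {delta[kind]}")
    print("repeat rate:", round(repeat_rate(PREVIOUS_SCAN, CURRENT_SCAN), 2))
    print("recurring classes:", dict(recurring_categories(PREVIOUS_SCAN, CURRENT_SCAN)))
```

On the sample, the cross-site scripting finding is fixed, the SQL injection and path manipulation findings repeat despite their line numbers changing, and a new SQL injection appears elsewhere; two of the three current findings are repeats. Tracking the repeat rate per category over successive scans is what turns the "developers learn to code more securely" claim into a measurable trend.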
[Figure: Faster Time to Market with Fortify. Two charts of Number of Vulnerabilities Found against Time.
Without Fortify: effort peaks, high risk, rare release events (“Waterfall Methodology”). With Fortify: smoother
effort, less risk, frequent release events (“Agile Methodology”). Callouts: scalability and time-to-market
acceleration 30X more; 2X more vulnerabilities found; more vulnerabilities remediated 10X faster; 10–15X
faster scans; 95% fewer false positives.]
KEY FINDING: FORTIFY IMPROVES MANAGEMENT OF EXTENDED DEVELOPMENT ECOSYSTEMS
Managing Third-Party Developers
Many organizations today supplement their in-house
developers with third-party coding contractors.
Operationalizing the software security process to
include these external teams, however, can be a
complex challenge for development organizations.
Several of the companies we studied are using Fortify on
Demand to extend security testing and quality control to
third-party developers. Some have created innovative
“pay for performance” programs that enabled companies
to adjust fees paid to outsourcing partners based on the
“cleanliness” of the code delivered. The result: improved
product quality and better value for the money spent on
outside vendors.
Summary of Operational Improvements from Fortify
Benefit | Before Fortify | After Fortify
Simplify and reduce SSA set-up time | 10 point tools | Single end-to-end tool
Scan faster | 1 to 3 weeks per app | A few hours to 1 day
Find more vulnerabilities | Thousands per app | At least 2X more true vulnerabilities found
Triage and audit faster | 1 to 2 weeks per app | 1 to 2 days
Reduce number of false positives | 1,000 to 50,000 per app | 10s to 100s, 95% reduction
Reduce remediation effort | 3 to 4 weeks | 1 to 2 weeks
Avoid repeat vulnerabilities | Repeat vulnerabilities common | Repeat vulnerabilities reduced by 40%
Scalability | 30 to 50 scans covering 25 apps per quarter | 300 scans covering 75 apps per quarter
EMPOWERING CONTINUOUS DELIVERY
Mainstay’s previous research identified Fortify as one of the leaders in helping organizations find more vulnerabilities,
and doing so earlier in the software development lifecycle. The current survey clearly confirmed this earlier
conclusion — with customers reporting they found twice as many relevant vulnerabilities with Fortify compared
to competing solutions.
However, in this survey, organizations pointed to additional benefits that were equally, if not more, critical to success.
These included Fortify’s ability to produce fewer false positives, and its ability to provide rich insights and correlations
to efficiently remediate the remaining valid vulnerabilities. Together these capabilities are giving organizations the
means to support their expanding development environments and significantly faster release cadences.
BENEFIT SUMMARY
The figure below summarizes the range of benefits that organizations can achieve by adopting Fortify. In addition
to the operational improvements, many of the organizations found that Fortify enabled them to:
•	 Accelerate application time to market
•	 Reduce disaster recovery and data breach costs
•	 Get better value for services from third-party development vendors
TEAMING WITH FORTIFY FOR GREATER ASSURANCE
To realize the full potential of their SSA programs, organizations augmented their Fortify solutions with
managed services and resources from Fortify’s professional services team. These include best practices,
metrics, and templates designed to ensure a predictable and measurable software security process.
THE WAY FORWARD
For companies that leverage software to compete, the ability to rapidly develop and update applications has
become a strategic necessity. Application development teams are addressing this demand for continuous software
delivery by moving from annual and quarterly releases to monthly, weekly and even daily releases.
For software security teams, this translates into a set of challenges beyond just uncovering as many vulnerabilities
as possible, as early as possible. To sustain fast-paced continuous delivery environments and ever-growing
volumes of applications, security teams will need to introduce more automation and achieve even greater levels
of operational efficiency.
In this survey of leading companies, we found that Fortify is changing the game for development and security
teams. Using Fortify’s end-to-end application security solutions, organizations can test application code and
remediate vulnerabilities faster and more effectively than ever before. Driving the speed and performance boost
is a new generation of triaging tools and technologies that virtually eliminate false positives and isolate valid
vulnerabilities for swift remediation.
Going forward, release cadences will only get faster, forcing IT to condense development cycles even more. It is a
trend that will compel greater numbers of organizations to adopt next-generation security assurance technologies that
can scale exponentially and ensure continuous delivery as the business’s reliance on software grows. In this new
era, Fortify will continue to innovate and help organizations keep pace with high-performance application security
solutions and services.
For more information about Fortify, visit fortify.com.
ENDNOTES
1. When automotive manufacturer Tesla discovers an issue with its cars, it delivers the software directly to the owner via a download the owner initiates in the car, saving Tesla millions of dollars. Traditional automobiles, by contrast, require expensive physical recalls when an engineering or manufacturing issue is discovered.
2. “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
3. The average development organization uses as many as 10 security testing and remediation tools.
4. This current survey builds on earlier studies of the business impact of Fortify solutions. See: “Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions,” Mainstay, 2010 (updated 2013). http://h30528.www3.hp.com/Security/Fortify_Mainstay_ROI_Study.pdf
5. “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
6. A leading bank reported that a scan for a large application could throw up as many as 50,000 vulnerabilities.
7. Fortify’s more than 50,000 pre-defined rules across several programming languages contributed to finding more vulnerabilities, companies said.
8. A typical Fortify on Demand environment can comprise about 400 developers and 75 applications built using Java (80%), .NET (12%) and Mobile (8%).
9. “Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance,” Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
Sponsored by:
Research and analysis for this study was conducted by Mainstay,
an independent consulting firm that has performed over 300 studies for
leading information technology providers including Cisco, Oracle,
SAP, Microsoft, Dell, Lexmark, HP, EMC and NetApp.
This case study was based on interviews with security executives currently
using SSA solutions. Information contained in the publication has been obtained
from sources considered reliable, but is not warranted by Mainstay.
Copyright © 2017 Mainstay.
Mainstay
www.mainstaycompany.com
2929 Campus Drive, Suite 150
San Mateo, CA, 94405
p. 650.638.0575
f. 650.638.0578

Fortify Continuous Delivery

  • 1. Continuous Delivery of Business Value with Fortify Mainstay Customer Evidence Research WHITE PAPER
  • 2. Continuous Delivery of Business Value with Fortify WHITE PAPER 22 MEETING THE SECURITY DEMANDS OF DIGITAL TRANSFORMATION Today every business is becoming a software business. Even traditional brick-and-mortar industries are facing the necessity of software-driven “digital transformation” to stay relevant and competitive in their markets. Industrial icon GE, for instance, is developing software that harnesses data from sensors inside wind turbines to squeeze more electricity from existing wind farms.Automakers embed tens of millions of lines of code into their increasingly “smart” and “connected” vehicles.1 As software becomes core to every business — and as cloud-based software services surge in popularity — companies are developing and updating applications faster than ever before. Welcome to the new era of continuous software delivery. Continuous delivery means development teams are releasing software with new features and functionalities in increasingly shorter cycles, from every year or quarter to every month, week, or day. The approach is now woven into the DevOps environments of leading enterprises like Microsoft, Google and Facebook, which typically issue major software releases every week across their web sites, followed by daily bug fixes over the rest of the week. Forrester Research predicts that organizations will go from four application releases per year in 2010 to as many as 120 releases per year by 2020, a 30x increase.2 SECURITY TEAMS UNDER PRESSURE With the market moving to an agile, continuous delivery model, development and security teams within organizations are scrambling to keep up with the sheer number of applications and releases, which is putting pressure on a key part of the development lifecycle: software security assurance (SSA). Simply put, organizations cannot afford for security testing and remediation to slow the pace of software delivery. 
This challenge is complicated by several trends: • The proliferation of SaaS and mobile devices, which requires even more testing of applications for security flaws. • Many enterprises maintain hybrid environments with a mix of legacy and COTS applica- tions and varying release cycles, thus increasing the complexity of security programs. • Developers increasingly utilize downloaded code from open-source software (OSS) repositories such as Maven and GitHub, many of which are known to contain vulnerabilities. Organizations generally have been slow to respond to the challenge, in part because most of them are still using outmoded security testing tools and practices. These tools lack automated features that could enable organizations to tackle greater volumes of code and scans in less time. Often these tools cover only part of the security-testing process, a handful of specific languages, or limited deployment options, forcing organizations to switch between multiple tools during the development cycle, hurting productivity.3 A NEW ERA IN SOFTWARE SECURITY Continuous delivery of applications has become the new normal for soft- ware development organizations across every industry. Software development teams are now expected to deliver new releases and updates at a dizzying pace, putting tremendous pressure on software security teams to keep up. In this report, we detail how development organizations at leading companies are using software security solutions from Fortify to scan more applications faster, focus and streamline reme- diation efforts with better triaging, and integrate security assurance methods throughout the software development environment. No longer a production bottleneck, security teams can now support increasingly ambitious release schedules, ensuring faster time to market and freeing developers to focus on creating better software.
In fact, industry analysts estimate that even though 90% of companies are engaged in application development, and 99% agree it is an opportunity to increase enterprise security, only 20% are doing anything about it. Gartner estimates that fewer than 20% of enterprise security architects have systematically incorporated information security into their DevOps initiatives. Fewer still have achieved the degree of security automation required to qualify as Secure DevOps.

SHIFTING TO THE 'LEFT'
Until recently, organizations have focused security testing and remediation efforts primarily on the later phases of the software development lifecycle. However, this is precisely when remediation is most expensive and time consuming. In addition, as tight product-launch deadlines shrink remediation windows, the probability increases that applications will be released into production with known or unknown vulnerabilities. Poor scalability of current toolsets also dictates relatively fewer scans, cutting into productivity as the number of applications and releases continues to grow. All of this represents a reactive approach to security assurance that increases the risk of project delays, compromises application security, and ultimately prevents organizations from scaling to meet the demands of continuous delivery.

By contrast, the leading organizations we researched are taking a more agile and proactive approach, one that emphasizes earlier, more frequent testing with feedback loops designed to produce progressively cleaner code. In effect, these organizations are shifting security testing operations to the "left," reducing the number of vulnerabilities introduced during the coding phase, as shown in the figure below.
According to a recent study, organizations that make this move end up spending 55% less time remediating security issues.5

THE EVOLUTION OF SOFTWARE SECURITY ASSURANCE
Mainstay conducted its initial research on the economic impact of Fortify's application security solutions in 2010, a time when the biggest challenges facing IT and application security teams were simply finding software vulnerabilities, and finding them early enough to make remediation easier.4 In 2013, Mainstay re-surveyed leading organizations and concluded they were still largely focused on finding and fixing as many vulnerabilities as possible, and many were choosing cloud services to extend these capabilities to third-party developers. Our latest survey found an evolving market for software security solutions, with organizations demanding greater speed and scalability to meet more ambitious release cadences. Beyond just finding every potential vulnerability, organizations now want better triaging to quickly focus on and remediate the flaws that pose the most serious risk to the business.
[Figure: Scope of Software Security Scans. "Shift Left" Creates the Environment to Support Frequent Releases as Well as Faster Delivery. SDLC phases shown on the timeline: Requirements, Design, Coding, Integration, QA, Production.]

Laggards Test Later and Less Frequently (scope of scans today; need to "shift left"). Activities: code reviews, security testing, penetration testing, vulnerability scanning.
• Reactive
• Likelihood of discovering more vulnerabilities than available capacity to triage or remediate
• Difficulty in remediating
• High risk of application delays
• Incompatible with frequent development releases

Leaders Deploy Software Security Throughout the Software Development Cycle (scope of scans with Fortify). Activities: software security requirements analysis, threat modeling, security architecture design reviews, code reviews, static code analysis, dynamic code analysis, real-time security testing, security testing, penetration testing, vulnerability scanning.
• Proactive
• Vulnerabilities are discovered early
• Easier to remediate
• The number of iterations that occur across the SDLC improves time to production
• The time required to fix an issue is less as you shift left, driving shorter time to production
SURVEY OF SOFTWARE SECURITY OPERATIONS AT LEADING COMPANIES
To understand how leading enterprises are coping with the demands of continuous software delivery, market analyst Mainstay conducted in-depth interviews with application security leaders from a diverse set of companies that adopted products and services from Fortify. Mainstay supplemented these interviews with an online survey to develop an even broader portrait of the challenges that software development and security departments face in today's fast-paced environment.

Among the companies participating in the software security survey were:
• One of the world's largest financial services holding companies
• Two of the world's largest multinational oil and gas companies
• A global peer-to-peer lending and online trading platform company
• A provider of online investing services for institutions
• One of the world's largest banks, with operations in over 50 countries

The survey looked at five critical aspects of the software security assurance process and evaluated how the adoption of Fortify impacted each one:
• Scan Setup. Ease and speed in setting up scans; how well security tools and processes are integrated with the development environment
• Scan Performance. Speed of scans and the number of vulnerabilities found
• Triaging. How effectively vulnerabilities are prioritized and the number of false positives identified; ability to prioritize by criticality; impact of Fortify on Mean Time to Triage (MTTT)
• Remediation. Number of vulnerabilities requiring fixing; remediation efficiency and speed; reduction in repeat vulnerabilities; impact of Fortify on Mean Time to Remediate (MTTR)
• Scalability. How organizations are deploying Fortify to flexibly scale their security processes to scan and remediate significantly more applications in less time.
Metrics include the quantity of apps scanned, scan cycles performed, and developer issues avoided at the source during coding.

The following sections discuss the results of the survey.

[Figure: survey metrics by process stage]
• Setting Up Scans: ease; speed; readiness/integration with development environments
• Performing Scans: speed; number of vulnerabilities identified
• Triaging: speed; number of false positives identified; prioritizing by criticality
• Remediating: number of vulnerabilities to fix; speed of fixing; prioritizing to address critical vulnerabilities first
• Process Scalability: number of apps; number of scan cycles; developer issues avoided at source during coding

WHY FORTIFY
Of the companies surveyed, 54% said that Fortify had been their first choice for application security software.
Their top three reasons for choosing Fortify were: • Solution flexibility • Greater coverage of different programming languages and third-party code • Better ability to find and fix vulnerabilities
KEY FINDING: FORTIFY PROVIDES FASTER, MORE EFFECTIVE SOFTWARE SECURITY ASSURANCE

Faster Scan Setups
In a continuous delivery environment, development teams must move quickly to plan and execute security scans. However, given the wide variety of programming languages and code components commonly found in a modern development environment, it can be a slow process to assemble the right security tools, and the right people and expertise, for the job. Before moving to Fortify, fewer than half of the organizations in our survey could accommodate the requirements of fast (weekly) release cycles. The Fortify platform provided coverage and integration across a broad range of development environments and languages, eliminating the need for multiple point tools and the experts necessary to operate them. On average, companies replaced about 10 tools with a single Fortify solution. This allowed organizations to streamline their software security environment, reduce complexity and improve operational efficiency. Customers believed this offers the potential to lower the overall cost of software security licenses and maintenance.

LESS TIME SCANNING, MORE TIME ENHANCING APPS
Scanning within an integrated development environment (IDE) can take several hours and add 25% or more to development overhead. To speed the process, one Fortify customer created a centralized Hadoop repository where developers can upload code and run scans in minutes. As a result, developers avoid getting bogged down by administrative and security tasks and now have more time to focus on improving the software. The customer considers this a huge competitive advantage in an increasingly software-driven world.

[Chart: Fewer Security Tools Needed. Number of software security tools: 10 before Fortify, 1 after Fortify. Customers replaced 10 different point tools with Fortify, saving on integration and set-up efforts.]

[Chart: Faster Setups Allow More Frequent Releases. Percentage of companies that could support monthly or weekly release cadences: 35% before Fortify, 100% after Fortify. Survey finding: organizations were able to increase their ability to do weekly, monthly or quarterly releases with the same amount of resources.]

Increasing adoption of agile environments is driving the demand for tighter process integration across the development lifecycle. Organizations that moved to the Fortify environment, which provides tools and plugins to simplify integration with existing development environments, could create fast, automated processes for uploading code, running scans, and incorporating security checks into each phase of the development cycle. In fact, the survey found that the percentage of customers who could improve their release frequencies, from annual or quarterly to monthly, weekly, or even daily releases, increased significantly. Whereas only 35% of the respondents could do monthly or weekly releases before adopting Fortify, nearly all respondents said they could handle accelerated release schedules after adopting Fortify's speed-enhancing rules engines, templates, and triaging technologies.
More Efficient Scanning
Most companies focus on combating the top 10 common critical vulnerabilities that impact their organization or application security landscape. For the companies surveyed in 2017, these included cross-site scripting (XSS), SQL injection, broken authentication, cross-site request forgery, and security misconfigurations. More than half of survey respondents reported that Fortify was particularly effective in finding these high-risk vulnerabilities early in the development lifecycle, when they can be remediated more easily and cheaply.6 Tools such as Fortify Security Assistant, for example, enabled developers to identify vulnerabilities in real time while writing code. Overall, companies using Fortify Static Code Analyzer found they could uncover tens of thousands of previously unidentified vulnerabilities. In addition, respondents said they could run scans in significantly less time, from several days to just a few hours or even minutes, freeing developers to focus more time on what they do best: writing high-quality code rather than waiting for scans.

[Chart: Twice as Many True Vulnerabilities Found. Number of true vulnerabilities found: 2X. Customers reported that the number of legitimate vulnerabilities found with Fortify was double that of other software vendors.]

[Chart: ...With Significantly Faster Scans. Speed of scans: 10–15X. Customers reported that scanning with Fortify was 10–15 times faster than with other software vendors.]

WHAT TYPES OF VULNERABILITIES MATTER?
In our survey, most customers were concerned not just with common vulnerabilities like cross-site scripting and SQL injection, but also with data breaches and their consequences, which most rated as one of their top security concerns.
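To make concrete what "finding SQL injection during the coding phase" means, the following is an added example of the kind of rule a static analyzer applies to source code. It is written for this page and is not Fortify's rule engine or any Fortify rule; it is a toy check built on Python's standard ast module, run over a constructed source snippet (the SAMPLE_SOURCE string below is made up for the example). The check flags execute()/executemany() calls whose query text is assembled at runtime by concatenation, %-formatting, .format() or an f-string, and lets the parameterized form through. It deliberately does not follow a query through a variable (the last call in the sample), which is exactly the data-flow tracking a production analyzer adds on top of a pattern like this.

```python
"""Toy static-analysis rule: flag SQL queries built from non-constant strings.

Added illustration of a coding-phase check, not Fortify's rules. Uses only
the standard library and a constructed sample; nothing here is the page's
own code.
"""
import ast

# Constructed sample source. Line 3 concatenates untrusted input into the
# query, line 4 is the parameterized fix, line 5 uses an f-string, and
# line 7 passes the query through a variable (not tracked by this toy rule).
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT id FROM users WHERE name = %s", (name,))
    cur.execute(f"DELETE FROM sessions WHERE user = {name}")
    q = "SELECT 1"
    cur.execute(q)
'''


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + x, "a %s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "a {}".format(x)
    return False


def find_sql_injection_sinks(source: str) -> list[dict]:
    """Return execute()/executemany() calls whose first argument is dynamic.

    Each finding carries the line number, a category label and the offending
    expression, the minimum a triage step needs.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        query = node.args[0]
        if _is_dynamic_string(query):
            findings.append({
                "line": node.lineno,
                "category": "SQL Injection",
                "detail": ast.unparse(query),
            })
    return findings


if __name__ == "__main__":
    for f in find_sql_injection_sinks(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['category']}: {f['detail']}")
```

Run against the sample, the rule reports lines 3 and 5 and stays silent on the parameterized call on line 4. The miss on line 7 is the point of the example: a purely syntactic rule is cheap enough to run on every save, but separating true positives from noise at scale requires the taint tracking and triage the rest of this paper discusses.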
Better Triaging, Fewer False Positives
Survey participants were attracted to Fortify's ability to dig through large sets of vulnerabilities, identify those that are meaningful to the organization, and quickly separate false positives and low-risk issues from serious flaws, significantly reducing mean time to triage (MTTT). Many of the companies augmented their triaging routines by factoring in the latest industry intelligence and trends, and by correlating static and dynamic analyses. Several companies regularly tapped experts from Fortify to design and execute these time-saving triaging protocols. One leading data-analytics company, for example, routinely uploads code to Fortify on Demand to scan, then conducts a joint review and triaging session with the technical account manager before starting remediation.

[Chart: 95% Fewer False Positives. Reduction in false positives: 95%. Customers reported that the number of false positives was reduced by up to 95% with the Fortify on Demand managed services offering.]

Improved Remediation Efforts
Survey respondents repeatedly stressed the importance of finding vulnerabilities early in the development lifecycle, noting that it took nearly 100 times more effort to remediate security flaws found after software had gone into production than flaws found during the coding process. Vulnerabilities found during quality assurance testing are less expensive to remediate but still take about 10 times more effort and time to fix than those found in the coding phase. On average, organizations reported they could complete triaging and remediation tasks about 10 times faster with Fortify, from 20 days per application to just one to two days. Again, the time saved could be redirected to enhancing the software in ways that made it more appealing to end users.

[Chart: 10X Faster Triaging and Remediation. Before Fortify: 20 days per app to triage and remediate; after Fortify: 1–2 days per app. Customers reported that, with Fortify, they are able to speed up the triaging and remediation process.]

FALSE POSITIVES CAN SLOW YOU DOWN
A leading financial institution reported that scans for a large application could uncover as many as 50,000 vulnerabilities, of which 60% could consist of time-wasting false positives, flaws the organization did not deem important, or vulnerabilities that could be sorted into groups for more efficient remediation. Using Fortify's software and managed services, the institution avoided false positives and leveraged insights that improved triaging and remediation, reducing workloads significantly. Noted one IT executive: "The only way to scale is by eliminating false positives."
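The triage practices described above, carrying an audited false positive forward so it is never re-triaged by hand, grouping and ranking what remains, and telling new issues from repeat ones across scans, depend on giving each finding a stable identity. The following is an added example of that mechanism; it is not Fortify's FPR format, its audit workflow or its "not an issue" handling, and the two scan result lists are constructed records with the fields a SAST report typically carries. The fingerprint intentionally excludes the line number, because line numbers drift between commits and would make the same unfixed issue look "new" on every scan.

```python
"""Scan-to-scan triage: fingerprint findings, carry forward audited false
positives, and split the current scan into new, recurring and fixed issues.

Added example; not Fortify's report format or audit workflow. Findings are
constructed dicts, not output of any real scanner.
"""
import hashlib
from collections import Counter

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed baseline (previous release) and current scan.
PREVIOUS_SCAN = [
    {"category": "SQL Injection", "severity": "Critical", "file": "users.py",
     "function": "find_user", "sink": "cursor.execute", "line": 42},
    {"category": "Cross-Site Scripting", "severity": "High", "file": "views.py",
     "function": "render_profile", "sink": "response.write", "line": 88},
    {"category": "Path Manipulation", "severity": "Low", "file": "files.py",
     "function": "read_report", "sink": "open", "line": 17},
]
CURRENT_SCAN = [
    # Same SQL injection, shifted five lines by unrelated edits: must be "recurring".
    {"category": "SQL Injection", "severity": "Critical", "file": "users.py",
     "function": "find_user", "sink": "cursor.execute", "line": 47},
    # Still reported, but audited as Not an Issue after the previous scan.
    {"category": "Path Manipulation", "severity": "Low", "file": "files.py",
     "function": "read_report", "sink": "open", "line": 17},
    # Newly introduced issue.
    {"category": "Cross-Site Request Forgery", "severity": "Medium", "file": "views.py",
     "function": "update_email", "sink": "route", "line": 120},
]


def fingerprint(finding: dict) -> str:
    """Stable identity for an issue: category, file, enclosing function and
    sink. Line numbers are left out on purpose, they move between commits."""
    key = "|".join(finding[k] for k in ("category", "file", "function", "sink"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(previous: list[dict], current: list[dict], not_an_issue: set[str]) -> dict:
    """Classify current findings against the previous scan and the audit set."""
    prev_ids = {fingerprint(f) for f in previous}
    cur = {fingerprint(f): f for f in current}
    # Audited false positives are suppressed automatically, never re-triaged.
    open_issues = {fp: f for fp, f in cur.items() if fp not in not_an_issue}
    # Developers see Critical before Low; sorted() is stable, so ties keep report order.
    work_queue = sorted(open_issues.values(),
                        key=lambda f: -SEVERITY_RANK[f["severity"]])
    return {
        "suppressed": sorted(fp for fp in cur if fp in not_an_issue),
        "new": sorted(fp for fp in open_issues if fp not in prev_ids),
        "recurring": sorted(fp for fp in open_issues if fp in prev_ids),
        "fixed": sorted(prev_ids - set(cur)),
        "work_queue": work_queue,
        "by_category": Counter(f["category"] for f in work_queue),
    }


def run_example() -> dict:
    """Triage the constructed scans; the Path Manipulation finding was
    marked Not an Issue by an auditor after the previous scan."""
    audited = {fingerprint(PREVIOUS_SCAN[2])}
    return triage(PREVIOUS_SCAN, CURRENT_SCAN, audited)


if __name__ == "__main__":
    result = run_example()
    print(f"new={len(result['new'])} recurring={len(result['recurring'])} "
          f"fixed={len(result['fixed'])} suppressed={len(result['suppressed'])}")
    for f in result["work_queue"]:
        print(f"  [{f['severity']}] {f['category']} in {f['file']}:{f['line']}")
```

On the constructed data the queue contains two items (the recurring Critical SQL injection first, then the new Medium CSRF), the XSS issue is reported as fixed, and the audited Path Manipulation finding is suppressed without anyone looking at it again. The "recurring" bucket is the raw material for the repeat-vulnerability metric the paper tracks; the "suppressed" bucket is where the reported false-positive reduction comes from once an audit decision is recorded once and reused.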
KEY FINDING: FORTIFY'S SCALABILITY DRIVES CONTINUOUS DELIVERY
As the number of applications continues to grow, organizations need to scale their software security programs to avoid delays in delivering releases and updates. Companies in the survey consistently identified a set of obstacles to achieving process scalability. These included:
• Disparate point solutions
• Manual processes/lack of automation
• Poor identification of vulnerabilities
• Large numbers of false positives
• Lack of access to security expertise

When organizations combined Fortify solutions with Fortify's managed services offering, they could transform software security assurance into a fully scalable and repeatable process capable of managing the increasing operational demands of enterprise-level development organizations.8

What does true scalability look like? Before adopting Fortify, one customer in the survey could complete about 30–50 scans per quarter, covering about 25 applications. Since implementing Fortify, it can complete 300 scans covering 75 applications, a 30X increase in speed and capacity.

[Chart: 30X More Scanning, More Apps. Before Fortify: 30–50 scans covering 25 apps; after Fortify: 300 scans covering 75 apps.]

[Chart: Fewer Repeat Vulnerabilities. 40% reduction in vulnerabilities. Customers reported seeing a 40% reduction in repeat vulnerabilities, resulting in higher-quality, more secure applications.]

[Chart: Scaling Up for the Future. 2X. Survey finding: Fortify customers expect to double the number of applications scanned in the future.]
KEY FINDING: FORTIFY ENABLES FASTER TIME TO MARKET
When organizations used Fortify to accelerate and improve the quality of their software security testing and remediation, they significantly reduced the length of their software development lifecycles, helping teams throughout the organization meet rapid-release deadlines. As illustrated below, before adopting Fortify, organizations faced longer testing timelines, the result of less-frequent and later-cycle scanning and remediation efforts. Respondents reported that late-cycle security "surprises" could easily threaten market launches. With Fortify, organizations can scan code, find and fix vulnerabilities in frequent iterations starting early in the lifecycle, and leverage advanced triaging techniques to shrink cycles even further. The result: a greater number of relevant vulnerabilities are uncovered and remediated earlier, and tail-end surprises are minimized. Furthermore, repeat vulnerabilities are progressively reduced because developers learn to code more securely, resulting in cleaner and more secure code in each future cycle.

[Figure: Faster Time to Market with Fortify (Scalability and Time to Market Acceleration). Axes: number of vulnerabilities found over time. Without Fortify ("waterfall methodology"): effort peaks, high risk, rare release events. With Fortify ("agile methodology"): smoother effort, less risk, frequent release events. Annotations: 30X more scanning; 2X more vulnerabilities found; vulnerabilities remediated 10X faster; 10–15X faster scans; 95% fewer false positives.]

KEY FINDING: FORTIFY IMPROVES MANAGEMENT OF EXTENDED DEVELOPMENT ECOSYSTEMS

Managing Third-Party Developers
Many organizations today supplement their in-house developers with third-party coding contractors. Operationalizing the software security process to include these external teams, however, can be a complex challenge for development organizations. Several of the companies we studied are using Fortify on Demand to extend security testing and quality control to third-party developers. Some have created innovative "pay for performance" programs that adjust the fees paid to outsourcing partners based on the "cleanliness" of the code delivered. The result: improved product quality and better value for the money spent on outside vendors.
EMPOWERING CONTINUOUS DELIVERY
Mainstay's previous research identified Fortify as one of the leaders in helping organizations find more vulnerabilities, and find them earlier in the software development lifecycle. The current survey clearly confirmed this earlier conclusion, with customers reporting they found twice as many relevant vulnerabilities with Fortify compared to competing solutions. However, in this survey, organizations pointed to additional benefits that were equally, if not more, critical to success. These included Fortify's ability to produce fewer false positives, and its ability to provide rich insights and correlations to efficiently remediate the remaining valid vulnerabilities. Together these capabilities are giving organizations the means to support their expanding development environments and significantly faster release cadences.

BENEFIT SUMMARY
The table below summarizes the range of benefits that organizations can achieve by adopting Fortify.

Summary of Operational Improvements from Fortify (benefit: before Fortify / after Fortify)
• Simplify and reduce SSA set-up time: 10 point tools / Single end-to-end tool
• Scan faster: 1 to 3 weeks per app / A few hours to 1 day
• Find more vulnerabilities: Thousands per app / At least 2X more true vulnerabilities found
• Triage and audit faster: 1 to 2 weeks per app / 1 to 2 days
• Reduce number of false positives: 1,000 to 50,000 per app / 10s to 100s, a 95% reduction
• Reduce remediation effort: 3 to 4 weeks / 1 to 2 weeks
• Avoid repeat vulnerabilities: Repeat vulnerabilities common / Repeat vulnerabilities reduced by 40%
• Scalability: 30 to 50 scans covering 25 apps per quarter / 300 scans covering 75 apps per quarter

In addition to the operational improvements, many of the organizations found that Fortify enabled them to:
• Accelerate application time to market
• Reduce disaster recovery and data breach costs
• Get better value for services from third-party development vendors

TEAMING WITH FORTIFY FOR GREATER ASSURANCE
To realize the full potential of their SSA programs, organizations augmented their Fortify solutions with managed services and resources from Fortify's professional services team. These include best practices, metrics, and templates designed to ensure a predictable and measurable software security process.
THE WAY FORWARD
For companies that leverage software to compete, the ability to rapidly develop and update applications has become a strategic necessity. Application development teams are addressing this demand for continuous software delivery by moving from annual and quarterly releases to monthly, weekly and even daily releases. For software security teams, this translates into a set of challenges beyond just uncovering as many vulnerabilities as possible, as early as possible. To sustain fast-paced continuous delivery environments and ever-growing volumes of applications, security teams will need to introduce more automation and achieve even greater levels of operational efficiency.

In this survey of leading companies, we found that Fortify is changing the game for development and security teams. Using Fortify's end-to-end application security solutions, organizations can test application code and remediate vulnerabilities faster and more effectively than ever before. Driving the speed and performance boost is a new generation of triaging tools and technologies that virtually eliminate false positives and isolate valid vulnerabilities for swift remediation.

Going forward, release cadences will only get faster, forcing IT to condense development cycles even more. It is a trend that will compel greater numbers of organizations to adopt next-generation security assurance technologies that can scale exponentially and ensure continuous delivery as the business's reliance on software grows. In this new era, Fortify will continue to innovate and help organizations keep pace with high-performance application security solutions and services.

For more information about Fortify, visit fortify.com.
ENDNOTES
1 When automotive manufacturer Tesla discovers an issue with its cars, it delivers the software directly to the owner via a download the owner initiates in the car, saving Tesla millions of dollars. Traditional automobiles, by contrast, require expensive physical recalls when an engineering or manufacturing issue is discovered.
2 "Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance," Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
3 The average development organization uses as many as 10 security testing and remediation tools.
4 This current survey builds on earlier studies of the business impact of Fortify solutions. See: "Does Application Security Pay? Measuring the Business Impact of Software Security Assurance Solutions," Mainstay, 2010 (updated 2013). http://h30528.www3.hp.com/Security/Fortify_Mainstay_ROI_Study.pdf
5 "Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance," Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
6 A leading bank reported that a scan of a large application could turn up as many as 50,000 vulnerabilities.
7 Fortify's more than 50,000 pre-defined rules across several programming languages contributed to finding more vulnerabilities, companies said.
8 A typical Fortify on Demand environment can comprise about 400 developers and 75 applications built using Java (80%), .NET (12%) and Mobile (8%).
9 "Better Outcomes, Faster Results: Continuous Delivery and the Race for Better Business Performance," Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise), Dec. 2013.
Sponsored by:
Research and analysis for this study was conducted by Mainstay, an independent consulting firm that has performed over 300 studies for leading information technology providers including Cisco, Oracle, SAP, Microsoft, Dell, Lexmark, HP, EMC and NetApp. This case study was based on interviews with security executives currently using SSA solutions. Information contained in the publication has been obtained from sources considered reliable, but is not warranted by Mainstay.
Copyright © 2017 Mainstay.
Mainstay, www.mainstaycompany.com, 2929 Campus Drive, Suite 150, San Mateo, CA 94405. p. 650.638.0575 f. 650.638.0578