Tim Mackey, Senior Technology Evangelist, Synopsys presented, "Creating a Modern AppSec Toolchain to Quantify Service Risks." For more information on his presentation, please visit https://www.synopsys.com/blogs/software-security/application-security-toolchain/

1. © 2019 Synopsys, Inc.1
Creating a Modern AppSec Toolchain to
Quantify Service Risks
Tim Mackey, Senior Technology Evangelist, Synopsys

2. © 2019 Synopsys, Inc.2
Modern Application Development and Risk
It’s not just about the applications…think process

3. © 2019 Synopsys, Inc.3
Data breaches are serious business
Average cost of data breach:
$7.35 Million
Lost business:
$4.03 Million
Average time to identify
and contain a breach:
206 days
Source: 2017 Cost of Data Breach Study (US Data)
– Ponemon Insitute
Average cost of data breach:
$7.91 Million
Lost business:
$4.20 Million
Average time to identify
and contain a breach:
253 days
Source: 2018 Cost of Data Breach Study (US Data)
– Ponemon Insitute
2017 2018

4. © 2019 Synopsys, Inc.4
Modern application
=
Proprietary Code
+
Open Source Components
+
API Usage
+
Application
Behavior and Configuration

5. © 2019 Synopsys, Inc.5
Gartner definition of DevSecOps
Information security architects must
• Integrate security at multiple points and
• Preserve teamwork, agility and speed in dev environments
Security activities must be an integral part of the
DevSecOps pipeline. DevOps teams have to own security
the same way they own development and operations.
Sec

6. © 2019 Synopsys, Inc.6
The toolchain starts with process
i.e. define security targets and build toolchain from that

7. © 2019 Synopsys, Inc.7
DevSecOps Pipeline: Quality and Security Checks
Build Test Prod
Ops
Deploy
Dev
IDE Feedback
•Risk assessment
•Threat model
•Lightweight SAST
•Local unit tests
• Functional tests
• Load test
• Performance test
• DAST/IAST
• Penetration test
•SAST
•SCA
•Unit tests
•Config tests
•Hardening check
•Network scanning
•Continuous monitoring
•Threat intelligence
•CVE reports
•Regulatory changes

8. © 2019 Synopsys, Inc.8
Example: IoT takes over the world
• Limited CPU resources
• Limited RAM for features
• C/C++ typical
• MQTT common protocol
• Responsive application
• View device data
• View historical information
Web UI
4
4
• Lightweight protocol
• High volume
• Pub/Sub interface
MQTT Broker
Encrypted data
published via MQTT2
IoT Device
• iOS/Android application
• Configure device
• View device data
• Receive notifications
Mobile Interface1
Configure
via Bluetooth
represents constraints
in the system
3
Data stored
for analysis
Analysis Engine
Authentication
and
Authorization
Analysis
Engine MQTT
WebSocket
Core
Data
• Avoid MITM
• Certification
of image
OTA

9. © 2019 Synopsys, Inc.9
Identify security targets from platform requirements
Goal:
Select an IoT
toolchain meeting
product and cost
requirements
Role: Security Architect with CISO and Product Owner guidance
Tasks and requirements:
1. Select platform supporting desired protocols
• Protocol implementations must be resilient
2. Select candidate vendor or open source stack
3. Validate protocols against cost and stability
• Define protocol fuzzing framework
4. Report on security targets during development

10. © 2019 Synopsys, Inc.10
Select development frameworks and environment
Role: Development Lead with Product Owner guidance
Goal:
Select frameworks
capable of meeting
time to market and
security targets
Tasks and requirements
1. Select languages based on security
2. Define build environment
3. Identify commercial and open source
frameworks and libraries
• Define governance for security updates
4. Enable IDE security plugins
5. Enable build time CI analysis

11. © 2019 Synopsys, Inc.11
Continuous security assessments during development
Role: Developer with Development Lead guidance
Goal:
Identify security
governance issues
prior to commits
Tasks:
1. Transparent security review during coding
• No disruption to existing workflows
2. Remediation and contextual guidance
• Lower defect costs by shifting left
3. Developer reviews results before merging

12. © 2019 Synopsys, Inc.12
Continuous security assessments during build
Role: Release Engineer with guidance from QA and Product Owner
Goal:
Ensure release
meets security and
functional targets
Tasks and requirements:
1. Build triggered from merge/pull request
2. Detailed scans run parallel to build process
3. Optionally fail builds based on security
targets/exceptions
4. Analysis summaries fed back to IDE plugins
5. Centralized security progress tracking

13. © 2019 Synopsys, Inc.13
Confirm governance and security target progress
Role: Security Architect
Goal:
Ensure release
meets security and
functional targets
Tasks:
1. Centralized view of security results
2. Review by common taxonomy
• (OWASP Top 10, SANS Top 25)
3. Triage issue status via defect workflows
4. Measure progress against governance targets
5. Define security targets for future releases

14. © 2019 Synopsys, Inc.14
Embedding security targets within your toolchain
Developer
Build
Test
Deploy
Production
Feedback and Security
Monitoring

15. © 2019 Synopsys, Inc.15
IDE-based Security Analysis
Supports most popular IDEs
– IntelliJ, Eclipse, Visual Studio
– Works natively in the developer’s environment
Integrates local and central analysis into IDE
– Reduce incidence of security and quality issues entering codebases
– SAST (Coverity), SCA (Black Duck), IAST(Seeker) and managed
services information at developers finger tips
Provides context-sensitive training & tutorials
– Built-in eLearning integration
– Delivers the right training at the right time
Strengthen adoption by providing security information where developers work – in the IDE

16. © 2019 Synopsys, Inc.16
Centralized Reporting and Analysis
Unified UI, reporting, and alerts
– Simple unified user experience
– Quickly onboard new projects and analysis engines
Flexible cloud-based deployment
– Public/Private Cloud & on-premises
– Single or Multi-tenant
Integrated Analysis Engines
– SAST, SCA, IAST, DAST, Pen Testing, Network
Enterprise systems integrated
– SSO, RBAC
– SCM, CI, Issue Tracking Integrations
– Open API for proprietary integrations
Providing a comprehensive view of software security and quality risks across teams
z

17. © 2019 Synopsys, Inc.17
Security Toolchain – Synopsys Polaris with Code Sight
Code Sight IDE Plugins
3
• Invoke analysis
• Perform capture and
send to platform
CI/CD
Integration
2
• Run analysis on the platform
• Central issue triage and management
• Centralized reporting
56
1
• Support all popular IDEs
• Incremental, high-fidelity analysis
• Local issue triage and management
• Check in to SCM and trigger central builds
• Complement central scans
Polaris Central
Server in the
Public/Private Cloud
Alert and
notifications
4

18. © 2019 Synopsys, Inc.18
Key takeaways
Measure progress against targets and changes in direction
• Identify opportunities to reduce business risk with new technologies
• Design update mechanisms for resiliency against MITM attacks
• Legacy best practices may increase risk when applied to new paradigms
Reduce risks of non-compliance
• Implement continuous monitoring of all deployed apps, complete with dependency inventory
• Reassess point in time decisions and impact of new regulations
• Proactively compare running infrastructure against configured infrastructure for deltas
Define security targets when selecting components and toolchains
• Ensure criteria is understood in Ops, Development and Procurement
• Train all development and operations teams to identify changes in risk
• Document decisions impacting risk acceptance at all points in the SDLC