CONFIDENTIAL © 2019 Synopsys, Inc.
Risk-Based Adaptive DevSecOps
Build Secure, High-Quality Software Faster
Meera Rao
DevSecOps Practice Director
Synopsys Software Integrity Group
Agenda
DevSecOps challenges
Previous solutions
Risk-based adaptive DevSecOps (RAD) framework
4 risk-based adaptive models
DevSecOps challenges

• Barrier to velocity and innovation
• Causes deadlines to slip
• Time-consuming and doesn’t support hourly deployments
• Needs a lot of customization
• No uniform way to provide continuous feedback
• Scaling remains a challenge
• Finally, no risk-based approach

Software security is often viewed as an impediment to DevOps.
Current solutions

Application security touchpoints
The use of security analysis techniques on a specified (i.e., designed) or functional (i.e., running) instance of a software application to identify potential vulnerabilities or other risk.

Figure: touchpoints mapped across the pipeline phases Plan, Code, Commit, Build, Test, Release, Deploy, and Operate and Monitor. Activities shown, in pipeline order:
• Security requirements
• Threat models
• Risk analysis
• IDE integration
• Static analysis
• Pre-commit
• SAST and SCA
• Manual code review
• DAST/IAST
• SAST
• Fuzz testing
• Secure configuration
• Packaging for deployment
• Operational protections
• Penetration testing
• Continuous scanning
• Bug bounty
• Red teaming
• RASP
3-tiered SAST solution

Manual code review with SAST tools (assurance)
Solution: Centralized SSG service bureau (out-of-band)
When in SDLC: SAST or manual code review on demand
Frequency: Ad hoc basis, nightly or weekly
Purpose: Comprehensive review; achieve deeper coverage

SAST in the pipeline (reduce risk, ongoing detection)
Solution: Hybrid model (commit, build, and test time)
When in SDLC: Check-in builds
Frequency: As developers check in code
Purpose: Reduce risk, inline with pipeline; capture real-time metrics

SAST in IDE pre-commit hooks (prevent and enable)
Solution: Self-service (pre-commit)
When in SDLC: Just in time within developers' IDEs
Frequency: As code is being developed
Purpose: Developer enablement; just-in-time security expert
SAST integration in pipeline

SAST01: The SAST tool runs in the IDE as developers write code. The tool is configured to detect vulnerabilities that have zero false positives, including issues such as SQL injection and XSS. The scan should take seconds.

SAST02: The SAST tool is automated on the CI server. The tool is configured for the client’s top 10 issues, such as command injection and hard-coded keys. The tool also uses rules from SAST01. The scan should take 4–5 minutes so developers get feedback fast.

SAST03: The SAST tool uses rules for the OWASP Top 10 and any customized rulesets written for client-specific APIs. The scan can be run in parallel with other activities and should take 10–15 minutes.

SAST04: The SAST tool uses comprehensive rulesets. All previous rulesets are excluded. The goal is to find issues before the code goes to production. The scan should take anywhere from an hour to 3–4 hours, depending on production velocity.
Major and minor pipelines

CI/CD major pipeline
Pre-commit
• IDE SAST check
• Git hooks
• Threat modeling
• Risk analysis
Commit
• Clean and compile
• Lightweight SAST
• Gather metrics
• Create bug tickets
Build
• Package and publish artifact
• Build and scan container images
• SCA
• Comprehensive SAST
• Gather metrics
• Create bug tickets
Test
• QA testing
• DAST/IAST
• Gather metrics
• Create bug tickets

CI/CD minor pipeline
Pre-commit
• IDE SAST check
• Git hooks
Commit
• Clean and compile
• Lightweight SAST
• Gather metrics
• Create bug tickets
Build
• Package and publish artifact
• Build and scan container images
• Gather metrics
• Create bug tickets
Test
• QA testing
• Lightweight DAST
• Gather metrics
• Create bug tickets
Risk-based adaptive DevSecOps (RAD) framework

Why risk-based adaptive DevSecOps?
• Closes the gap between DevOps and security teams
• Helps DevOps teams accelerate deployment without compromising security
• Implements intelligence within the pipeline by:
  ◦ Matching the team’s velocity
  ◦ Providing intelligent feedback
  ◦ Supporting organizations at scale
  ◦ Helping align people, process, and technology

Figure: the overlap of Development, Security, and Operations.
Risk-based adaptive DevSecOps (RAD) models

• AST Model
• Dynamic Model
• GRC Model
• Assurance Model

The RAD framework is a fully automated, risk-based, dynamic, adaptable engine that intakes information from various systems to make real-time security activity decisions.
AST Model

Tool: Description
• Static analysis security testing (SAST): Analyzes an application’s source code to identify vulnerabilities without execution
• Dynamic analysis security testing (DAST): Performed specifically to find security defects, usually in web applications
• Software composition analysis (SCA): Finds reported vulnerabilities in third-party software components
• Interactive application security testing (IAST): Typically encompasses the use of software test harnesses (i.e., agents) to monitor an application being tested using DAST, as well as corresponding SAST output to further fine-tune testing, enhancing overall testing coverage, speed, and accuracy
• Infrastructure testing: Finds vulnerabilities in provisioned infrastructure that expose the attack surface
• Runtime application self-protection (RASP): Integrates with an application to prevent attacks at runtime by monitoring and analyzing traffic and user behavior
Dynamic Model

Retrieve the bill of materials from the version control repository, then:
• Understand what code has changed
• Quantify how much code has changed
• Evaluate the significance of the code that has changed
• Understand whether any open source has changed
• Consider the nature of the release (major, minor, or a release candidate)

The model uses all of the above information, plus information from the other models, to trigger the appropriate security activities.
GRC Model

Some common questions this model uses:
• Is the application internet-facing?
• Does the application collect, process, or present sensitive data (e.g., PII, HCI)?
• Is this application subject to any security requirements due to government or industry regulations?
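The Dynamic Model's change factors, the GRC questions above, and the major/minor pipeline split can be wired together as one decision step. The following Python is an added example, not Synopsys code or the RAD framework itself; the path patterns, weights, threshold and activity mapping are assumptions, and the SAST tier time budgets are the ones quoted for SAST02 to SAST04 earlier on this page.

```python
from dataclasses import dataclass

# Path prefixes whose changes count as security-significant (assumption).
SENSITIVE_PATHS = ("src/auth/", "src/crypto/", "src/session/", "src/payments/")
# Files whose change means the open source bill of materials changed (assumption).
DEPENDENCY_MANIFESTS = ("pom.xml", "package.json", "package-lock.json",
                        "requirements.txt", "go.mod", "Dockerfile")
# Upper bound of each in-pipeline SAST tier's scan budget in minutes (SAST02-SAST04 above).
SAST_TIER_BUDGET_MIN = {"SAST02": 5, "SAST03": 15, "SAST04": 240}


@dataclass
class ChangeSet:
    """Bill of materials for one change, as the Dynamic Model reads it from version control."""
    files: list[str]
    lines_changed: int
    release_type: str          # "major", "minor" or "rc"


@dataclass
class GrcProfile:
    """Answers to the GRC Model's questions for the application."""
    internet_facing: bool
    sensitive_data: bool       # PII or similar
    regulated: bool


@dataclass
class Decision:
    pipeline: str              # "minor" or "major"
    sast_tiers: list[str]
    activities: list[str]
    out_of_band: list[str]
    risk_score: int


def touches_sensitive_code(change: ChangeSet) -> bool:
    return any(f.startswith(SENSITIVE_PATHS) for f in change.files)


def open_source_changed(change: ChangeSet) -> bool:
    return any(f.split("/")[-1] in DEPENDENCY_MANIFESTS for f in change.files)


def risk_score(change: ChangeSet, grc: GrcProfile) -> int:
    """Weighted sum of the Dynamic Model's change factors and the GRC answers (weights are assumptions)."""
    score = 0
    if change.lines_changed > 50:          # how much code changed
        score += 1
    if change.lines_changed > 500:
        score += 1
    if touches_sensitive_code(change):     # significance of what changed
        score += 2
    if open_source_changed(change):        # open source changed
        score += 2
    score += {"major": 2, "rc": 1}.get(change.release_type, 0)  # nature of the release
    score += 2 if grc.internet_facing else 0
    score += 2 if grc.sensitive_data else 0
    score += 1 if grc.regulated else 0
    return score


def decide(change: ChangeSet, grc: GrcProfile, threshold: int = 5) -> Decision:
    """Map a change plus its GRC profile to a pipeline, SAST tiers and out-of-band activities."""
    score = risk_score(change, grc)
    # Open source changes and release builds always take the major pipeline; the rest is score-driven.
    major = (score >= threshold or open_source_changed(change)
             or change.release_type in ("major", "rc"))
    tiers = ["SAST02"]                     # commit-time lightweight SAST runs every time
    activities = ["Clean and compile", "Lightweight SAST", "Build and scan container images",
                  "Gather metrics", "Create bug tickets"]
    if major:
        tiers.append("SAST03")
        activities += ["SCA", "Comprehensive SAST", "DAST/IAST"]
    else:
        activities.append("Lightweight DAST")
    if change.release_type in ("major", "rc"):
        tiers.append("SAST04")             # comprehensive rules before code goes to production
    # Assurance Model: decided here, run out-of-band, not inside the automated pipeline.
    oob = []
    if touches_sensitive_code(change):
        oob.append("Manual code review")
        if grc.sensitive_data or grc.internet_facing:
            oob.append("Threat modeling")
    if change.release_type == "major":
        if grc.internet_facing:
            oob.append("Penetration testing")
        if change.lines_changed > 500:
            oob.append("ARA")
    return Decision("major" if major else "minor", tiers, activities, oob, score)


def budget_minutes(decision: Decision) -> int:
    """Upper bound on total SAST scan time implied by the chosen tiers."""
    return sum(SAST_TIER_BUDGET_MIN[t] for t in decision.sast_tiers)


# Constructed sample inputs (not from any real repository or application).
DOC_FIX = ChangeSet(files=["README.md"], lines_changed=3, release_type="minor")
AUTH_RELEASE = ChangeSet(files=["src/auth/login.py", "requirements.txt"],
                         lines_changed=620, release_type="major")
PUBLIC_APP = GrcProfile(internet_facing=True, sensitive_data=True, regulated=False)
INTERNAL_TOOL = GrcProfile(internet_facing=False, sensitive_data=False, regulated=False)

if __name__ == "__main__":
    for change, grc in ((DOC_FIX, INTERNAL_TOOL), (AUTH_RELEASE, PUBLIC_APP)):
        print(decide(change, grc))
```

A documentation-only commit on an internal tool stays on the minor pipeline with a five-minute SAST budget, while an authentication change plus a dependency bump in a major release of a public, PII-handling application takes the major pipeline, all three SAST tiers and every out-of-band activity.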
Assurance Model

Flow shown on the slide:
Run lightweight IDE-based SAST tool → Run pre-commit checks → Checks passed? → Commit code to SCM (code check-in successful) → CI/CD pipeline activities kicked off → Trigger out-of-band activities:
• Penetration testing
• Manual code review
• ARA
• Threat modeling
Bringing it all together

Figure: the RAD framework, fed by the AST, Dynamic, GRC, and Assurance models, drives the DevSecOps pipeline activities through an API: SAST, SCA, IAST, DAST, IAC, CS/CC.
Summing it up

• No matter what AST tools you’re using, ensure that they support the technologies your organization uses and the applications you’re building in your pipeline.
• The results of AST tools and security activities should be pushed to various systems for appropriate data gathering and analysis (GRC tool, defect tracking tool, metrics dashboard).
• Out-of-band activities are determined by the RAD framework for assurance, but are not part of the automated pipeline.
• Reinforce company security standards and provide real-time feedback and guidance so development can address application security goals proactively.
• Incentivize teams to make their modules fail the build on security issues.
• Improve time to production without compromising your security profile/posture by using the RAD framework.
Questions?
Thank You

 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 

Recently uploaded (20)

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 

Webinar – Risk-based adaptive DevSecOps

  • 7. © 2019 Synopsys, Inc.7 3-tiered SAST solution Solution: Centralized SSG service bureau (out-of-band) When in SDLC—SAST or manual code review on demand Frequency—Ad hoc basis, nightly or weekly Purpose Comprehensive review Achieve deeper coverage Solution: Hybrid model (commit, build, and test time) When in SDLC—check-in builds Frequency—As developers check in code Purpose Reduce risk, inline with pipeline Capture real-time metrics Solution: Self-service (pre-commit) When in SDLC—Just in time within developers' IDEs Frequency—As code is being developed Purpose Developer enablement Just-in-time security expert Assurance Reduce risk, ongoing detection Prevent and enable Manual code review with SAST tools SAST in the pipeline SAST in IDE pre-commit hooks
  • 8. CONFIDENTIAL© 2019 Synopsys, Inc.8 SAST integration in pipeline SAST01 The SAST tool runs in the IDE as developers write code. The tool is configured to detect vulnerabilities that have zero false positives, including issues such as SQL injection and XSS. The scan should take seconds. SAST02 The SAST tool is automated on the CI server. The tool is configured for the client’s top 10 issues, such as command injection and hard-coded keys. The tool also uses rules from SAST01. The scan should take 4–5 minutes so developers get feedback fast. SAST03 The SAST tool uses rules for the OWASP Top 10 and any customized rulesets written for client-specific APIs. The scan can be run in parallel with other activities and should take 10–15 minutes. SAST04 The SAST tool uses comprehensive rulesets. All previous rulesets are excluded. The goal is to find issues before the code goes to production. The scan should take anywhere from an hour to 3–4 hours, depending on production velocity.
  • 9. CONFIDENTIAL© 2019 Synopsys, Inc.9 Major and minor pipelines Pre-commit • IDE SAST check • Git hooks • Threat modeling • Risk analysis Commit • Clean and compile • Lightweight SAST • Gather metrics • Create bug tickets Build • Package and publish artifact • Build and scan container images • SCA • Comprehensive SAST • Gather metrics • Create bug tickets Test • QA testing • DAST/IAST • Gather metrics • Create bug tickets Pre-commit • IDE SAST check • Git hooks Commit • Clean and compile • Lightweight SAST • Gather metrics • Create bug tickets Build • Package and publish artifact • Build and scan container images • Gather metrics • Create bug tickets Test • QA testing • Lightweight DAST • Gather metrics • Create bug tickets CI/CD minor pipeline CI/CD major pipeline
  • 10. CONFIDENTIAL© 2019 Synopsys, Inc.10 Risk-based adaptive DevSecOps (RAD) framework
  • 11. CONFIDENTIAL© 2019 Synopsys, Inc.11 Why risk-based adaptive DevSecOps? • Closes the gap between DevOps and security teams • Helps DevOps teams accelerate deployment without compromising security. • Implements intelligence within the pipeline by: ØMatching the team’s velocity ØProviding intelligent feedback ØSupporting organizations at scale ØHelping align people, process, and technology Development Security Operations
  • 12. CONFIDENTIAL© 2019 Synopsys, Inc.12 Risk-based adaptive DevSecOps (RAD) models AST Model Dynamic Model GRC Model Assurance Model The RAD framework is a fully automated, risk-based, dynamic, adaptable engine that intakes information from various systems to make real-time security activity decisions.
  • 13. CONFIDENTIAL© 2019 Synopsys, Inc.13 AST Model Tool Description Static analysis security testing (SAST) Analyzes an application’s source code to identify vulnerabilities without execution Dynamic analysis security testing (DAST) Performed specifically to find security defects, usually in web applications Software composition analysis (SCA) Finds reported vulnerabilities in third-party software components Interactive application security testing (IAST) Typically encompasses the use of software test harnesses (i.e., agents) to monitor an application being tested using DAST, as well as corresponding SAST output to further fine-tune testing— enhancing overall testing coverage, speed, and accuracy Infrastructure testing Finds vulnerabilities in provisioned infrastructure that expose the attack surface Runtime application self-protection (RASP) Integrates with an application to prevent attacks at runtime by monitoring and analyzing traffic and user behavior
  • 14. CONFIDENTIAL© 2019 Synopsys, Inc.14 Dynamic Model Retrieve bill of materials from version control repository. • Understand what code has changed • Quantify how much code has changed • Evaluate significance of code that has changed • Understand whether any open source has changed • Consider the nature of the release (major, minor, or a release candidate) The model uses all the above information and information from other models to trigger appropriate security activities.
  • 15. CONFIDENTIAL© 2019 Synopsys, Inc.15 GRC Model Is the application internet- facing? Does the applicationcollect, process, orpresent sensitive data(e.g., PII, HCI)? Is this application subject to any security requirements due to government or industry regulations? Some common questions this model uses:
  • 16. CONFIDENTIAL© 2019 Synopsys, Inc.16 Assurance Model Run lightweight IDE-based SAST tool C: Run pre-commit checks Checks passed? Code check-in successful CI/CD pipeline activities kicked off Commit code to SCM Trigger out-of-band activities Penetration testing Manual code review ARA Threat modeling
  • 17. CONFIDENTIAL© 2019 Synopsys, Inc.17 Bringing it all together API RAD framework DevSecOps pipeline activities GRC ModelAST Model SAST SCA IAST DAST IAC CS/CC Dynamic Model Assurance Model
  • 18. CONFIDENTIAL© 2019 Synopsys, Inc.18 Summing it up • No matter what AST tools you’re using, ensure that they support the technologies your organization uses and the applications you’re building in your pipeline. • The results of AST tools and security activities should be pushed to various systems for appropriate data gathering and analysis (GRC tool, defect tracking tool, metrics dashboard). • Out-of-band activities are determined by the RAD framework for assurance, but not part of the automated pipeline. • Reinforce company security standards and provide real-time feedback and guidance so development can address application security goals proactively. • Incentivize teams to make their modules fail the build on security issues. • Improve time to production without compromising your security profile/posture by using the RAD framework.
  • 19. CONFIDENTIAL© 2019 Synopsys, Inc.19 Questions?
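The deck describes the decision the RAD framework makes (slides 8, 9, 14 and 15) but shows no implementation. The Python below is an added example, not Synopsys code or any part of the RAD framework: it turns the Dynamic Model inputs (what changed, how much, whether it is security-significant, whether open source changed, release type) and the GRC questions into a risk score, and uses that score to pick the minor or major pipeline activities from slide 9, the SAST tier from slide 8, and any out-of-band assurance work from slide 16. The path prefixes, weights, thresholds and sample change sets are all assumptions constructed for the example; a real pipeline would read the change set from version control and the GRC answers from an application inventory.

```python
"""Risk-based selection of pipeline security activities (added example).

Constructed illustration of a RAD-style decision: Dynamic Model inputs plus
GRC answers produce a risk score that selects the minor or major pipeline,
the SAST tier and any out-of-band assurance activities. Prefixes, weights
and thresholds are assumptions, not values from the webinar.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ChangeSet:
    """What version control reports for this build (constructed input)."""
    release_type: str                # "major", "minor" or "rc"
    files: Dict[str, int]            # changed path -> lines changed
    dependency_files_changed: bool   # manifest/lockfile touched, i.e. open source changed


@dataclass(frozen=True)
class GrcProfile:
    """Answers to the GRC model's questions for the application."""
    internet_facing: bool
    sensitive_data: bool             # PII, health data, etc.
    regulated: bool                  # government/industry requirements apply


# Assumed: code under these prefixes is security-significant.
SENSITIVE_PREFIXES = ("src/auth/", "src/payment/", "src/crypto/", "src/session/")
MAJOR_PIPELINE_THRESHOLD = 5         # assumed score at which the major pipeline runs
OUT_OF_BAND_THRESHOLD = 8            # assumed score that also triggers manual assurance

BASE_ACTIVITIES = [                  # common to both pipelines on slide 9
    "clean-and-compile", "lightweight-sast", "package-and-publish-artifact",
    "build-and-scan-container-images", "qa-testing", "gather-metrics",
    "create-bug-tickets",
]


def touches_sensitive_code(cs: ChangeSet) -> bool:
    """Significance of the change: does it touch a sensitive path prefix?"""
    return any(path.startswith(SENSITIVE_PREFIXES) for path in cs.files)


def risk_score(cs: ChangeSet, grc: GrcProfile) -> int:
    """Combine Dynamic Model inputs and GRC answers into one score (assumed weights)."""
    score = 0
    if cs.release_type in ("major", "rc"):        # nature of the release
        score += 3
    total_lines = sum(cs.files.values())           # how much code changed
    if total_lines > 500:
        score += 2
    elif total_lines > 100:
        score += 1
    if touches_sensitive_code(cs):                 # significance of what changed
        score += 2
    if cs.dependency_files_changed:                # open source changed
        score += 1
    if grc.internet_facing:
        score += 2
    if grc.sensitive_data:
        score += 2
    if grc.regulated:
        score += 1
    return score


def select_activities(cs: ChangeSet, grc: GrcProfile) -> dict:
    """Choose pipeline, SAST tier and out-of-band work for this change set."""
    score = risk_score(cs, grc)
    major = score >= MAJOR_PIPELINE_THRESHOLD
    activities: List[str] = list(BASE_ACTIVITIES)
    if major or cs.dependency_files_changed:       # re-check components whenever they change
        activities.append("sca")
    if major:
        activities += ["comprehensive-sast", "dast-iast"]
    else:
        activities.append("lightweight-dast")
    # SAST tiers from slide 8: fast feedback on commit, deepest rules before production.
    if cs.release_type in ("major", "rc"):
        sast_tier = "SAST04"
    elif major:
        sast_tier = "SAST03"
    else:
        sast_tier = "SAST02"
    out_of_band: List[str] = []                    # assurance work outside the pipeline
    if score >= OUT_OF_BAND_THRESHOLD:
        out_of_band += ["penetration-testing", "manual-code-review"]
    if touches_sensitive_code(cs) and (grc.sensitive_data or grc.regulated):
        out_of_band += ["threat-modeling", "architecture-risk-analysis"]
    return {"score": score, "pipeline": "major" if major else "minor",
            "sast_tier": sast_tier, "activities": activities, "out_of_band": out_of_band}


# Constructed sample inputs (not real projects).
SMALL_FIX = ChangeSet("minor", {"src/ui/banner.js": 12, "README.md": 3}, False)
INTERNAL_APP = GrcProfile(internet_facing=False, sensitive_data=False, regulated=False)
DEP_BUMP = ChangeSet("minor", {"package-lock.json": 800}, True)
PUBLIC_SITE = GrcProfile(internet_facing=True, sensitive_data=False, regulated=False)
PAYMENT_RC = ChangeSet("rc", {"src/payment/checkout.py": 340,
                              "src/payment/refund.py": 90, "requirements.txt": 2}, True)
PAYMENT_APP = GrcProfile(internet_facing=True, sensitive_data=True, regulated=True)

if __name__ == "__main__":
    for cs, grc in ((SMALL_FIX, INTERNAL_APP), (DEP_BUMP, PUBLIC_SITE), (PAYMENT_RC, PAYMENT_APP)):
        print(cs.release_type, select_activities(cs, grc))
```

The three constructed cases show the adaptive behaviour the deck argues for: a cosmetic change to an internal application stays on the minor pipeline with the fast SAST02 rules and no out-of-band work; a large dependency bump on an internet-facing site crosses the threshold and gets SCA and comprehensive SAST even though the release is minor; a release candidate touching payment code in a regulated, data-sensitive application runs the major pipeline with SAST04 and also queues penetration testing, manual code review, threat modeling and ARA outside the pipeline.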