1. © 2019 Denim Group – All Rights Reserved
A New View of Your Application Security Program with Snyk and ThreadFix
November 12, 2019
Dan Cornell, CTO, Denim Group
Hayley Denbraver, Developer Advocate, Snyk
3. Agenda
• Snyk Background and Demo
• ThreadFix Background
• Snyk and ThreadFix
5. Production Code
6. Production Code
Original Code
7. Production Code
8. Production Code
9. Snyk: Use Open Source, Stay Secure
• Snyk helps you find and fix vulnerabilities in your open source dependencies
• Snyk allows developers to address open source security throughout the software development lifecycle
• Snyk meets developers where they are—in the languages and tools that they use every day
16. Vulnerable App
25. ThreadFix Background
26. ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
• Provide access to powerful analytics
27. ThreadFix Overview
28. Create a consolidated view of your applications and vulnerabilities
29. Application Portfolio Tracking
30. Vulnerability Consolidation
31. Prioritize application risk decisions based on data
32. Vulnerability Prioritization
33. Reporting and Metrics
34. Translate vulnerabilities to developers in the tools they are already using
35. Defect Tracker Integration
36. Secure DevOps with ThreadFix
• What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
37. AppSec Testing for DevOps
• Configuring Testing Policies
• AppSec Testing for DevOps in Action
38. Policy Configuration
• Testing
  • Synchronous
  • Asynchronous
• Decision
• Reporting
Blog Post: Effective Application Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
https://www.denimgroup.com/resources/effective-application-security-for-devops/
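The Policy Configuration slide names the three parts of a pipeline testing policy (synchronous and asynchronous testing, a decision, and reporting) without showing how they fit together. The following is an added illustration, not code from the deck or from ThreadFix or Snyk: a small Python model in which synchronous stages can block a build, asynchronous stages only report, and the decision is a severity threshold applied to synchronous findings. The stage names, the `Finding`/`TestingPolicy` types, the threshold and the sample findings are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Severity ordering used by the decision rule (assumed scale, not ThreadFix's).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    stage: str     # pipeline stage that produced it, e.g. "dependency-scan" (assumed name)
    severity: str  # one of the keys of SEVERITY_RANK
    title: str


@dataclass(frozen=True)
class TestingPolicy:
    synchronous: tuple   # stages run inside the pipeline; their findings may block the build
    asynchronous: tuple  # stages run out-of-band; their findings are reported, never block
    block_at: str        # minimum severity of a synchronous finding that fails the build


def decide(policy, findings):
    """Decision step: the build passes unless a finding from a synchronous
    stage reaches the policy's blocking severity. Asynchronous findings
    never block, no matter how severe; they are left to the report."""
    threshold = SEVERITY_RANK[policy.block_at]
    blocking = [
        f for f in findings
        if f.stage in policy.synchronous and SEVERITY_RANK[f.severity] >= threshold
    ]
    return len(blocking) == 0, blocking


def report(policy, findings):
    """Reporting step: per-stage severity counts, tagged with how the stage
    was run, so asynchronous results stay visible even though they did not
    gate the build. A stage the policy does not mention is flagged rather
    than silently dropped."""
    summary = {}
    for f in findings:
        if f.stage in policy.synchronous:
            mode = "synchronous"
        elif f.stage in policy.asynchronous:
            mode = "asynchronous"
        else:
            mode = "unclassified"
        entry = summary.setdefault(f.stage, {"mode": mode, "counts": Counter()})
        entry["counts"][f.severity] += 1
    return summary


# Constructed sample findings; not real scan output.
SAMPLE_FINDINGS = [
    Finding("dependency-scan", "high", "Vulnerable transitive dependency"),
    Finding("dependency-scan", "low", "Outdated dependency"),
    Finding("dast", "critical", "Missing security header"),
    Finding("manual-pentest", "medium", "Verbose server banner"),
]

# Constructed policy: only the dependency scan gates the build, at "high" or above.
POLICY = TestingPolicy(
    synchronous=("dependency-scan",),
    asynchronous=("dast", "manual-pentest"),
    block_at="high",
)

if __name__ == "__main__":
    passed, blocking = decide(POLICY, SAMPLE_FINDINGS)
    print("build passed:", passed)
    for f in blocking:
        print("  blocked by:", f.stage, f.severity, f.title)
    for stage, entry in report(POLICY, SAMPLE_FINDINGS).items():
        print(stage, entry["mode"], dict(entry["counts"]))
```

With the constructed sample, the high dependency finding fails the build while the critical DAST finding only appears in the report; raising `block_at` to "critical" lets the build pass. The split matters in practice: slow or manual tests belong in the asynchronous set so they cannot stall the pipeline, but the report must still surface them or they are never acted on.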
39. Testing Configuration
40. Testing in Action
41. Testing in Action
42. Testing in Action
43. Snyk and ThreadFix Together
44. Snyk and ThreadFix Integration
• Documentation: https://pypi.org/project/snyk-threadfix/
45. Contact
@denimgroup
www.threadfix.it
www.denimgroup.com
@snyksec
www.snyk.io