© 2019 Denim Group – All Rights Reserved
Enabling Developers in Your
Application Security Program
With Coverity and ThreadFix
August 22, 2019
Dan Cornell, CTO, Denim Group
Mehdi Hashemian, Coverity Product Manager, Synopsys
Agenda
• Synopsys and Coverity Background
• ThreadFix Background
• Coverity and ThreadFix Together
Synopsys and Coverity
Who is Synopsys?
• Team and technology that found Heartbleed
• The leading static analysis solution for security AND quality
• 400+ security experts and a full portfolio of managed and professional services
• The authority on open source security and risk management
Selecting a static analysis solution
Your developers are the front line for security & quality – do they have the tools they need?
• Accuracy: Will your security & development teams be able to trust the results the solution produces?
• Coverage: Does the solution support all the languages and frameworks you use?
• Consistency: Will the solution provide consistent results across desktop and build server analysis?
• Scalability: Will the solution perform and scale to meet the volume and speed of your development?
Coverity Static Analysis
Find critical defects and security weaknesses in code as it’s written
• Fast: incremental analysis; analyzes hundreds of millions of lines of code; supports thousands of developers
• Accurate: patented technology enables deep, full-path coverage, including interprocedural analysis and false-path pruning
• Integrated: open platform; easily integrated with IDEs, CI build servers, SCM and issue tracking systems
Coverity Static Analysis
Broad standards compliance and SDLC integrations
[Figure: security guidelines, standards compliance, language support, SDLC workflow]
ThreadFix Overview
• Create a consolidated view of your
applications, assets, and vulnerabilities
• Prioritize risk decisions based on data
• Translate vulnerabilities to developers in the
tools they are already using
Create a consolidated
view of your assets,
applications, and
vulnerabilities
Test Result Consolidation
• Organizations typically see a 15-35% reduction in finding count due to normalization and de-duplication.
• Includes technology from Denim Group patents:
  • US 10,043,012: Method of Correlating Static and Dynamic Application Security Testing Results for Web Applications
  • US 10,043,004: Method of Correlating Static and Dynamic Application Security Testing Results for a Web and Mobile Application
Prioritize risk decisions
based on data
Vulnerability Prioritization
Translate vulnerabilities to
developers in the tools
they are already using
Defect Tracker Integration
• Bi-directional integration: bundle vulnerabilities into software defects, track development team progress resolving them
• Reduction of Mean Time To Fix (MTTF) of up to 44%
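The consolidation slide (normalization and de-duplication of scanner results) and the defect tracker slide (bundling vulnerabilities into software defects) describe two halves of one workflow. The following is an added example, not ThreadFix's or Coverity's code: it normalizes findings from two hypothetical scanner export formats into one schema, merges duplicates, reports the resulting reduction in finding count, and groups what is left into one defect per weakness per file. The export formats, the checker-to-CWE mapping and the severity ranking are constructed for illustration.

```python
"""Added example (not ThreadFix's or Coverity's code): normalize findings
from two scanners into one schema, de-duplicate them, and bundle what is
left into defect tickets.  The two export formats below are constructed
for illustration and do not match any real tool's output."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample exports.  "sast_a" imitates a tool that reports checker
# names and absolute build paths; "sast_b" reports CWE ids and repo-relative
# paths.  Tool A also emitted one finding twice (a rescan artifact).
SAST_A = [
    {"checker": "SQL_INJECTION", "file": "/build/src/app/UserDao.java", "line": 88, "sev": "High"},
    {"checker": "SQL_INJECTION", "file": "/build/src/app/UserDao.java", "line": 88, "sev": "High"},
    {"checker": "XSS", "file": "/build/src/app/Search.java", "line": 41, "sev": "Medium"},
    {"checker": "RESOURCE_LEAK", "file": "/build/src/app/Report.java", "line": 120, "sev": "Low"},
]
SAST_B = [
    {"cwe": 89, "path": "src/app/UserDao.java", "line": 88, "severity": "critical"},
    {"cwe": 79, "path": "src/app/Search.java", "line": 41, "severity": "medium"},
    {"cwe": 79, "path": "src/app/Search.java", "line": 57, "severity": "medium"},
]

# Assumed mapping from tool A's checker names to CWE ids (hypothetical).
CHECKER_TO_CWE = {"SQL_INJECTION": 89, "XSS": 79, "RESOURCE_LEAK": 404}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    cwe: int
    path: str        # repository-relative so both tools produce the same key
    line: int
    severity: str    # canonical lowercase name
    sources: tuple   # tools that reported this finding


def normalize_a(raw, build_root="/build/"):
    """Map tool A's checker name to a CWE and strip the build root from the path."""
    path = raw["file"]
    if path.startswith(build_root):
        path = path[len(build_root):]
    return Finding(CHECKER_TO_CWE[raw["checker"]], path, raw["line"],
                   raw["sev"].lower(), ("sast_a",))


def normalize_b(raw):
    return Finding(raw["cwe"], raw["path"], raw["line"],
                   raw["severity"].lower(), ("sast_b",))


def consolidate(findings):
    """Merge findings sharing (cwe, path, line): keep the highest severity any
    tool assigned and remember every tool that reported it."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.path, f.line)
        prev = merged.get(key)
        if prev is None:
            merged[key] = f
            continue
        severity = max(prev.severity, f.severity, key=SEVERITY_RANK.__getitem__)
        sources = tuple(sorted(set(prev.sources) | set(f.sources)))
        merged[key] = Finding(f.cwe, f.path, f.line, severity, sources)
    return list(merged.values())


def reduction_percent(raw_count, merged_count):
    """How much normalization plus de-duplication shrank the finding count."""
    return 100.0 * (raw_count - merged_count) / raw_count


def bundle_into_defects(findings):
    """One defect per (cwe, path): a developer gets one ticket listing every
    line with that weakness in that file instead of one ticket per line."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.cwe, f.path)].append(f)
    return {
        key: {"title": f"CWE-{key[0]} in {key[1]}",
              "severity": max((f.severity for f in group), key=SEVERITY_RANK.__getitem__),
              "lines": sorted(f.line for f in group)}
        for key, group in groups.items()
    }


if __name__ == "__main__":
    normalized = [normalize_a(r) for r in SAST_A] + [normalize_b(r) for r in SAST_B]
    merged = consolidate(normalized)
    print(f"{len(normalized)} raw -> {len(merged)} consolidated "
          f"({reduction_percent(len(normalized), len(merged)):.1f}% reduction)")
    for defect in bundle_into_defects(merged).values():
        print(defect)
```

On the constructed input, seven raw findings collapse to four, and those four become three defects; the merged SQL injection finding keeps the highest severity either tool assigned and records both tools as sources, which is the kind of cross-tool agreement that helps prioritization. The key used for merging is the essential design choice: it has to be something both tools can agree on after normalization (here, CWE plus repository-relative path plus line), which is why the build root is stripped before anything is compared.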
Secure DevOps with ThreadFix
• What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
Policy Configuration
• Testing
  • Synchronous
  • Asynchronous
• Decision
• Reporting
Blog Post: Effective Application Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
https://www.denimgroup.com/resources/effective-application-security-for-devops/
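The slide lists Testing (synchronous in the pipeline versus asynchronous outside it), Decision and Reporting as the policy knobs but does not show what a decision looks like. The following is an added example, not ThreadFix's policy engine: it implements the Decision step for the two testing modes, with a fast synchronous gate that blocks only on newly introduced critical findings and a stricter asynchronous policy applied to the whole backlog, plus accepted-risk waivers that expire. The finding fields, the policy shape and the waiver records are assumptions constructed for the example.

```python
"""Added example (not ThreadFix's policy engine): one way to implement the
Decision step for the two testing modes the slide lists.  The policy shape,
finding fields and risk-acceptance records are assumptions."""
from datetime import date

# Constructed, already-normalized findings.  "new" marks findings absent from
# the previous scan, which is the only thing a fast synchronous gate should
# block on if it is not to fail every build on pre-existing debt.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "cwe": 89, "path": "src/app/UserDao.java", "new": True},
    {"id": "F-2", "severity": "high", "cwe": 79, "path": "src/app/Search.java", "new": False},
    {"id": "F-3", "severity": "medium", "cwe": 79, "path": "src/app/Search.java", "new": True},
    {"id": "F-4", "severity": "low", "cwe": 404, "path": "src/app/Report.java", "new": False},
]

# Accepted-risk waivers carry an expiry so an exception cannot outlive the
# decision that granted it (constructed data).
RISK_ACCEPTANCE = {"F-2": date(2019, 12, 31)}

POLICY = {
    # Synchronous: runs in the pipeline, must be quick, blocks only on what
    # must never ship and only on newly introduced findings.
    "synchronous": {"block_on": {"critical"}, "new_only": True},
    # Asynchronous: full scan outside the pipeline; stricter and applied to
    # the whole backlog, with results fed back through reporting.
    "asynchronous": {"block_on": {"critical", "high"}, "new_only": False},
}


def is_waived(finding, today):
    expiry = RISK_ACCEPTANCE.get(finding["id"])
    return expiry is not None and today <= expiry


def evaluate(findings, mode, today_iso):
    """Return the policy decision plus the findings in each bucket, so the
    reporting step can explain why a build was blocked."""
    today = date.fromisoformat(today_iso)
    rules = POLICY[mode]
    blocking, waived, reported = [], [], []
    for f in findings:
        if rules["new_only"] and not f["new"]:
            reported.append(f["id"])
        elif f["severity"] not in rules["block_on"]:
            reported.append(f["id"])
        elif is_waived(f, today):
            waived.append(f["id"])
        else:
            blocking.append(f["id"])
    return {"mode": mode, "pass": not blocking,
            "blocking": blocking, "waived": waived, "reported": reported}


if __name__ == "__main__":
    for mode in POLICY:
        print(evaluate(FINDINGS, mode, "2019-08-22"))
    # Once the waiver on F-2 has expired, the asynchronous policy blocks on it.
    print(evaluate(FINDINGS, "asynchronous", "2020-01-15"))
```

The two modes deliberately disagree: the synchronous gate ignores the pre-existing high finding F-2 because it is not new, while the asynchronous policy sees it, honours the waiver until it expires, and then blocks on it. Every finding lands in exactly one bucket (blocking, waived or reported), which is what makes the Reporting step meaningful rather than a bare pass/fail.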
Coverity and ThreadFix
Together
Connecting To Coverity
Coverity Results in ThreadFix
Coverity Detail
Application and Infrastructure
@denimgroup
www.threadfix.it
www.denimgroup.com
@synopsys
@CoverityScan
www.synopsys.com