Blending Automated and Manual Testing Making Application Vulnerability Management Pay Dividends.

Presentation transcript:

Blending Automated and Manual Testing Making Application Vulnerability Management Pay Dividends

My Background
– Dan Cornell, founder and CTO of Denim Group
– Software developer by background (Java, .NET, etc.)
– OWASP San

My Background
– Steve Springett, Application Security Architect for Axway
– Software developer by background
– Leader of OWASP Dependency-Track
– Contributor to OWASP

Goal: Continuous Security
Prerequisites
– Standardization
– Continuous Integration
– Continuous Delivery
Complements
– Continuous Acceptance

Standardization
– All projects use the same build system
– All projects are built the same way
– Automated onboarding for new projects
– Per-project build expertise not required

[Diagram: Continuous Integration Factory. Input: Source Code (SCM). Outputs: Artifacts, Metrics]

[Diagram: Continuous Delivery Factory. Input: Artifacts. Output: Deliverables]

[Diagram: Continuous Security Factory. Inputs: Source Code (SCM), Deliverables. Output: Security Metrics]

Automated Security Metrics
– Static Analysis Findings
– Dynamic Analysis Findings
– Component Analysis Findings
– Attack Surface Analysis Findings

[Diagram: Continuous Security Pipe, showing SCM, Jenkins CI, the Target Application, ThreadFix, the Defect Tracker and a False Positive feedback path]

ThreadFix: Accelerate Software Remediation
ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.

ThreadFix
– Open Source (MPL) application vulnerability management platform
– Create a consolidated view of your applications and vulnerabilities
– Prioritize application risk decisions based on data
– Translate vulnerabilities to developers in the tools they are already using

ThreadFix Community Edition
– Main ThreadFix website: general information, downloads
– ThreadFix GitHub site: code, issue tracking
– ThreadFix GitHub wiki: project documentation
– ThreadFix Google Group: community support, general discussion

[Diagram: Vulnerability Aggregation from Automated and Manual sources]

Access to Vulnerability Data
Tradeoffs
– The more places the vulnerability data lives, the more likely a compromise
– Withholding information from people who need it makes remediation more challenging

Managing All Vulnerability Data
Manual activities
– Penetration Testing
– Code Reviews
3rd Party Data Sources
– Customer-performed Testing
– External auditor-performed Results

SSVL and Manual Results
– SSVL Data Format:
– SSVL Conversion Tool:

RESTful API to Vulnerability Data
– Custom R&D Monitoring Dashboard
– Custom Dashboards

Key Performance Indicators
Don't go overboard
– Use only what is needed
– Progress and velocity
– Per-team comparison
– Min/max/avg time to close per severity
– By CWE
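The KPIs listed on this slide, computed over a constructed set of aggregated findings (an added example, not ThreadFix code; the Finding fields, team names and dates are assumptions):

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    team: str
    severity: str            # Critical / High / Medium / Low
    cwe: str                 # e.g. "CWE-89"
    opened: date
    closed: Optional[date]   # None while the finding is still open

# Constructed sample data (not ThreadFix output) standing in for findings
# aggregated from static, dynamic, component and manual sources.
FINDINGS = [
    Finding("payments", "Critical", "CWE-89", date(2014, 3, 1), date(2014, 3, 4)),
    Finding("payments", "High", "CWE-79", date(2014, 3, 2), date(2014, 3, 12)),
    Finding("portal", "High", "CWE-79", date(2014, 3, 5), date(2014, 3, 25)),
    Finding("portal", "High", "CWE-352", date(2014, 3, 10), None),
    Finding("portal", "Medium", "CWE-79", date(2014, 2, 1), date(2014, 2, 27)),
]

def days_to_close_by_severity(findings):
    """Min/max/avg days to close per severity, over closed findings only."""
    buckets = defaultdict(list)
    for f in findings:
        if f.closed is not None:
            buckets[f.severity].append((f.closed - f.opened).days)
    return {sev: {"min": min(d), "max": max(d), "avg": mean(d)}
            for sev, d in buckets.items()}

def open_count_by_cwe(findings):
    """How many findings are still open, grouped by CWE."""
    counts = defaultdict(int)
    for f in findings:
        if f.closed is None:
            counts[f.cwe] += 1
    return dict(counts)

def closed_per_team(findings, since):
    """Findings closed on or after `since`, per team: a simple velocity comparison."""
    closed = defaultdict(int)
    for f in findings:
        if f.closed is not None and f.closed >= since:
            closed[f.team] += 1
    return dict(closed)
```

Open findings are excluded from time-to-close so a long-lived open item does not look like a fast closure.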

Lessons Learned
– Always automate static analysis
– Always automate attack surface analysis
– Always automate component analysis
– Always automate dynamic analysis
– Always perform manual dynamic analysis
– Use native tools and workflow for static analysis

Lessons Learned
Provide as much visibility as possible
– Varying degrees of detail
– Multiple delivery vehicles
Set clear pass/fail criteria for Security Bars
– Provide a custom dashboard to give status and advanced warning
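One way to turn a Security Bar into a pass/fail gate with advanced warning, as an added example (not the presenters' code); the age limits, warning window and sample findings are assumed values:

```python
from datetime import date

# Assumed security bar (constructed policy, not from the presentation): the maximum
# number of days a finding of each severity may stay open before the build fails.
SECURITY_BAR = {"Critical": 0, "High": 7, "Medium": 30}
WARNING_WINDOW_DAYS = 7  # raise an advanced warning this many days before a deadline

# Constructed sample of open findings as a dashboard would pull them from an
# aggregation system such as ThreadFix; false positives are already flagged there.
OPEN_FINDINGS = [
    {"id": "F-1", "severity": "High", "opened": date(2014, 3, 1), "false_positive": False},
    {"id": "F-2", "severity": "Medium", "opened": date(2014, 2, 14), "false_positive": False},
    {"id": "F-3", "severity": "Critical", "opened": date(2014, 3, 9), "false_positive": True},
    {"id": "F-4", "severity": "Low", "opened": date(2014, 1, 1), "false_positive": False},
]

def evaluate_security_bar(findings, today, bar=SECURITY_BAR, warn=WARNING_WINDOW_DAYS):
    """Return (status, failures, warnings); status is PASS, WARN or FAIL.
    Flagged false positives are skipped, and severities without a bar entry
    (Low here) are ignored by the gate."""
    failures, warnings = [], []
    for f in findings:
        if f["false_positive"] or f["severity"] not in bar:
            continue
        age = (today - f["opened"]).days
        limit = bar[f["severity"]]
        if age > limit:
            failures.append(f"{f['id']}: {f['severity']} open {age}d, limit {limit}d")
        elif age > limit - warn:
            warnings.append(f"{f['id']}: {f['severity']} open {age}d, fails in {limit - age}d")
    status = "FAIL" if failures else ("WARN" if warnings else "PASS")
    return status, failures, warnings

if __name__ == "__main__":
    status, fails, warns = evaluate_security_bar(OPEN_FINDINGS, date(2014, 3, 10))
    print(status, fails, warns)
```

The WARN state is what feeds the "advanced warning" view: it lists items that will fail the bar within the warning window if nobody acts.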

Additional Advice
Automation is not better than manual
– It's faster and more efficient
– Both are necessary
Don't forget manual assessments
– Threat Modeling
– Secure Design/Architecture and Code Review
– Penetration Testing

Finally
Vulnerabilities in CI / CD / CS Infrastructure
– Threat Model
– Secure Architecture Review
– Patch Management
– Configuration Management
– Key Management
– Always use TLS

Q & A