Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAST is MUST About Me Moni (Moshe) many years in IT totally ignorant of risk posed by code. Checkmarx director of sales for.

Published byShawn Sutton Modified over 8 years ago

Similar presentations

Presentation on theme: "SAST is MUST About Me Moni (Moshe) many years in IT totally ignorant of risk posed by code. Checkmarx director of sales for."— Presentation transcript:

1 SAST is MUST Moni.Stern@checkmarx.com

2 About Me Moni (Moshe) many years in IT totally ignorant of risk posed by code. Checkmarx director of sales for Central Europe. Hold an Engineering degree Technion/ Israel

3 The risk Comparison: Pen, Manual, vs. Automated S-SDLC SAST landscape (Ignorance, $, “tools”, products) Resources Open Source Analysis CxSAST Demo From DevOps to Continuous delivery Agenda

4 Most Vulnerabilities are in Applications Gartner: Application Security Testing of Cloud Services Providers Is a Must NIST: 92% of exploitable vulnerabilities are in software SANS.ORG: Application Vulnerabilities exceed OS Vulnerabilities OWASP: Application Security is no longer a choice Watchfire: 90% of sites are vulnerable to application attacks Symantec: 78% percent of easily exploitable vulnerabilities affected Web applications Cybersecurityventures: 90 % of security incidents result from exploits against defects in software Cybersecurityventures: 90 % of security incidents result from exploits against defects in software 75%-90% of Vulnerabilities Are in Web Apps

5 Risk: SANS 2015 Web Applications Deemed Most Risky

6 Security Layers Applications and data, not the infrastructure, are the main focus of modern cyberattacks. HP Fortify, IBM

7 What is SAST? OWASP Source code analysis (SCA/SAST m.s.) tools are designed to analyze source code and/or compiled version of code in order to help find security flaws. Under the hood: (is a flow from input to sink, sanitized?) CxList db = Find_DB_In() - Find_DAL_DB(); CxList inputs = Find_Interactive_Inputs(); CxList sanitized = Find_SQL_Sanitize(); Sanitized? result = inputs.InfluencingOnAndNotSanitized(db, sanitized, CxList.InfluenceAlgorithmCalculation.NewAlgorithm); =Flow

8 Constant changes +Landscape  No individual SECURITY EXPERT Can track, no manual code review.  Developers busy delivering code (scared of results)  A Product is a MUST, CX has > 120 R&D. 20+ Languages, 80 frameworks20+ Languages, 80 frameworks  Landscape: Lack of awareness Open sources “tools” and manual code review Budget IBM HP CX

9 Singapore Gov. Regulation- MAS TRM MAS TRM FIN MUST SCAN THE CODE Singapore Technology risk management guidelines paragraph 6.3 for SAST vs. Pen Test. AllTechnology risk management guidelines 6.3.1 – “Black-box testing is not an effective tool in identifying or detecting these security threats and weaknesses.” 6.3.2 – “Source code review [SAST] is a methodical examination of the source code of an application with the objective of finding defects that are due to coding errors, poor coding practices or malicious attempts. …designed to identify security vulnerabilities and deficiencies, and mistakes in system design or functionality relating to areas such as control structure, security, input validation, error handling, file update, function parameter verification, before the system is implemented.”security vulnerabilities

10 The risk in unsecure delivery >

11 Question Who has Performed Pen Testing? Who has Performed SAST (SCA)?

12 Appsec Programs Maturity

13 Checkmarx | All Rights Reserved What do you do before project delivery? Issue Pen-Testing Manual Code SAST CoverageLow Low – Requires highly skilled auditors Full DetectionLowLow + 1:6 Client 1:24 Server False NegativeVery highHigh +Very low MitigationDifficult Complex, not optimized Easy Optimized S-SDLC / Dev OpsNo Yes CINo Yes OptimizationNo High Source webapsec.org

14 Checkmarx | All Rights Reserved $80 $240 $960 $7600 Good to start Source: Ponemon Institute: National Institute of Standards and Technology COST OF A SECURITY BUG AT EACH DEVELOPMENT STAGE DevelopmentBuildQA/TestingProduction SA >> QA

15 Traditional SDLC

16 DevOps S-SDLC & Agile dev Developers Build Management Source Repository AuditorsBug Tracking Dashboards Agile Dev. CI =Incremental scan OSA Checkmarx | All Rights Reserved Cont. Delivery

17 Developer perspective

18 Security/ Developer perspective Start Here

19 OSA OPEN SOURCE ANALYSIS Checkmarx | All Rights Reserved Inventory: which open source components are used? Security: which known open source vulnerabilities exist and how to fix them Legal: ensure open-source license usage compliance

20 Security/ Developer perspective You are welcome to request: GameOfHacks a self-guided limited cloud demo Register here as company = EMEARegister here an evaluation copy a full PoC if you plan to purchase 1 free application scan for 1 week through our partners. Cost – discuss with our partners. Meet us at the booth.

Download ppt "SAST is MUST About Me Moni (Moshe) many years in IT totally ignorant of risk posed by code. Checkmarx director of sales for."

Similar presentations

DevOps and Security: It’s Happening. Right Now.

DevOps and Security: It’s Happening. Right Now.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.

Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions.

Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions.
OpenMake Dynamic DevOps

OpenMake Dynamic DevOps
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN121051 Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.

BUILDING A SECURE STANDARD LIBRARY Information Assurance Project I MN Tajuddin hj. Tappe Supervisor Mdm. Rasimah Che Mohd Yusoff ASP.NET TECHNOLOGY.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
DNN LOVES JENKINS FOR CONTINUOUS INTEGRATION

DNN LOVES JENKINS FOR CONTINUOUS INTEGRATION
Security Scanning OWASP Education Nishi Kumar Computer based training

Security Scanning OWASP Education Nishi Kumar Computer based training
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
Accelerating Product and Service Innovation © 2013 IBM Corporation IBM Integrated Solution for System z Development (ISDz) Henk van der Wijk 23 Januari.

Accelerating Product and Service Innovation © 2013 IBM Corporation IBM Integrated Solution for System z Development (ISDz) Henk van der Wijk 23 Januari.

Similar presentations

Ads by Google