Published by Shawn Sutton. Modified over 8 years ago.
Slide 1: SAST is MUST
Moni.Stern@checkmarx.com
Slide 2: About Me
Moni (Moshe): many years in IT, totally ignorant of the risk posed by code. Checkmarx director of sales for Central Europe. Holds an engineering degree from the Technion, Israel.
Slide 3: Agenda
The risk
Comparison: Pen test, manual review vs. automated
S-SDLC
SAST landscape (ignorance, $, “tools”, products)
Resources
Open Source Analysis
CxSAST demo
From DevOps to continuous delivery
Slide 4: Most Vulnerabilities are in Applications
Gartner: Application Security Testing of Cloud Services Providers Is a Must
NIST: 92% of exploitable vulnerabilities are in software
SANS.ORG: Application vulnerabilities exceed OS vulnerabilities
OWASP: Application security is no longer a choice
Watchfire: 90% of sites are vulnerable to application attacks
Symantec: 78% of easily exploitable vulnerabilities affected web applications
Cybersecurityventures: 90% of security incidents result from exploits against defects in software
75%-90% of vulnerabilities are in web apps
Slide 5: Risk. SANS 2015: Web Applications Deemed Most Risky
Slide 6: Security Layers
Applications and data, not the infrastructure, are the main focus of modern cyberattacks. (HP Fortify, IBM)
Slide 7: What is SAST?
OWASP: Source code analysis (SCA/SAST m.s.) tools are designed to analyze source code and/or a compiled version of the code in order to help find security flaws.
Under the hood the question is: is there a flow from an input to a sink, and is it sanitized? In CxQL:
    CxList db = Find_DB_In() - Find_DAL_DB();          // sinks: database calls outside the data-access layer
    CxList inputs = Find_Interactive_Inputs();         // sources: user-controlled inputs
    CxList sanitized = Find_SQL_Sanitize();            // sanitizers
    // Sanitized? A result is an input that influences a sink without passing a sanitizer = flow
    result = inputs.InfluencingOnAndNotSanitized(db, sanitized, CxList.InfluenceAlgorithmCalculation.NewAlgorithm);
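To make the query on this slide concrete, here is an added example that is not Checkmarx code and not CxQL: it implements the same input-to-sink-without-sanitizer check on a constructed toy data-flow graph, where the node labels "input", "sanitizer" and "sink" stand in for the three CxQL sets and the statement texts are assumed for illustration.

```python
from collections import deque

# Constructed toy program (not from the slides): nodes are statements,
# edges are data-flow dependencies. Labels mirror the slide's CxQL sets:
# "input" ~ Find_Interactive_Inputs(), "sanitizer" ~ Find_SQL_Sanitize(),
# "sink" ~ Find_DB_In() - Find_DAL_DB().
NODES = {
    "id = request.param('id')": {"input"},
    "clean = encode_for_sql(id)": {"sanitizer"},
    "q = 'SELECT ... ' + id": set(),
    "db.execute(q)": {"sink"},
    "db.execute_param(clean)": {"sink"},
}
EDGES = {
    "id = request.param('id')": ["clean = encode_for_sql(id)",
                                 "q = 'SELECT ... ' + id"],
    "clean = encode_for_sql(id)": ["db.execute_param(clean)"],
    "q = 'SELECT ... ' + id": ["db.execute(q)"],
}

def unsanitized_flows(nodes, edges):
    """Return every input-to-sink path on which no sanitizer appears.

    This is the InfluencingOnAndNotSanitized idea from the slide: a finding
    is a taint path from an input to a sink that never crosses a sanitizer.
    BFS enumerates whole paths so the trace can be shown to the developer.
    """
    findings = []
    for src, labels in nodes.items():
        if "input" not in labels:
            continue
        queue = deque([[src]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if "sanitizer" in nodes[node]:
                continue  # taint is neutralised here; stop following it
            if "sink" in nodes[node] and node != src:
                findings.append(path)
                continue
            for nxt in edges.get(node, []):
                if nxt not in path:  # guard against cycles
                    queue.append(path + [nxt])
    return findings

if __name__ == "__main__":
    for path in unsanitized_flows(NODES, EDGES):
        print("unsanitized flow: " + " -> ".join(path))
```

The sanitized branch through encode_for_sql is dropped, and only the concatenated query reaching db.execute is reported, which is exactly the flow the CxQL result set would contain.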
Slide 8: Constant changes + Landscape
No individual security expert can keep track of the constant changes, and no manual code review can either. Developers are busy delivering code (and scared of the results). A product is a MUST: CX has > 120 in R&D, covering 20+ languages and 80 frameworks.
Landscape: lack of awareness; open source “tools” and manual code review; budget (IBM, HP, CX).
Slide 9: Singapore Gov. Regulation: MAS TRM
MAS TRM: financial institutions MUST SCAN THE CODE. Singapore Technology Risk Management Guidelines, paragraph 6.3, on SAST vs. pen test:
6.3.1 – “Black-box testing is not an effective tool in identifying or detecting these security threats and weaknesses.”
6.3.2 – “Source code review [SAST] is a methodical examination of the source code of an application with the objective of finding defects that are due to coding errors, poor coding practices or malicious attempts. …designed to identify security vulnerabilities and deficiencies, and mistakes in system design or functionality relating to areas such as control structure, security, input validation, error handling, file update, function parameter verification, before the system is implemented.”
Slide 10: The risk in insecure delivery
Slide 11: Question
Who has performed pen testing? Who has performed SAST (SCA)?
Slide 12: Appsec Programs Maturity
Slide 13: What do you do before project delivery?
Checkmarx | All Rights Reserved
Issue           | Pen-Testing | Manual Code                            | SAST
Coverage        | Low         | Low (requires highly skilled auditors) | Full
Detection       | Low         | Low +                                  | 1:6 client, 1:24 server
False negatives | Very high   | High +                                 | Very low
Mitigation      | Difficult   | Complex, not optimized                 | Easy, optimized
S-SDLC / DevOps | No          |                                        | Yes
CI              | No          |                                        | Yes
Optimization    | No          |                                        | High
Source: webapsec.org
Slide 14: Cost of a security bug at each development stage
Development: $80; Build: $240; QA/Testing: $960; Production: $7600
Source: Ponemon Institute; National Institute of Standards and Technology
Good to start. SA >> QA
Slide 15: Traditional SDLC
Slide 16: DevOps S-SDLC & Agile dev
Developers, Build Management, Source Repository, Auditors, Bug Tracking, Dashboards. Agile Dev. CI = incremental scan. OSA. Cont. Delivery.
Slide 17: Developer perspective
Slide 18: Security/Developer perspective. Start Here
Slide 19: OSA, Open Source Analysis
Inventory: which open source components are used?
Security: which known open source vulnerabilities exist and how to fix them
Legal: ensure open-source license usage compliance
Slide 20: Security/Developer perspective
You are welcome to request: GameOfHacks; a self-guided limited cloud demo (register here as company = EMEA); an evaluation copy (register here); a full PoC if you plan to purchase; 1 free application scan for 1 week through our partners (cost: discuss with our partners). Meet us at the booth.