Developer Workflow in Application Security on Cloud Static Analyzer


1 Developer Workflow in Application Security on Cloud Static Analyzer
6/14/16
Reminder: You must dial in to the phone conference to listen to the panelists. The web cast does not include audio.
USA toll-free: USA toll: Participant passcode: Slides and additional dial-in numbers:
NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.
September 14, 2016

2 Presenters, panelist and moderator
8/15/16
Presenters:
- David Marshak - Senior Product Manager, Application Security
- Jason Todd - Developer Lead for AppScan Security On The Cloud
Panelist: Scott Hurd - AppScan Support Engineer
Moderator: Joe Kiggen - AppScan and SKLA Support Manager

3 Application security challenges
- Compliance: external regulations and internal policy requirements
- Pace: rapid growth in applications, releases and technology
- Resources: small security teams, lots of applications
Questions these raise:
- Which applications pose the biggest business risk?
- How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?
- How do we reduce costs and catch security problems earlier in the lifecycle?
- How do we prioritize the work for the resources I have?
- What do we test and how do we test it?
- How do we staff and improve skills and awareness?
- Where is my business risk?
- How do I set internal policy requirements for application security?
- Is my private / sensitive data exposed by apps?
- How do I check for and demonstrate application compliance?

4 Cost of Security Defects
- Find during Development: $80 / defect
- Find during Build: $240 / defect
- Find during QA/Test: $960 / defect
- Find in Production: $7,600 / defect
- 80% of development costs are spent identifying and correcting defects!
Source: National Institute of Standards and Technology
Cost of a Data Breach
- $7.2M
- 80 days to detect
- More than four months (123 days) to resolve
Source: Ponemon Institute

5 IBM Application Security on Cloud
Dramatically simplifies and improves Application Security Testing
- Easy to Use
- Easy to Understand
- Secure
- Integrates into your Continuous Engineering Processes

6 Quickly Plug Into Your Application Lifecycle
- Streamlined incorporation into existing DevOps / continuous integration frameworks
- Automated: no waiting on manual steps
- Integrates with developer IDEs (Eclipse, Visual Studio)
- Scan daily, weekly
- Plugins simplify setup, e.g. UrbanCode and Maven
- Extend your environment with a robust REST API
Automation drives early detection and reduces cost to fix!

7 IBM Application Security on Cloud – Actionable Results

8 Overview: Application Security on Cloud Feature Summary
Application Security Management
- Build an inventory of application assets; classify and rank applications by business impact; organize scans by application; obtain a security rating for each application; prioritize vulnerabilities and manage their resolution
- View a dashboard to understand application security posture and monitor progress
Dynamic Analyzer
- Dynamic web application security analysis
- Based on AppScan's Dynamic Application Security Testing engine
- Scan pre-production or production web apps hosted on public and private networks
Mobile Analyzer
- Interactive mobile application security analysis
- Supports Android and iOS
Static Analyzer
- Static security testing for applications: Java, .NET, Node.js, PHP, Ruby, JavaScript…
- Simple and accurate capability, based on the AppScan Source engine, with IBM's cognitive Intelligent Findings Analytics
Consulting Services
- IBM Application Security experts help ensure the Client's success with ASoC, from DevOps integration through interpreting scan results
- Perform application scanning and manual application penetration testing for our Clients

9 Static Analyzer Workflow
Existing Build Infrastructure (IDE: Eclipse, IntelliJ, Visual Studio; Maven; UrbanCode plugin or CLI):
- IR Generation ("compile"): the IR Gen Utility builds an IR from the Source App (Java, .NET, PHP, C/C++) or from Artifacts (NodeJS, JavaScript, Ruby)
- Upload: the IR is sent to the Static Analyzer Service
Static Analyzer Service:
- Vulnerability Analysis of the uploaded IR
- Intelligent Findings Analytics
- Findings Report returned to the developer

10 Intelligent Finding Analytics: The problem
- Scan something
- Vulnerability Analysis
- Get Results
- Triage Results (look for needles in the haystack)

11 Intelligent Finding Analytics: The Solution
- Scan something
- Vulnerability Analysis
- Intelligent Finding Analytics (Cognitive Learning, "Security Expert in a Box")
- Get triaged results!

12 Machine learning with Intelligent Findings Analytics*
Applying Cognitive Computing to security vulnerability analysis
Scan results → Intelligent Findings Analytics → Learned results
- Reduce false positives
- Minimize "unlikely attack scenarios"
- Provide fix recommendations that resolve multiple vulnerabilities
Intelligent Findings Analytics:
- Built on Watson Machine Learning
- Trained by IBM Security Experts
- Fully automated review of scan findings
* Patents pending

13 Intelligent Findings Analytics Results
- Meets or exceeds human experts
- Returns results in seconds, rather than hours or days
- 90-95% average reduction in false positives
- Integrates right back into the development workflow
- Fix an average of 8-10 issues in a single place in the code

14 Intelligent Findings Analytics Results (continued)
IFA Example: Real World Applications
Application     Scan Findings   Vulnerabilities   Fix Recommendations
Application 1   55,132          14,050            60
Application 2   12,480          1,057             35
Application 3   247,350         1,271             103

15 Automation Driven Model
Automated Build Environment → Intermediate Representation → Security Results → Developer analyzes security issues
Alert raised by the build: Build exceeds security risk!

16 Developer Driven Model
Developer's IDE Plug-in → Intermediate Representation → Security Results

17 Static Analyzer IDE Plug-in
- Available for Visual Studio, IntelliJ and Eclipse
- Generate IRX and submit Static scans to Bluemix or SCX
- Manage scans and work with detailed results
- Progressive discovery of the most important issues, with guided assistance
- User experience based on fixing issues, not sorting through 1000s of individual findings

18 Demo

19 Static Analyzer Developer IDE Plug-ins
- First, select where you will run scans
- Next, select the plug-ins that you want to install

20 Static Analyzer Developer IDE Plug-ins
- From the context menu in your IDE, select Security Analysis / Run Static Analysis on a project node
- Static Analyzer will run, first generating your IRX file (the "Preparing" step)
- After Preparing, if this is your first run of the tool, you will be prompted for Service credentials

21 Static Analyzer Developer IDE Plug-ins
- After preparing and authenticating to the Service, the scan is submitted and shows up in the Security Scans view
- When the analysis completes on the Service, the Security Scans view is updated with high-level issue information, and an IDE-specific notification alert is presented
- Now you can open the static HTML report or dig into the result details and do some interesting things…

22 Static Analyzer Developer IDE Plug-ins
- Common HTML Report open in your IDE

23 Static Analyzer Developer IDE Plug-ins
- Results viewer in your IDE
- Issues are arranged into "Fix Groups"
- Goal is progressive and guided discovery of issues, allowing you to drill into details with help along the way
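The deck says results are arranged into "Fix Groups" (slide 23), that IFA fix recommendations resolve several findings at one place in the code (slides 12 and 13), and that the automation-driven model flags a build that "exceeds security risk" (slide 15), but it does not show how such grouping or gating is computed. The Python below is an added illustration, not IBM's code and not the IFA algorithm: it assumes each finding carries a data-flow trace as `file:line` locations, groups findings by the location shared by the most of them (a greedy set cover, a deliberate simplification), and applies a constructed per-severity risk policy as a build gate. The findings, file names and thresholds are all constructed sample data.

```python
"""Simplified 'fix group' triage and a build-risk gate for static-analysis findings.

Constructed example: not IBM code and not the Intelligent Findings Analytics
algorithm. Each finding carries a data-flow trace (source -> ... -> sink) as
'file:line' locations; a greedy set cover repeatedly picks the location shared
by the most unresolved findings, so one fix there resolves the whole group.
A policy gate then decides whether the build 'exceeds security risk'.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    id: str
    vuln_type: str        # e.g. "SQL Injection"
    severity: str         # "High", "Medium" or "Low"
    trace: tuple          # 'file:line' locations, source first, sink last


@dataclass
class FixGroup:
    location: str         # the single place where a fix resolves every member
    findings: list = field(default_factory=list)


def _candidate_locations(finding):
    # A location counts once per finding; a finding with no trace can only be
    # grouped by itself, so it gets a synthetic location of its own.
    return set(finding.trace) or {"finding:" + finding.id}


def build_fix_groups(findings):
    """Greedy set cover over trace locations. Ties break on the location name so
    the result is deterministic; the chosen location is the group's fix point."""
    remaining = list(findings)
    groups = []
    while remaining:
        counts = Counter()
        for f in remaining:
            counts.update(_candidate_locations(f))
        best_loc = max(counts, key=lambda loc: (counts[loc], loc))
        covered = [f for f in remaining if best_loc in _candidate_locations(f)]
        groups.append(FixGroup(best_loc, covered))
        remaining = [f for f in remaining if f not in covered]
    return groups


# Constructed policy: maximum open issues allowed per severity before the build
# is flagged. Severities absent from the policy are unlimited.
RISK_POLICY = {"High": 0, "Medium": 5}


def build_exceeds_risk(findings, policy=RISK_POLICY):
    """Return (exceeds, counts_by_severity) for the automation-driven gate."""
    counts = Counter(f.severity for f in findings)
    exceeds = any(counts[sev] > limit for sev, limit in policy.items())
    return exceeds, dict(counts)


# Constructed sample findings, shaped like the traces a static analyzer reports.
SAMPLE_FINDINGS = [
    Finding("F1", "SQL Injection", "High", ("web/login.py:12", "db/query.py:40", "db/query.py:58")),
    Finding("F2", "SQL Injection", "High", ("web/search.py:30", "db/query.py:40", "db/query.py:58")),
    Finding("F3", "SQL Injection", "High", ("api/users.py:77", "db/query.py:40", "db/query.py:58")),
    Finding("F4", "Cross-Site Scripting", "Medium", ("web/search.py:30", "web/render.py:15")),
    Finding("F5", "Cross-Site Scripting", "Medium", ("web/profile.py:22", "web/render.py:15")),
    Finding("F6", "Path Traversal", "Medium", ("api/files.py:9", "util/fs.py:3")),
]


def triage(findings):
    """Findings -> fix groups -> gate decision, as a dict a CI step could log."""
    groups = build_fix_groups(findings)
    exceeds, by_sev = build_exceeds_risk(findings)
    return {
        "findings": len(findings),
        "fix_groups": len(groups),
        "largest_group": max((len(g.findings) for g in groups), default=0),
        "build_exceeds_risk": exceeds,
        "by_severity": by_sev,
    }


if __name__ == "__main__":
    for g in build_fix_groups(SAMPLE_FINDINGS):
        ids = ", ".join(f.id for f in g.findings)
        print(f"fix at {g.location}: resolves {len(g.findings)} issue(s) [{ids}]")
    print(triage(SAMPLE_FINDINGS))
```

On the sample data the six findings collapse into three fix groups: the three SQL injection traces share the `db/query.py:58` sink, the two XSS traces share `web/render.py:15`, and the path traversal stands alone, which is the "fix several issues in one place" effect the slides describe. The gate then fails the build because the constructed policy allows zero open High findings; a CI step would log the `triage()` dict and stop the pipeline on `build_exceeds_risk`.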

24 Static Analyzer Developer IDE Plug-ins
- Help and remediation advice for Fix Groups and Vulnerability Types

25 Static Analyzer Developer IDE Plug-ins
- Drill into the details of a Fix Group…

26 Static Analyzer Developer IDE Plug-ins
- View trace information and link to your source file locations from just about anywhere

27 Questions for the panel
8/16/16
Now is your opportunity to ask questions of our panelists.
To ask a question now:
- Press *1 to ask a question over the phone, or
- Type your question into the IBM Connections Cloud Meeting chat
To ask a question after this presentation: You are encouraged to ask questions at the end of the document:

28 Get started with IBM Security Support
Where do you get more information?
Questions on this or other topics can be directed to the product forum: AppScan Static Analyzer forum.
Videos you can review:
- How to use the IBM Application Security on Cloud service
- User management in IBM Application Security on Cloud
- Demo: Running a Static Analysis from within an IDE with IBM Application Security on Cloud
Useful links:
- Get started with IBM Security Support
- IBM Support Portal | Sign up for "My Notifications"
Follow us:

29 Closing slide with copyright and legal disclaimers.

