SlideShare a Scribd company logo

A Successful SAST Tool Implementation

Checkmarx
Checkmarx

The document discusses implementing a static application security testing (SAST) tool. It recommends starting with a central scanning model where a security team scans code and reports vulnerabilities. Over time, the organization can transition to a full software development lifecycle model where developers use the tool during coding. Key factors for a successful implementation include choosing the right scanning model, training users, and establishing processes for fixing and verifying issues. The document also provides tips on maximizing returns and reducing costs such as licensing the tool granularly and keeping deployment and training short.

1 of 4
Downloaded 28 times
A successful SAST tool implementation By Assaf Pilo – Director of Sales and Marketing, Checkmarx assafp@checkmarx.com, Jan 2012 The development world has come to realize that the way we build applications opens the door to hackers. We are starting to realize that it is the code itself that is enabling the attacks. It’s the responsibility of the development team to build software that is inherently impervious to attack. Catching and dealing with security defects earlier in the development lifecycle is much more economical than dealing with them once the applications have been deployed. Traditionally, the responsibility of security in development had been left to specialists who had their own tools to provide security guidance to development. This approach, while often effective had proved costly, and more importantly, did not easily integrate into a software team’s process. And there were technical problems: Current static analysis tools generated significant false positive results. This further exacerbated the problem by forcing teams to track down problems that do not actually exist. Recently there have been fundamental changes in the static security analysis tool arena. They are usability, efficiency and false positive reporting. These changes address the major issues that developers have shied away from the earlier tools: These next generation tools are designed to integrate with normal software engineering workflows, accurately report on security defects, and suggest techniques for repair that fit the engineer’s development and testing process. These tools, typified by CxEnterprise from Checkmarx, allow static analysis to integrate with the development teams IDEs and allow security analysis to take place as part of their normal iterative design, code, test, and analysis process. Integrating in this manner allows the users to solve real problems, and get smarter in the process. Users gain insight to what secure code looks like, and how to incorporate that knowledge into future activities. Once you have chosen a tool, you will be able to complete comprehensive code audits with minimum effort and fewer resources. In matter of minutes you can now scan for OWASP, SANS, CWE, PCI as well as other standards and regulations and discover security vulnerabilities. A common question among organizations that are considering implementing a SAST tool is how to plan and prepare a smooth implementation and be able to prevail over the expected obstacles. In order to do so, you should be able to answer these questions:  Who should be the SAST tool owner in your organization?  What type of license, and how many are needed for your organization? How should the licenses be distributed among the different roles and development teams?  What resources are necessary in order to deploy the tool, and how long will it take?  Which users should be trained, and what is the appropriate training level for each role?  Scan methodology: o What scan model should be implemented? Central or full SDLC? o Who is responsible for scanning the projects? o Who is responsible for reviewing and fixing results? o How do you verify that the code has been fixed according to the findings? www.checkmarx.com
A successful SAST tool implementation By Assaf Pilo – Director of Sales and Marketing, Checkmarx assafp@checkmarx.com, Jan 2012  Results: o How to avoid an overflow of results? o Classification and prioritization of results (company and specific projects). o Choosing the right scan presets (OWASP, SANS, PCI etc.). o Dealing with “false positives” (are they really false positives?).  How can you increase the ROI and reduce the TCO? There are 2 main scanning models: i. Central Scanning Model – recommended for deployment phase #1 ii. Full SDLC Scanning Model – recommended for deployment phase #2 www.checkmarx.com
A successful SAST tool implementation By Assaf Pilo – Director of Sales and Marketing, Checkmarx assafp@checkmarx.com, Jan 2012 Central Scanning is the best way to begin using a SAST tool. The main effort is in installing the system and training a few selected people, primarily the security team. Productivity is immediate, as the tool will begin producing audit reports soon after the installation is completed. A Central Scanning model can be implemented and used in 2 modes: i. The security engineer centrally scans the projects for all development units. ii. Automated scanning; scheduled scans and/or automated build scans. In a Central Scanning model, developers can review results either by using the tool’s IDE plug-in, client, or different report formats. It should be decided whether the developers receive raw results, or alternatively, after someone has reviewed, prioritized and forwarded a customized report for them. A few key elements are needed for successful central scanning: i. Rapid and effective deployment and training. It should take no longer than 3 days to fully install the system and train a handful of users. ii. Simple installation and connectivity – a SAST server which is IDE indifferent and platform independent, allows scanning different languages without installing and updating the different compilers. All that is needed for scanning is access to the source code repository. iii. Ability to scan non compiled code – allows simple scan setup, without the need to contact and communicate with the developing teams in order to obtain the different project components (DLL’s, JAR’s, libraries etc.). iv. User friendly UI – using the same UI for all the different languages makes life easier, especially if a web UI is used, in which case you do not need to install any client or change your end-users PC image. A web UI also permits the running of the tool from any operating system. v. Building an effective workflow which defines the organization’s security policy, best coding practices, scan schedules, remediation policy and responsibilities. There are different approaches to Central Scanning, but here are some of the recommended basics:  Choose no more than 5-10 applications to scan for the first 2-3 months. You will find it easier to review and discuss the results (you should have plenty on your first scans) with the development teams or projects.  Scan both projects and security issues, from high priority downward: o o  High priority applications  low priority High risk vulnerabilities presets  medium threat  low threat  best coding Train the developers and make sure they are familiar with the scanned vulnerabilities, as well as with the tool and the way results are presented. After you have accumulated some mileage with your SAST tool in the Central Scanning model, it’s time to consider a Full SDLC, getting the development teams more involved in reviewing, and remediating the code. www.checkmarx.com
A successful SAST tool implementation By Assaf Pilo – Director of Sales and Marketing, Checkmarx assafp@checkmarx.com, Jan 2012 The Full SDLC Scanning model clearly shows that your organization has matured and is taking responsibility by practicing secure coding throughout the coding stage. By scanning the code as it is being developed, the organization can expect some major benefits: i. Fixing fewer findings as the code is being developed. Once ready for release, projects will have fewer issues to fix in preparation for production. ii. By providing a SAST tool for developers to use, a steep learning curve is often achieved, as they tend to better understand the vulnerabilities and their causes, as well as how to avoid them in the future. iii. The majority of technical vulnerabilities can be easily detected and fixed during the coding stage. This results in fewer complex and business logic issues for regulatory audits or penetration testing (if practiced). Here are some of the recommended distributed scanning basics:  Train the trainers; power users on each development team. Once they will have the knowledge, they will be able to run scans, review results and provide support to their respective teams.  Train the developers and make sure they are comfortable with the scanned vulnerabilities, as well as with the tool and the way results are presented.  Build a clear process and security policy, so that developers understand what is expected from them; when and what to scan, and what to do with the findings, etc.  Gradually deploy the developers UI’s, adding a few teams at a time. Maximizing the ROI while reducing the TCO is extremely relevant in today’s economy. Some of the factors that should be taken into consideration are: i. Licensing costs – granular licensing model enabling low entry price ii. Infrastructure costs – standard hardware and 3rd party software iii. Deployment and training costs – just a few days to full production iv. Implementation costs – flexible and quick customization process v. Operational costs – less management and administration needed vi. Full SDLC – enablement due to non-required build and support of partial code scanning vii. Tool productivity – large number of scans per month, high precision and effective remediation Checkmarx experts have implemented hundreds of systems around the globe, experiencing a large variety of verticals, companies, development environments and organizational models. We are more than ready to share our experience with you and your company, so that you too can successfully deploy and use our SAST technology and improve your secure coding methodology. www.checkmarx.com
Ad

Recommended

Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
Erik Van Buggenhout
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
Michael Gough
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
Kellep Charles
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdf
PencilData
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
Sasha Nunke
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
OS Security 2009
OS Security 2009OS Security 2009
OS Security 2009
Deborah Obasogie
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
Steppa Cyber Security
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
Checkmarx
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Ad

More Related Content

What's hot (20)

Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
Erik Van Buggenhout
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
Michael Gough
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
Kellep Charles
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdf
PencilData
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
Sasha Nunke
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
OS Security 2009
OS Security 2009OS Security 2009
OS Security 2009
Deborah Obasogie
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
Steppa Cyber Security
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
Erik Van Buggenhout
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
Michael Gough
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
Kellep Charles
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdf
PencilData
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
S Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
Sasha Nunke
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
OS Security 2009
OS Security 2009OS Security 2009
OS Security 2009
Deborah Obasogie
 
SOC Cyber Security
SOC Cyber SecuritySOC Cyber Security
SOC Cyber Security
Steppa Cyber Security
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 

Viewers also liked (12)

DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
Checkmarx
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
DevOpsDays Tel Aviv
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
Checkmarx
 
[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition
ITAS VIETNAM
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
Checkmarx
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
Checkmarx
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
Security Tests as Part of CI - Nir Koren, SAP - DevOpsDays Tel Aviv 2015
DevOpsDays Tel Aviv
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
Checkmarx
 
[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition
ITAS VIETNAM
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
James Wickett
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
Checkmarx
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
Ad

Similar to A Successful SAST Tool Implementation (20)

10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
Checkmarx
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
SecPod Technologies
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
DevSecOps Powerpoint Presentation for Students
DevSecOps Powerpoint Presentation for StudentsDevSecOps Powerpoint Presentation for Students
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
Checkmarx
 
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdfMaximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
JamesEddie2
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Software Development for Startups: Transform Your Ideas into Reality
Software Development for Startups: Transform Your Ideas into RealitySoftware Development for Startups: Transform Your Ideas into Reality
Software Development for Startups: Transform Your Ideas into Reality
Lucy Zeniffer
 
What Skills Do You Gain From A Post Graduate Program In Devops?
What Skills Do You Gain From A Post Graduate Program In Devops?What Skills Do You Gain From A Post Graduate Program In Devops?
What Skills Do You Gain From A Post Graduate Program In Devops?
anilshah77000
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing Partner
HCLSoftware
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
Mohammed Ahmed
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
Enov8
 
Software process methodologies and a comparative study of various models
Software process methodologies and a comparative study of various modelsSoftware process methodologies and a comparative study of various models
Software process methodologies and a comparative study of various models
iaemedu
 
Why Data Security Should Be a Priority in Your Software Development Strategy?
Why Data Security Should Be a Priority in Your Software Development Strategy?Why Data Security Should Be a Priority in Your Software Development Strategy?
Why Data Security Should Be a Priority in Your Software Development Strategy?
Mars Devs
 
safe-software-deployment-how-software-manufacturers-can-ensure-reliability-fo...
safe-software-deployment-how-software-manufacturers-can-ensure-reliability-fo...safe-software-deployment-how-software-manufacturers-can-ensure-reliability-fo...
safe-software-deployment-how-software-manufacturers-can-ensure-reliability-fo...
ICT Frame Magazine Pvt. Ltd.
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt Labs
RedhuntLabs2
 
Software Development Process (SDP).pdf
Software Development Process (SDP).pdfSoftware Development Process (SDP).pdf
Software Development Process (SDP).pdf
SagarBhusal17
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
Checkmarx
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
SecPod Technologies
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
Arun Prabhakar
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
DevSecOps Powerpoint Presentation for Students
DevSecOps Powerpoint Presentation for StudentsDevSecOps Powerpoint Presentation for Students
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
Checkmarx
 
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdfMaximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
Maximizing Potential - Hiring and Managing Dedicated Software Developers.pdf
JamesEddie2
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Software Development for Startups: Transform Your Ideas into Reality
Software Development for Startups: Transform Your Ideas into RealitySoftware Development for Startups: Transform Your Ideas into Reality
Software Development for Startups: Transform Your Ideas into Reality
Lucy Zeniffer
 
What Skills Do You Gain From A Post Graduate Program In Devops?
What Skills Do You Gain From A Post Graduate Program In Devops?What Skills Do You Gain From A Post Graduate Program In Devops?
What Skills Do You Gain From A Post Graduate Program In Devops?
anilshah77000
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing Partner
HCLSoftware
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
Mohammed Ahmed
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
Enov8
 
Software process methodologies and a comparative study of various models
Software process methodologies and a comparative study of various modelsSoftware process methodologies and a comparative study of various models
Software process methodologies and a comparative study of various models
iaemedu
 
Why Data Security Should Be a Priority in Your Software Development Strategy?
Why Data Security Should Be a Priority in Your Software Development Strategy?Why Data Security Should Be a Priority in Your Software Development Strategy?
Why Data Security Should Be a Priority in Your Software Development Strategy?
Mars Devs
 
safe-software-deployment-how-software-manufacturers-can-ensure-reliability-fo...
safe-software-deployment-how-software-manufacturers-can-ensure-reliability-fo...safe-software-deployment-how-software-manufacturers-can-ensure-reliability-fo...
safe-software-deployment-how-software-manufacturers-can-ensure-reliability-fo...
ICT Frame Magazine Pvt. Ltd.
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt Labs
RedhuntLabs2
 
Software Development Process (SDP).pdf
Software Development Process (SDP).pdfSoftware Development Process (SDP).pdf
Software Development Process (SDP).pdf
SagarBhusal17
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
Ad

More from Checkmarx (7)

The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
Checkmarx
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
Checkmarx
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
Checkmarx
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
Checkmarx
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
Checkmarx
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
Checkmarx
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
Checkmarx
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
Checkmarx
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
Checkmarx
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
Checkmarx
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
Checkmarx
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
Checkmarx
 

Recently uploaded (20)

DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingRole of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered Manufacturing
Andrew Leo
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 

A Successful SAST Tool Implementation

  • 1. A successful SAST tool implementation By Assaf Pilo – Director of Sales and Marketing, Checkmarx [email protected], Jan 2012 The development world has come to realize that the way we build applications opens the door to hackers. We are starting to realize that it is the code itself that is enabling the attacks. It’s the responsibility of the development team to build software that is inherently impervious to attack. Catching and dealing with security defects earlier in the development lifecycle is much more economical than dealing with them once the applications have been deployed. Traditionally, the responsibility of security in development had been left to specialists who had their own tools to provide security guidance to development. This approach, while often effective had proved costly, and more importantly, did not easily integrate into a software team’s process. And there were technical problems: Current static analysis tools generated significant false positive results. This further exacerbated the problem by forcing teams to track down problems that do not actually exist. Recently there have been fundamental changes in the static security analysis tool arena. They are usability, efficiency and false positive reporting. These changes address the major issues that developers have shied away from the earlier tools: These next generation tools are designed to integrate with normal software engineering workflows, accurately report on security defects, and suggest techniques for repair that fit the engineer’s development and testing process. These tools, typified by CxEnterprise from Checkmarx, allow static analysis to integrate with the development teams IDEs and allow security analysis to take place as part of their normal iterative design, code, test, and analysis process. Integrating in this manner allows the users to solve real problems, and get smarter in the process. Users gain insight to what secure code looks like, and how to incorporate that knowledge into future activities. Once you have chosen a tool, you will be able to complete comprehensive code audits with minimum effort and fewer resources. In matter of minutes you can now scan for OWASP, SANS, CWE, PCI as well as other standards and regulations and discover security vulnerabilities. A common question among organizations that are considering implementing a SAST tool is how to plan and prepare a smooth implementation and be able to prevail over the expected obstacles. In order to do so, you should be able to answer these questions:  Who should be the SAST tool owner in your organization?  What type of license, and how many are needed for your organization? How should the licenses be distributed among the different roles and development teams?  What resources are necessary in order to deploy the tool, and how long will it take?  Which users should be trained, and what is the appropriate training level for each role?  Scan methodology: o What scan model should be implemented? Central or full SDLC? o Who is responsible for scanning the projects? o Who is responsible for reviewing and fixing results? o How do you verify that the code has been fixed according to the findings? www.checkmarx.com
  • 2. A successful SAST tool implementation By Assaf Pilo – Director of Sales and Marketing, Checkmarx [email protected], Jan 2012  Results: o How to avoid an overflow of results? o Classification and prioritization of results (company and specific projects). o Choosing the right scan presets (OWASP, SANS, PCI etc.). o Dealing with “false positives” (are they really false positives?).  How can you increase the ROI and reduce the TCO? There are 2 main scanning models: i. Central Scanning Model – recommended for deployment phase #1 ii. Full SDLC Scanning Model – recommended for deployment phase #2 www.checkmarx.com
  • 3. A successful SAST tool implementation By Assaf Pilo – Director of Sales and Marketing, Checkmarx [email protected], Jan 2012 Central Scanning is the best way to begin using a SAST tool. The main effort is in installing the system and training a few selected people, primarily the security team. Productivity is immediate, as the tool will begin producing audit reports soon after the installation is completed. A Central Scanning model can be implemented and used in 2 modes: i. The security engineer centrally scans the projects for all development units. ii. Automated scanning; scheduled scans and/or automated build scans. In a Central Scanning model, developers can review results either by using the tool’s IDE plug-in, client, or different report formats. It should be decided whether the developers receive raw results, or alternatively, after someone has reviewed, prioritized and forwarded a customized report for them. A few key elements are needed for successful central scanning: i. Rapid and effective deployment and training. It should take no longer than 3 days to fully install the system and train a handful of users. ii. Simple installation and connectivity – a SAST server which is IDE indifferent and platform independent, allows scanning different languages without installing and updating the different compilers. All that is needed for scanning is access to the source code repository. iii. Ability to scan non compiled code – allows simple scan setup, without the need to contact and communicate with the developing teams in order to obtain the different project components (DLL’s, JAR’s, libraries etc.). iv. User friendly UI – using the same UI for all the different languages makes life easier, especially if a web UI is used, in which case you do not need to install any client or change your end-users PC image. A web UI also permits the running of the tool from any operating system. v. Building an effective workflow which defines the organization’s security policy, best coding practices, scan schedules, remediation policy and responsibilities. There are different approaches to Central Scanning, but here are some of the recommended basics:  Choose no more than 5-10 applications to scan for the first 2-3 months. You will find it easier to review and discuss the results (you should have plenty on your first scans) with the development teams or projects.  Scan both projects and security issues, from high priority downward: o o  High priority applications  low priority High risk vulnerabilities presets  medium threat  low threat  best coding Train the developers and make sure they are familiar with the scanned vulnerabilities, as well as with the tool and the way results are presented. After you have accumulated some mileage with your SAST tool in the Central Scanning model, it’s time to consider a Full SDLC, getting the development teams more involved in reviewing, and remediating the code. www.checkmarx.com
  • 4. A successful SAST tool implementation By Assaf Pilo – Director of Sales and Marketing, Checkmarx [email protected], Jan 2012 The Full SDLC Scanning model clearly shows that your organization has matured and is taking responsibility by practicing secure coding throughout the coding stage. By scanning the code as it is being developed, the organization can expect some major benefits: i. Fixing fewer findings as the code is being developed. Once ready for release, projects will have fewer issues to fix in preparation for production. ii. By providing a SAST tool for developers to use, a steep learning curve is often achieved, as they tend to better understand the vulnerabilities and their causes, as well as how to avoid them in the future. iii. The majority of technical vulnerabilities can be easily detected and fixed during the coding stage. This results in fewer complex and business logic issues for regulatory audits or penetration testing (if practiced). Here are some of the recommended distributed scanning basics:  Train the trainers; power users on each development team. Once they will have the knowledge, they will be able to run scans, review results and provide support to their respective teams.  Train the developers and make sure they are comfortable with the scanned vulnerabilities, as well as with the tool and the way results are presented.  Build a clear process and security policy, so that developers understand what is expected from them; when and what to scan, and what to do with the findings, etc.  Gradually deploy the developers UI’s, adding a few teams at a time. Maximizing the ROI while reducing the TCO is extremely relevant in today’s economy. Some of the factors that should be taken into consideration are: i. Licensing costs – granular licensing model enabling low entry price ii. Infrastructure costs – standard hardware and 3rd party software iii. Deployment and training costs – just a few days to full production iv. Implementation costs – flexible and quick customization process v. Operational costs – less management and administration needed vi. Full SDLC – enablement due to non-required build and support of partial code scanning vii. Tool productivity – large number of scans per month, high precision and effective remediation Checkmarx experts have implemented hundreds of systems around the globe, experiencing a large variety of verticals, companies, development environments and organizational models. We are more than ready to share our experience with you and your company, so that you too can successfully deploy and use our SAST technology and improve your secure coding methodology. www.checkmarx.com