SlideShare a Scribd company logo

Bridging the Security Testing Gap in Your CI/CD Pipeline

DevOps.com
DevOps.com

Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can: Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities. Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence. Fully automate secure app delivery and deployment, without the need for extra security scans or processes. Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.

1 of 28
Downloaded 36 times
© 2019 Synopsys, Inc.1 Bridging the security testing gap in CI/CD pipeline Kimm Yeo and Asma Zubair SIG Product Marketing and Management
© 2019 Synopsys, Inc.2 Agenda Market trends and challenges App security gap in CI/CD and IAST Introducing Seeker IAST Seeker demonstration Q & A
© 2019 Synopsys, Inc.3 The pace of digital transformation today Source: Accenture 2019 executive technology vision study 94%enterprises have accelerated or significantly accelerated pace of innovations1 Sources: 1. Accenture 2019 report (link) 2. 451 DevSecOps research report2
© 2019 Synopsys, Inc.4 What’s next? Accenture 2019 executive vision: One of the top five trends for next three years Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Importance of cybersecurity One of top 5 trends for next 3years source: Accenture 2019 Technology Vision survey with over 6k business and IT execs Source: Accenture 2019 tech vision report (link)
© 2019 Synopsys, Inc.5 The pace of digital transformation today Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs With digital transformation becoming an even playing field, new challenges arised
© 2019 Synopsys, Inc.6 Current state of cybersecurity State of software security in financial services 2 62% Do not have necessary cybersecurity skills2 Only 23% Perform security assessment of third party directly 2 74% Concern with software and systems supplied by third party2 76% Difficulty with vulnerability detection in software systems before release2 11B records breached 1 (and still counting...) Sources: 1. Privacy rights data breaches (link) 2. Ponemon state of security in financial services industry report2
© 2019 Synopsys, Inc.7 Third party penetration testing Fuzz testing Softw are com position analysisD ynam ic analysis Static analysis 57% 31% 61% 59% 51% Source: 451 DevSecOps Research Application security tools in CI/CD workflows Question: What are the critical app sec testing tools to add to CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
© 2019 Synopsys, Inc.8 Application security gap in SDLC Code development Code commit Build Test Deploy Production Release SCA, SAST, (Deeper level) Lightweight IDE SAST tools Monitoring Pen testing Red Teaming TM, SAST Manual code review DAST Fuzz testing Pen testing Load/Performance test Hardening checks How do you take siloed, disparate development, operations and security processes and transform to an integrated tool chain?
© 2019 Synopsys, Inc.9 35% 36% 46% 48% 56% 61% Compliance Developer resistance False positives Security testing slows things down Inconsistent approach Lack of automated, integrated security testing tools Source: 451 DevSecOps Research, 2018 Security testing challenges in CI/CD workflows What are the most significant app security testing challenges inherent in CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
© 2019 Synopsys, Inc.10 The challenges of building security into modern application development and delivery How do we integrate and automate dynamic security testing into our CI/CD? How do we minimize the effort for developers to find and fix vulnerabilities? Sec How do we maximize application security AND development velocity? How do we identify and prioritize the most severe vulnerabilities?
© 2019 Synopsys, Inc.11 Interactive Application Security Testing (IAST)
© 2019 Synopsys, Inc.12 Continuous security testing with IAST Code development Code commit Build Test Deploy Production Release Functional Non- FunctionalSCA, SAST, (Deeper level) IAST (Continuous run-time text) Lightweight IDE SAST tools DAST Fuzz testing Pen testing Load/Performance test Hardening checks Monitoring Pen testing Red Teaming IAST (Continuous runtime security test) TM, SAST Manual code review
© 2019 Synopsys, Inc.13 IAST runtime testing & analysis • Analysis of code execution using runtime monitors • Visibility into executed code and runtime data, such as: • HTTP Requests – End to End • Parameter Propagation • HTTP Response Writing • Database Calls • Database Responses • File System Calls (& Content) • String Manipulations • Memory (Like Debugger “Watch”) • Usage of 3rd Party Libraries • Web Services Calls • On-the-fly Code Generation • More… …
© 2019 Synopsys, Inc.14 Comparison of SAST, IAST, and DAST SAST IAST DAST Typically used in Development Integration and QA QA or production Usually requires Source code Functional app and test suite Functional app Integrates in CI/CD Yes Yes No, not really Capabilities • Finds vulnerabilities earliest in the SDLC • Gives fast line of code insights • Finds vulnerabilities during functional test (no scans required) • Gives runtime and line of code insights in real time • Finds vulnerabilities w/o source code or test suite • Requires expertise and time to triage and prioritize findings
© 2019 Synopsys, Inc.15 Introducing Seeker IAST
© 2019 Synopsys, Inc.16 Seeker Seeker is our interactive application security testing tool – Performs run time security testing Seeker performs security testing on: – Web apps – Web APIs, or services – Mobile application back-end (where a mobile app’s critical functionality resides) – Detects vulnerabilities in custom code as well as 3rd party code Applications can be: – on-premises, in the cloud, containerized Seeker detects – Injection flaws – Security misconfigurations – Sensitive data leakage – and many more types of vulnerabilities
© 2019 Synopsys, Inc.17 Seeker - Automated security testing made easy • Automatically verifies vulnerabilities • Creates specific Jira tickets for developers • Instant notification to developers via slack or email Automated Verification Easy for Development • ANY functional test becomes a security test • Continuous security testing with results in real time Automated Testing Easy for QA • Deploy and run via CI/CD • Compatible with existing automation tools • On-premises and cloud- based apps Automated Deployment Easy for DevOps
© 2019 Synopsys, Inc.18 http://... How Seeker works Your Application Seeker Enterprise Server vulnerabilities 2 3 1 Application receives HTTP request. Agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof. 2 3 1 Seeker Agent
© 2019 Synopsys, Inc.19 Seeker integrates seamlessly into the DevOps toolchain Connect directly to Jira and your CI/CD tools with APIs and integrations testcode operatebuild deploy Developer commits the code Functional testing done Build pass/fail decision (based on testing status) App and Seeker are deployed in test environment The build is made Vulnerabilities pushed in
© 2019 Synopsys, Inc.20 Active verification provides accurate and real time results Patented active verification engine minimizes false positives • Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited • Quickly processes hundreds of thousands of HTTP(S) requests • Provides risk-prioritized list of verified vulnerabilities to fix immediately
© 2019 Synopsys, Inc.21 Configurable sensitive data tracking • Define parameters and patterns to identify sensitive data in your application • Track exposure and leakage through URLs, logs, UI, DB, etc. • Verify compliance with standards including PCI, HIPAA, and GDPR Verify security and data protection compliance by tracking leakage of any type of sensitive data
© 2019 Synopsys, Inc.22 Integrated eLearning • Seeker is now integrated with Synopsys eLearning. – Requires eLearning account/contract • Contextual online training helps developers understand and remediate vulnerabilities.
© 2019 Synopsys, Inc.23 Insight into third party, open source use and risks • Get visibility into supply chain risks • Comprehensive bill of materials • Vulnerable components • Risk-ranked vulnerabilities • Open source licenses Integrated Binary Software Composition Analysis identifies vulnerable components used in code
© 2019 Synopsys, Inc.24 Seeker In Action Demonstration
© 2019 Synopsys, Inc.25 Why Seeker ? Designed for seamless integration • Easy to automate or integrate into CI/CD pipeline • Easy to deploy and configure • Optimized for security, development and DevOps teams Privacy and compliance • Only AST tools with complete sensitive data tracking • Provide results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC • Integrated Binary Software Composition Analysis for OSS dependencies Developer empowerment • Accurate findings with real-time verification to help prioritize remediation • Integrated eLearning gives developers contextual learning on the job • Instant alert (slack, email, webhooks) and remediation advice Designed for scale • Support large-scale, modern app deployments • Framework agnostic with broad language coverage • Comprehensive checkers
© 2019 Synopsys, Inc.26 Seeker helps organizations with their application security testing needs No security testing in place • Seeker is perfect as a starting tool for automated security testing • Security expertise not needed Ad-hoc security testing Start using Seeker during functional testing to find vulnerabilities early and cut down on pen-testing resources/cost Ready to integrate security in CI/CD Integrate Seeker in CI/CD pipeline and automatically fail the build if critical security vulnerabilities are detected Regardless of their maturity in application security risk management process
© 2019 Synopsys, Inc.27 Q & A
Thank You Follow us on twitter : @zubaira, @kimm_yeo
Ad

Recommended

Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
Gitlab ci-cd
Gitlab ci-cdGitlab ci-cd
Gitlab ci-cd
Dan MAGIER
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
Sonarqube
SonarqubeSonarqube
Sonarqube
Peerapat Asoktummarungsri
 
Introduction to CI/CD
Introduction to CI/CDIntroduction to CI/CD
Introduction to CI/CD
Steve Mactaggart
 
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
Edureka!
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
BATbern
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Julien Maitrehenry
 
"DevOps > CI+CD "
"DevOps > CI+CD ""DevOps > CI+CD "
"DevOps > CI+CD "
Innovation Roots
 
Getting started with Site Reliability Engineering (SRE)
Getting started with Site Reliability Engineering (SRE)Getting started with Site Reliability Engineering (SRE)
Getting started with Site Reliability Engineering (SRE)
Abeer R
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
DevOps.com
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Spv Reddy
 
Track code quality with SonarQube
Track code quality with SonarQubeTrack code quality with SonarQube
Track code quality with SonarQube
Dmytro Patserkovskyi
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
Sonatype
 
SRE 101
SRE 101SRE 101
SRE 101
Diego Pacheco
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
Ad

More Related Content

What's hot (20)

DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
Sonarqube
SonarqubeSonarqube
Sonarqube
Peerapat Asoktummarungsri
 
Introduction to CI/CD
Introduction to CI/CDIntroduction to CI/CD
Introduction to CI/CD
Steve Mactaggart
 
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
Edureka!
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
BATbern
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Julien Maitrehenry
 
"DevOps > CI+CD "
"DevOps > CI+CD ""DevOps > CI+CD "
"DevOps > CI+CD "
Innovation Roots
 
Getting started with Site Reliability Engineering (SRE)
Getting started with Site Reliability Engineering (SRE)Getting started with Site Reliability Engineering (SRE)
Getting started with Site Reliability Engineering (SRE)
Abeer R
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
DevOps.com
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Spv Reddy
 
Track code quality with SonarQube
Track code quality with SonarQubeTrack code quality with SonarQube
Track code quality with SonarQube
Dmytro Patserkovskyi
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
Sonatype
 
SRE 101
SRE 101SRE 101
SRE 101
Diego Pacheco
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
Sonarqube
SonarqubeSonarqube
Sonarqube
Peerapat Asoktummarungsri
 
Introduction to CI/CD
Introduction to CI/CDIntroduction to CI/CD
Introduction to CI/CD
Steve Mactaggart
 
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
CI CD Pipeline Using Jenkins | Continuous Integration and Deployment | DevOps...
Edureka!
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
BATbern
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Julien Maitrehenry
 
"DevOps > CI+CD "
"DevOps > CI+CD ""DevOps > CI+CD "
"DevOps > CI+CD "
Innovation Roots
 
Getting started with Site Reliability Engineering (SRE)
Getting started with Site Reliability Engineering (SRE)Getting started with Site Reliability Engineering (SRE)
Getting started with Site Reliability Engineering (SRE)
Abeer R
 
Shift Left Security - The What, Why and How
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
DevOps.com
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Spv Reddy
 
Track code quality with SonarQube
Track code quality with SonarQubeTrack code quality with SonarQube
Track code quality with SonarQube
Dmytro Patserkovskyi
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
Sonatype
 
SRE 101
SRE 101SRE 101
SRE 101
Diego Pacheco
 

Similar to Bridging the Security Testing Gap in Your CI/CD Pipeline (20)

Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
Synopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
Denim Group
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Software Integrity Group
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing Partner
HCLSoftware
 
Automate and Enhance Application Security Analysis
Automate and Enhance Application Security AnalysisAutomate and Enhance Application Security Analysis
Automate and Enhance Application Security Analysis
Carlos Andrés García
 
Automate and Enhance Application Security Analysis
Automate and Enhance Application Security AnalysisAutomate and Enhance Application Security Analysis
Automate and Enhance Application Security Analysis
VMware Tanzu
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Denim Group
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Synopsys Software Integrity Group
 
Security that Scales with Cloud Native Development
Security that Scales with Cloud Native DevelopmentSecurity that Scales with Cloud Native Development
Security that Scales with Cloud Native Development
Panoptica
 
DevSecOps Powerpoint Presentation for Students
DevSecOps Powerpoint Presentation for StudentsDevSecOps Powerpoint Presentation for Students
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
Synopsys Software Integrity Group
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
Denim Group
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Software Integrity Group
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing Partner
HCLSoftware
 
Automate and Enhance Application Security Analysis
Automate and Enhance Application Security AnalysisAutomate and Enhance Application Security Analysis
Automate and Enhance Application Security Analysis
Carlos Andrés García
 
Automate and Enhance Application Security Analysis
Automate and Enhance Application Security AnalysisAutomate and Enhance Application Security Analysis
Automate and Enhance Application Security Analysis
VMware Tanzu
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Denim Group
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Synopsys Software Integrity Group
 
Security that Scales with Cloud Native Development
Security that Scales with Cloud Native DevelopmentSecurity that Scales with Cloud Native Development
Security that Scales with Cloud Native Development
Panoptica
 
DevSecOps Powerpoint Presentation for Students
DevSecOps Powerpoint Presentation for StudentsDevSecOps Powerpoint Presentation for Students
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
Ad

More from DevOps.com (20)

Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the Cloud
DevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware Resolution
DevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident Response
DevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with Datadog
DevOps.com
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid final
DevOps.com
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call Culture
DevOps.com
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021
DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift Environments
DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 
Modernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source SoftwareModernizing on IBM Z Made Easier With Open Source Software
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and SnykNext Generation Vulnerability Assessment Using Datadog and Snyk
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
Vulnerability Discovery in the Cloud
Vulnerability Discovery in the CloudVulnerability Discovery in the Cloud
Vulnerability Discovery in the Cloud
DevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions2021 Open Source Governance: Top Ten Trends and Predictions
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
A New Year’s Ransomware Resolution
A New Year’s Ransomware ResolutionA New Year’s Ransomware Resolution
A New Year’s Ransomware Resolution
DevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
Don't Panic! Effective Incident Response
Don't Panic! Effective Incident ResponseDon't Panic! Effective Incident Response
Don't Panic! Effective Incident Response
DevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's CultureCreating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with TeleportRole Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
Monitoring Serverless Applications with Datadog
Monitoring Serverless Applications with DatadogMonitoring Serverless Applications with Datadog
Monitoring Serverless Applications with Datadog
DevOps.com
 
Deliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or PrivatelyDeliver your App Anywhere … Publicly or Privately
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
Securing medical apps in the age of covid final
Securing medical apps in the age of covid finalSecuring medical apps in the age of covid final
Securing medical apps in the age of covid final
DevOps.com
 
How to Build a Healthy On-Call Culture
How to Build a Healthy On-Call CultureHow to Build a Healthy On-Call Culture
How to Build a Healthy On-Call Culture
DevOps.com
 
The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021The Evolving Role of the Developer in 2021
The Evolving Role of the Developer in 2021
DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?Service Mesh: Two Big Words But Do You Need It?
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
Secure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift EnvironmentsSecure Data Sharing in OpenShift Environments
Secure Data Sharing in OpenShift Environments
DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 
Ad

Recently uploaded (20)

Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 

Bridging the Security Testing Gap in Your CI/CD Pipeline

  • 1. © 2019 Synopsys, Inc.1 Bridging the security testing gap in CI/CD pipeline Kimm Yeo and Asma Zubair SIG Product Marketing and Management
  • 2. © 2019 Synopsys, Inc.2 Agenda Market trends and challenges App security gap in CI/CD and IAST Introducing Seeker IAST Seeker demonstration Q & A
  • 3. © 2019 Synopsys, Inc.3 The pace of digital transformation today Source: Accenture 2019 executive technology vision study 94%enterprises have accelerated or significantly accelerated pace of innovations1 Sources: 1. Accenture 2019 report (link) 2. 451 DevSecOps research report2
  • 4. © 2019 Synopsys, Inc.4 What’s next? Accenture 2019 executive vision: One of the top five trends for next three years Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Importance of cybersecurity One of top 5 trends for next 3years source: Accenture 2019 Technology Vision survey with over 6k business and IT execs Source: Accenture 2019 tech vision report (link)
  • 5. © 2019 Synopsys, Inc.5 The pace of digital transformation today Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs With digital transformation becoming an even playing field, new challenges arised
  • 6. © 2019 Synopsys, Inc.6 Current state of cybersecurity State of software security in financial services 2 62% Do not have necessary cybersecurity skills2 Only 23% Perform security assessment of third party directly 2 74% Concern with software and systems supplied by third party2 76% Difficulty with vulnerability detection in software systems before release2 11B records breached 1 (and still counting...) Sources: 1. Privacy rights data breaches (link) 2. Ponemon state of security in financial services industry report2
  • 7. © 2019 Synopsys, Inc.7 Third party penetration testing Fuzz testing Softw are com position analysisD ynam ic analysis Static analysis 57% 31% 61% 59% 51% Source: 451 DevSecOps Research Application security tools in CI/CD workflows Question: What are the critical app sec testing tools to add to CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
  • 8. © 2019 Synopsys, Inc.8 Application security gap in SDLC Code development Code commit Build Test Deploy Production Release SCA, SAST, (Deeper level) Lightweight IDE SAST tools Monitoring Pen testing Red Teaming TM, SAST Manual code review DAST Fuzz testing Pen testing Load/Performance test Hardening checks How do you take siloed, disparate development, operations and security processes and transform to an integrated tool chain?
  • 9. © 2019 Synopsys, Inc.9 35% 36% 46% 48% 56% 61% Compliance Developer resistance False positives Security testing slows things down Inconsistent approach Lack of automated, integrated security testing tools Source: 451 DevSecOps Research, 2018 Security testing challenges in CI/CD workflows What are the most significant app security testing challenges inherent in CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
  • 10. © 2019 Synopsys, Inc.10 The challenges of building security into modern application development and delivery How do we integrate and automate dynamic security testing into our CI/CD? How do we minimize the effort for developers to find and fix vulnerabilities? Sec How do we maximize application security AND development velocity? How do we identify and prioritize the most severe vulnerabilities?
  • 11. © 2019 Synopsys, Inc.11 Interactive Application Security Testing (IAST)
  • 12. © 2019 Synopsys, Inc.12 Continuous security testing with IAST Code development Code commit Build Test Deploy Production Release Functional Non- FunctionalSCA, SAST, (Deeper level) IAST (Continuous run-time text) Lightweight IDE SAST tools DAST Fuzz testing Pen testing Load/Performance test Hardening checks Monitoring Pen testing Red Teaming IAST (Continuous runtime security test) TM, SAST Manual code review
  • 13. © 2019 Synopsys, Inc.13 IAST runtime testing & analysis • Analysis of code execution using runtime monitors • Visibility into executed code and runtime data, such as: • HTTP Requests – End to End • Parameter Propagation • HTTP Response Writing • Database Calls • Database Responses • File System Calls (& Content) • String Manipulations • Memory (Like Debugger “Watch”) • Usage of 3rd Party Libraries • Web Services Calls • On-the-fly Code Generation • More… …
  • 14. © 2019 Synopsys, Inc.14 Comparison of SAST, IAST, and DAST SAST IAST DAST Typically used in Development Integration and QA QA or production Usually requires Source code Functional app and test suite Functional app Integrates in CI/CD Yes Yes No, not really Capabilities • Finds vulnerabilities earliest in the SDLC • Gives fast line of code insights • Finds vulnerabilities during functional test (no scans required) • Gives runtime and line of code insights in real time • Finds vulnerabilities w/o source code or test suite • Requires expertise and time to triage and prioritize findings
  • 15. © 2019 Synopsys, Inc.15 Introducing Seeker IAST
  • 16. © 2019 Synopsys, Inc.16 Seeker Seeker is our interactive application security testing tool – Performs run time security testing Seeker performs security testing on: – Web apps – Web APIs, or services – Mobile application back-end (where a mobile app’s critical functionality resides) – Detects vulnerabilities in custom code as well as 3rd party code Applications can be: – on-premises, in the cloud, containerized Seeker detects – Injection flaws – Security misconfigurations – Sensitive data leakage – and many more types of vulnerabilities
  • 17. © 2019 Synopsys, Inc.17 Seeker - Automated security testing made easy • Automatically verifies vulnerabilities • Creates specific Jira tickets for developers • Instant notification to developers via slack or email Automated Verification Easy for Development • ANY functional test becomes a security test • Continuous security testing with results in real time Automated Testing Easy for QA • Deploy and run via CI/CD • Compatible with existing automation tools • On-premises and cloud- based apps Automated Deployment Easy for DevOps
  • 18. © 2019 Synopsys, Inc.18 http://... How Seeker works Your Application Seeker Enterprise Server vulnerabilities 2 3 1 Application receives HTTP request. Agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof. 2 3 1 Seeker Agent
  • 19. © 2019 Synopsys, Inc.19 Seeker integrates seamlessly into the DevOps toolchain Connect directly to Jira and your CI/CD tools with APIs and integrations testcode operatebuild deploy Developer commits the code Functional testing done Build pass/fail decision (based on testing status) App and Seeker are deployed in test environment The build is made Vulnerabilities pushed in
  • 20. © 2019 Synopsys, Inc.20 Active verification provides accurate and real time results Patented active verification engine minimizes false positives • Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited • Quickly processes hundreds of thousands of HTTP(S) requests • Provides risk-prioritized list of verified vulnerabilities to fix immediately
  • 21. © 2019 Synopsys, Inc.21 Configurable sensitive data tracking • Define parameters and patterns to identify sensitive data in your application • Track exposure and leakage through URLs, logs, UI, DB, etc. • Verify compliance with standards including PCI, HIPAA, and GDPR Verify security and data protection compliance by tracking leakage of any type of sensitive data
  • 22. © 2019 Synopsys, Inc.22 Integrated eLearning • Seeker is now integrated with Synopsys eLearning. – Requires eLearning account/contract • Contextual online training helps developers understand and remediate vulnerabilities.
  • 23. © 2019 Synopsys, Inc.23 Insight into third party, open source use and risks • Get visibility into supply chain risks • Comprehensive bill of materials • Vulnerable components • Risk-ranked vulnerabilities • Open source licenses Integrated Binary Software Composition Analysis identifies vulnerable components used in code
  • 24. © 2019 Synopsys, Inc.24 Seeker In Action Demonstration
  • 25. © 2019 Synopsys, Inc.25 Why Seeker ? Designed for seamless integration • Easy to automate or integrate into CI/CD pipeline • Easy to deploy and configure • Optimized for security, development and DevOps teams Privacy and compliance • Only AST tools with complete sensitive data tracking • Provide results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC • Integrated Binary Software Composition Analysis for OSS dependencies Developer empowerment • Accurate findings with real-time verification to help prioritize remediation • Integrated eLearning gives developers contextual learning on the job • Instant alert (slack, email, webhooks) and remediation advice Designed for scale • Support large-scale, modern app deployments • Framework agnostic with broad language coverage • Comprehensive checkers
  • 26. © 2019 Synopsys, Inc.26 Seeker helps organizations with their application security testing needs No security testing in place • Seeker is perfect as a starting tool for automated security testing • Security expertise not needed Ad-hoc security testing Start using Seeker during functional testing to find vulnerabilities early and cut down on pen-testing resources/cost Ready to integrate security in CI/CD Integrate Seeker in CI/CD pipeline and automatically fail the build if critical security vulnerabilities are detected Regardless of their maturity in application security risk management process
  • 27. © 2019 Synopsys, Inc.27 Q & A
  • 28. Thank You Follow us on twitter : @zubaira, @kimm_yeo