SlideShare a Scribd company logo

Secure DevOps with ThreadFix 2.3

Denim Group
Denim Group

This webinar looks at the new features included in the upcoming 2.3 release of ThreadFix that help organizations secure their DevOps initiatives. These include greatly expanded Scan Orchestration capabilities to support ThreadFix's use in Continuous Integration/Continuous Development (CI/CD) environments as well as tighter integrations with developer tools to reduce the effort and time required for vulnerability remediation. We will also highlight generous contributions from the ThreadFix community from organizations such as Pearson and Samsung.

1 of 34
Downloaded 23 times
© 2015 Denim Group – All Rights Reserved Secure DevOps with ThreadFix 2.3! ! Dan Cornell! @danielcornell This presentation contains information about DHS-funded research: Topic Number: H-SB013.1-002 - Hybrid Analysis Mapping (HAM) Proposal Number: HSHQDC-13-R-00009-H-SB013.1-002-0003-I
© 2015 Denim Group – All Rights Reserved 2 ThreadFixAccelerate Software Remediation ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
© 2015 Denim Group – All Rights Reserved What Can We Do With ThreadFix? •  Create a consolidated view of your applications and vulnerabilities •  Prioritize application risk decisions based on data •  Translate vulnerabilities to developers in the tools they are already using 3
© 2015 Denim Group – All Rights Reserved Create a consolidated view of your applications and vulnerabilities 4
© 2015 Denim Group – All Rights Reserved Application Portfolio Tracking •  Track multiple “Teams” •  Arbitrary distinction – geography, line of business, common tools and practices •  Track multiple “Applications” per “Team” •  Unit of scanning or testing •  Track Application metadata •  Criticality, hosted URL, source code location •  Reporting can be done at the organization, Team or Application level 5
© 2015 Denim Group – All Rights Reserved Demo: Application Portfolio Tracking 6
© 2015 Denim Group – All Rights Reserved Fill ThreadFix Up With Vulnerability Data •  Manual file upload •  REST API •  https://github.com/denimgroup/threadfix/wiki/Threadfix-REST-Interface •  Command Line Interface (CLI) •  https://github.com/denimgroup/threadfix/wiki/Command-Line-Interface •  JAR can also be used as a Java REST client library •  Jenkins plugin •  Contributed from the ThreadFix community (yeah!) •  https://github.com/automationdomination/threadfix-plugin 7
© 2015 Denim Group – All Rights Reserved What Does ThreadFix Do With Scan Results •  Diff against previous scans with same technology •  What vulnerabilities are new? •  What vulnerabilities went away? •  What vulnerabilities resurfaced? •  Findings marked as false positive are remembered across scans •  Hopefully saving analyst time •  Normalize and merge with other scanners’ findings •  SAST to SAST •  DAST to DAST •  SAST to DAST via Hybrid Analysis Mapping (HAM) 8
© 2015 Denim Group – All Rights Reserved Demo: Vulnerability Merge 9
© 2015 Denim Group – All Rights Reserved Hybrid Analysis Mapping (HAM) •  Initial research funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate via a Phase 1 and (now) Phase 2 Small Business Innovation Research (SBIR) contract •  Acronyms! •  Initial goal: SAST to DAST merging •  Results: That, plus other stuff 10
© 2015 Denim Group – All Rights Reserved Demo: Merging Static and Dynamic Scanner Results 11
© 2015 Denim Group – All Rights Reserved Demo: De-Duplicate Dynamic RESTful Scanner Results 12
© 2015 Denim Group – All Rights Reserved Prioritize application risk decisions based on data 13
© 2015 Denim Group – All Rights Reserved Vulnerability Filtering •  Filter vulnerability data •  Scanner, scanner count •  Vulnerability type •  Path, parameter •  Severity •  Status •  Aging •  Save filters for future use 14
© 2015 Denim Group – All Rights Reserved Demo: Vulnerability Filtering 15
© 2015 Denim Group – All Rights Reserved Reporting •  Trending •  Progress by Vulnerability •  For program benchmarking •  Portfolio Report •  For resource prioritization •  Comparison •  For scanner/technology benchmarking 16
© 2015 Denim Group – All Rights Reserved Demo: Reporting 17
© 2015 Denim Group – All Rights Reserved Translate vulnerabilities to developers in the tools they are already using 18
© 2015 Denim Group – All Rights Reserved Mapping Vulnerabilities to Defects •  1:1 mapping is (usually) a horrible idea –  500 XSS turned into 500 defects? –  If it takes longer to administer the bug than it does to fix the code… •  Cluster like vulnerabilities –  Using the same libraries / functions –  Cut-and-paste remediation code –  Be careful about context-specific encoding •  Combine by severity –  Especially if they are cause for an out-of-cycle release •  Which developer “owns” the code? 19
© 2015 Denim Group – All Rights Reserved Defect Tracker Integration •  Bundle multiple vulnerabilities into a defect •  Using standard filtering criteria •  ThreadFix periodically updates defect status from the tracker 20
© 2015 Denim Group – All Rights Reserved Demo: Defect Tracker Integration 21
© 2015 Denim Group – All Rights Reserved Important Links •  Main ThreadFix website: www.threadfix.org •  General information, downloads •  ThreadFix GitHub site: www.github.com/denimgroup/threadfix •  Code, issue tracking •  ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki •  Project documentation •  ThreadFix Google Group: https://groups.google.com/forum/?fromgroups#!forum/threadfix •  Community support, general discussion 22
© 2015 Denim Group – All Rights Reserved Secure DevOps with ThreadFix •  What does your pipeline look like? http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu http://www.slideshare.net/denimgroup/rsa2015-blending- theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to- speed.html
© 2015 Denim Group – All Rights Reserved Demo: Scheduling a Recurring Scan
© 2015 Denim Group – All Rights Reserved Demo: On Demand Scan Agent Task
© 2015 Denim Group – All Rights Reserved Demo: Kicking off a Scan via Command Line
© 2015 Denim Group – All Rights Reserved Demo: Getting Notified of Policy Violations
© 2015 Denim Group – All Rights Reserved Demo: Jenkins Plugin https://wiki.jenkins-ci.org/display/JENKINS/ThreadFix+Plugin
© 2015 Denim Group – All Rights Reserved Contributor Spotlight
© 2015 Denim Group – All Rights Reserved Pearson Links Aaron Weaver and Matt Tesauro’s presentations at OWASP AppSecEU 2015: •  http://www.denimgroup.com/blog/denim_group/2015/06/threadfix-pearson.html Matt Tesauro: •  Go client library: •  https://github.com/mtesauro/tfclient •  Checkmarx/ThreadFix integration •  https://github.com/mtesauro/tfCheckmarxUpload Adam Parson: •  Python client library: •  https://github.com/aparsons/threadfix_api
© 2015 Denim Group – All Rights Reserved Pearson Notes Many thanks to Pearson for their sponsorship of: •  Defect Tracker Default Credentials •  Deep Linking After Authentication •  Scan Details REST Call •  Scan List REST Call •  Unmapped Findings Data in Scan Upload REST Response •  Full URL in Vulnerability Tree •  Custom CWE Remediation Advice on Defects •  Set CWE Text REST Call, and CWE Text in Vuln Search •  Multi-File Scan Upload •  Multi-File Scan Upload Endpoint •  Scanner-Specific Filters •  Tag REST Calls •  REST Application Update Call •  REST Team Update Call •  AppScan Enterprise Support
© 2015 Denim Group – All Rights Reserved Samsung SSIC Links •  Samsung blog post about their ThreadFix architecture: https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html Many thanks to Samsung SSIC for their donation of: •  Default system for defect submissions •  Scheduled email reports for new vulnerabilities •  Defect description more extensive and flexible with velocity template engine •  Ability to submit defects from vulnerability details page
© 2015 Denim Group – All Rights Reserved I Want to Contribute! •  Great! •  Let us know what you’re interested in •  Sign a contributor agreement •  Contribute! Main Contributor Page: https://github.com/denimgroup/threadfix/wiki/ThreadFix-Development-Community
© 2015 Denim Group – All Rights Reserved Questions / Contact Information Dan Cornell Principal and CTO dan@denimgroup.com Twitter @danielcornell (844) 572-4400 www.denimgroup.com www.threadfix.org 34
Ad

Recommended

The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
Denim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
Denim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
Ad

More Related Content

What's hot (20)

Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
Denim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
Denim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
Denim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Denim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
Denim Group
 
The Magic of Symbiotic Security
The Magic of Symbiotic SecurityThe Magic of Symbiotic Security
The Magic of Symbiotic Security
Denim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Application Assessment Techniques
Application Assessment TechniquesApplication Assessment Techniques
Application Assessment Techniques
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
Denim Group
 

Viewers also liked (10)

Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
Agile AppSec DevOps
Agile AppSec DevOpsAgile AppSec DevOps
Agile AppSec DevOps
Robert Grupe, CSSLP CISSP PE PMP
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
Virtual Forge
 
OPSEC for hackers
OPSEC for hackersOPSEC for hackers
OPSEC for hackers
grugq
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryAchieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Perforce
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Veracode
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Sonatype
 
Application Security Management with ThreadFix
Application Security Management with ThreadFixApplication Security Management with ThreadFix
Application Security Management with ThreadFix
Virtual Forge
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
Denim Group
 
Agile AppSec DevOps
Agile AppSec DevOpsAgile AppSec DevOps
Agile AppSec DevOps
Robert Grupe, CSSLP CISSP PE PMP
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
Virtual Forge
 
OPSEC for hackers
OPSEC for hackersOPSEC for hackers
OPSEC for hackers
grugq
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryAchieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Perforce
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Veracode
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Sonatype
 
Ad

Similar to Secure DevOps with ThreadFix 2.3 (20)

Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
Denim Group
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Découvrez le Rugged DevOps
Découvrez le Rugged DevOpsDécouvrez le Rugged DevOps
Découvrez le Rugged DevOps
Talent Agile @ Avanade
 
Enterprise CI as-a-Service using Jenkins
Enterprise CI as-a-Service using JenkinsEnterprise CI as-a-Service using Jenkins
Enterprise CI as-a-Service using Jenkins
CollabNet
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
Denim Group
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...Create a Unified View of Your Application Security Program – Black Duck Hub a...
Create a Unified View of Your Application Security Program – Black Duck Hub a...
Denim Group
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...Running a Comprehensive Application Security Program with Checkmarx and Threa...
Running a Comprehensive Application Security Program with Checkmarx and Threa...
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Découvrez le Rugged DevOps
Découvrez le Rugged DevOpsDécouvrez le Rugged DevOps
Découvrez le Rugged DevOps
Talent Agile @ Avanade
 
Enterprise CI as-a-Service using Jenkins
Enterprise CI as-a-Service using JenkinsEnterprise CI as-a-Service using Jenkins
Enterprise CI as-a-Service using Jenkins
CollabNet
 
Ad

More from Denim Group (16)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
Denim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
Denim Group
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
Denim Group
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
Denim Group
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
Denim Group
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Denim Group
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
Denim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
Denim Group
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
Denim Group
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
Denim Group
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
Denim Group
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Denim Group
 

Recently uploaded (14)

TAIPAN99 PUSAT GAME AMAN DAN TERGACOR SE ASIA
TAIPAN99 PUSAT GAME AMAN DAN TERGACOR SE ASIATAIPAN99 PUSAT GAME AMAN DAN TERGACOR SE ASIA
TAIPAN99 PUSAT GAME AMAN DAN TERGACOR SE ASIA
TAIPAN 99
 
DEF CON 25 - Whitney-Merrill-and-Terrell-McSweeny-Tick-Tick-Boom-Tech-and-the...
DEF CON 25 - Whitney-Merrill-and-Terrell-McSweeny-Tick-Tick-Boom-Tech-and-the...DEF CON 25 - Whitney-Merrill-and-Terrell-McSweeny-Tick-Tick-Boom-Tech-and-the...
DEF CON 25 - Whitney-Merrill-and-Terrell-McSweeny-Tick-Tick-Boom-Tech-and-the...
werhkr1
 
The Hidden Risks of Hiring Hackers to Change Grades: An Awareness Guide
The Hidden Risks of Hiring Hackers to Change Grades: An Awareness GuideThe Hidden Risks of Hiring Hackers to Change Grades: An Awareness Guide
The Hidden Risks of Hiring Hackers to Change Grades: An Awareness Guide
russellpeter1995
 
Paper: World Game (s) Great Redesign.pdf
Paper: World Game (s) Great Redesign.pdfPaper: World Game (s) Great Redesign.pdf
Paper: World Game (s) Great Redesign.pdf
Steven McGee
 
Save TikTok Video Without Watermark - Tikcd
Save TikTok Video Without Watermark - TikcdSave TikTok Video Without Watermark - Tikcd
Save TikTok Video Without Watermark - Tikcd
Tikcd
 
an overview of information systems .ppt
an overview of information systems .pptan overview of information systems .ppt
an overview of information systems .ppt
DominicWaweru
 
plataforma virtual E learning y sus características.pdf
plataforma virtual E learning y sus características.pdfplataforma virtual E learning y sus características.pdf
plataforma virtual E learning y sus características.pdf
valdiviesovaleriamis
 
Java developer-friendly frontends: Build UIs without the JavaScript hassle- JCON
Java developer-friendly frontends: Build UIs without the JavaScript hassle- JCONJava developer-friendly frontends: Build UIs without the JavaScript hassle- JCON
Java developer-friendly frontends: Build UIs without the JavaScript hassle- JCON
Jago de Vreede
 
introduction to html and cssIntroHTML.ppt
introduction to html and cssIntroHTML.pptintroduction to html and cssIntroHTML.ppt
introduction to html and cssIntroHTML.ppt
SherifElGohary7
 
30 Best WooCommerce Plugins to Boost Your Online Store in 2025
30 Best WooCommerce Plugins to Boost Your Online Store in 202530 Best WooCommerce Plugins to Boost Your Online Store in 2025
30 Best WooCommerce Plugins to Boost Your Online Store in 2025
steve198109
 
Big_fat_report_from Kaspersky_IR_Report_2024.pdf
Big_fat_report_from Kaspersky_IR_Report_2024.pdfBig_fat_report_from Kaspersky_IR_Report_2024.pdf
Big_fat_report_from Kaspersky_IR_Report_2024.pdf
avreyjeyson
 
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdfGiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
Giacomo Vacca
 
35 Must-Have WordPress Plugins to Power Your Website in 2025
35 Must-Have WordPress Plugins to Power Your Website in 202535 Must-Have WordPress Plugins to Power Your Website in 2025
35 Must-Have WordPress Plugins to Power Your Website in 2025
steve198109
 
ProjectArtificial Intelligence Good or Evil.pptx
ProjectArtificial Intelligence Good or Evil.pptxProjectArtificial Intelligence Good or Evil.pptx
ProjectArtificial Intelligence Good or Evil.pptx
OlenaKotovska
 
TAIPAN99 PUSAT GAME AMAN DAN TERGACOR SE ASIA
TAIPAN99 PUSAT GAME AMAN DAN TERGACOR SE ASIATAIPAN99 PUSAT GAME AMAN DAN TERGACOR SE ASIA
TAIPAN99 PUSAT GAME AMAN DAN TERGACOR SE ASIA
TAIPAN 99
 
DEF CON 25 - Whitney-Merrill-and-Terrell-McSweeny-Tick-Tick-Boom-Tech-and-the...
DEF CON 25 - Whitney-Merrill-and-Terrell-McSweeny-Tick-Tick-Boom-Tech-and-the...DEF CON 25 - Whitney-Merrill-and-Terrell-McSweeny-Tick-Tick-Boom-Tech-and-the...
DEF CON 25 - Whitney-Merrill-and-Terrell-McSweeny-Tick-Tick-Boom-Tech-and-the...
werhkr1
 
The Hidden Risks of Hiring Hackers to Change Grades: An Awareness Guide
The Hidden Risks of Hiring Hackers to Change Grades: An Awareness GuideThe Hidden Risks of Hiring Hackers to Change Grades: An Awareness Guide
The Hidden Risks of Hiring Hackers to Change Grades: An Awareness Guide
russellpeter1995
 
Paper: World Game (s) Great Redesign.pdf
Paper: World Game (s) Great Redesign.pdfPaper: World Game (s) Great Redesign.pdf
Paper: World Game (s) Great Redesign.pdf
Steven McGee
 
Save TikTok Video Without Watermark - Tikcd
Save TikTok Video Without Watermark - TikcdSave TikTok Video Without Watermark - Tikcd
Save TikTok Video Without Watermark - Tikcd
Tikcd
 
an overview of information systems .ppt
an overview of information systems .pptan overview of information systems .ppt
an overview of information systems .ppt
DominicWaweru
 
plataforma virtual E learning y sus características.pdf
plataforma virtual E learning y sus características.pdfplataforma virtual E learning y sus características.pdf
plataforma virtual E learning y sus características.pdf
valdiviesovaleriamis
 
Java developer-friendly frontends: Build UIs without the JavaScript hassle- JCON
Java developer-friendly frontends: Build UIs without the JavaScript hassle- JCONJava developer-friendly frontends: Build UIs without the JavaScript hassle- JCON
Java developer-friendly frontends: Build UIs without the JavaScript hassle- JCON
Jago de Vreede
 
introduction to html and cssIntroHTML.ppt
introduction to html and cssIntroHTML.pptintroduction to html and cssIntroHTML.ppt
introduction to html and cssIntroHTML.ppt
SherifElGohary7
 
30 Best WooCommerce Plugins to Boost Your Online Store in 2025
30 Best WooCommerce Plugins to Boost Your Online Store in 202530 Best WooCommerce Plugins to Boost Your Online Store in 2025
30 Best WooCommerce Plugins to Boost Your Online Store in 2025
steve198109
 
Big_fat_report_from Kaspersky_IR_Report_2024.pdf
Big_fat_report_from Kaspersky_IR_Report_2024.pdfBig_fat_report_from Kaspersky_IR_Report_2024.pdf
Big_fat_report_from Kaspersky_IR_Report_2024.pdf
avreyjeyson
 
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdfGiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
GiacomoVacca - WebRTC - troubleshooting media negotiation.pdf
Giacomo Vacca
 
35 Must-Have WordPress Plugins to Power Your Website in 2025
35 Must-Have WordPress Plugins to Power Your Website in 202535 Must-Have WordPress Plugins to Power Your Website in 2025
35 Must-Have WordPress Plugins to Power Your Website in 2025
steve198109
 
ProjectArtificial Intelligence Good or Evil.pptx
ProjectArtificial Intelligence Good or Evil.pptxProjectArtificial Intelligence Good or Evil.pptx
ProjectArtificial Intelligence Good or Evil.pptx
OlenaKotovska
 

Secure DevOps with ThreadFix 2.3

  • 1. © 2015 Denim Group – All Rights Reserved Secure DevOps with ThreadFix 2.3! ! Dan Cornell! @danielcornell This presentation contains information about DHS-funded research: Topic Number: H-SB013.1-002 - Hybrid Analysis Mapping (HAM) Proposal Number: HSHQDC-13-R-00009-H-SB013.1-002-0003-I
  • 2. © 2015 Denim Group – All Rights Reserved 2 ThreadFixAccelerate Software Remediation ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
  • 3. © 2015 Denim Group – All Rights Reserved What Can We Do With ThreadFix? •  Create a consolidated view of your applications and vulnerabilities •  Prioritize application risk decisions based on data •  Translate vulnerabilities to developers in the tools they are already using 3
  • 4. © 2015 Denim Group – All Rights Reserved Create a consolidated view of your applications and vulnerabilities 4
  • 5. © 2015 Denim Group – All Rights Reserved Application Portfolio Tracking •  Track multiple “Teams” •  Arbitrary distinction – geography, line of business, common tools and practices •  Track multiple “Applications” per “Team” •  Unit of scanning or testing •  Track Application metadata •  Criticality, hosted URL, source code location •  Reporting can be done at the organization, Team or Application level 5
  • 6. © 2015 Denim Group – All Rights Reserved Demo: Application Portfolio Tracking 6
  • 7. © 2015 Denim Group – All Rights Reserved Fill ThreadFix Up With Vulnerability Data •  Manual file upload •  REST API •  https://github.com/denimgroup/threadfix/wiki/Threadfix-REST-Interface •  Command Line Interface (CLI) •  https://github.com/denimgroup/threadfix/wiki/Command-Line-Interface •  JAR can also be used as a Java REST client library •  Jenkins plugin •  Contributed from the ThreadFix community (yeah!) •  https://github.com/automationdomination/threadfix-plugin 7
  • 8. © 2015 Denim Group – All Rights Reserved What Does ThreadFix Do With Scan Results •  Diff against previous scans with same technology •  What vulnerabilities are new? •  What vulnerabilities went away? •  What vulnerabilities resurfaced? •  Findings marked as false positive are remembered across scans •  Hopefully saving analyst time •  Normalize and merge with other scanners’ findings •  SAST to SAST •  DAST to DAST •  SAST to DAST via Hybrid Analysis Mapping (HAM) 8
  • 9. © 2015 Denim Group – All Rights Reserved Demo: Vulnerability Merge 9
  • 10. © 2015 Denim Group – All Rights Reserved Hybrid Analysis Mapping (HAM) •  Initial research funded by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate via a Phase 1 and (now) Phase 2 Small Business Innovation Research (SBIR) contract •  Acronyms! •  Initial goal: SAST to DAST merging •  Results: That, plus other stuff 10
  • 11. © 2015 Denim Group – All Rights Reserved Demo: Merging Static and Dynamic Scanner Results 11
  • 12. © 2015 Denim Group – All Rights Reserved Demo: De-Duplicate Dynamic RESTful Scanner Results 12
  • 13. © 2015 Denim Group – All Rights Reserved Prioritize application risk decisions based on data 13
  • 14. © 2015 Denim Group – All Rights Reserved Vulnerability Filtering •  Filter vulnerability data •  Scanner, scanner count •  Vulnerability type •  Path, parameter •  Severity •  Status •  Aging •  Save filters for future use 14
  • 15. © 2015 Denim Group – All Rights Reserved Demo: Vulnerability Filtering 15
  • 16. © 2015 Denim Group – All Rights Reserved Reporting •  Trending •  Progress by Vulnerability •  For program benchmarking •  Portfolio Report •  For resource prioritization •  Comparison •  For scanner/technology benchmarking 16
  • 17. © 2015 Denim Group – All Rights Reserved Demo: Reporting 17
  • 18. © 2015 Denim Group – All Rights Reserved Translate vulnerabilities to developers in the tools they are already using 18
  • 19. © 2015 Denim Group – All Rights Reserved Mapping Vulnerabilities to Defects •  1:1 mapping is (usually) a horrible idea –  500 XSS turned into 500 defects? –  If it takes longer to administer the bug than it does to fix the code… •  Cluster like vulnerabilities –  Using the same libraries / functions –  Cut-and-paste remediation code –  Be careful about context-specific encoding •  Combine by severity –  Especially if they are cause for an out-of-cycle release •  Which developer “owns” the code? 19
  • 20. © 2015 Denim Group – All Rights Reserved Defect Tracker Integration •  Bundle multiple vulnerabilities into a defect •  Using standard filtering criteria •  ThreadFix periodically updates defect status from the tracker 20
  • 21. © 2015 Denim Group – All Rights Reserved Demo: Defect Tracker Integration 21
  • 22. © 2015 Denim Group – All Rights Reserved Important Links •  Main ThreadFix website: www.threadfix.org •  General information, downloads •  ThreadFix GitHub site: www.github.com/denimgroup/threadfix •  Code, issue tracking •  ThreadFix GitHub wiki: https://github.com/denimgroup/threadfix/wiki •  Project documentation •  ThreadFix Google Group: https://groups.google.com/forum/?fromgroups#!forum/threadfix •  Community support, general discussion 22
  • 23. © 2015 Denim Group – All Rights Reserved Secure DevOps with ThreadFix •  What does your pipeline look like? http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu http://www.slideshare.net/denimgroup/rsa2015-blending- theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to- speed.html
  • 24. © 2015 Denim Group – All Rights Reserved Demo: Scheduling a Recurring Scan
  • 25. © 2015 Denim Group – All Rights Reserved Demo: On Demand Scan Agent Task
  • 26. © 2015 Denim Group – All Rights Reserved Demo: Kicking off a Scan via Command Line
  • 27. © 2015 Denim Group – All Rights Reserved Demo: Getting Notified of Policy Violations
  • 28. © 2015 Denim Group – All Rights Reserved Demo: Jenkins Plugin https://wiki.jenkins-ci.org/display/JENKINS/ThreadFix+Plugin
  • 29. © 2015 Denim Group – All Rights Reserved Contributor Spotlight
  • 30. © 2015 Denim Group – All Rights Reserved Pearson Links Aaron Weaver and Matt Tesauro’s presentations at OWASP AppSecEU 2015: •  http://www.denimgroup.com/blog/denim_group/2015/06/threadfix-pearson.html Matt Tesauro: •  Go client library: •  https://github.com/mtesauro/tfclient •  Checkmarx/ThreadFix integration •  https://github.com/mtesauro/tfCheckmarxUpload Adam Parson: •  Python client library: •  https://github.com/aparsons/threadfix_api
  • 31. © 2015 Denim Group – All Rights Reserved Pearson Notes Many thanks to Pearson for their sponsorship of: •  Defect Tracker Default Credentials •  Deep Linking After Authentication •  Scan Details REST Call •  Scan List REST Call •  Unmapped Findings Data in Scan Upload REST Response •  Full URL in Vulnerability Tree •  Custom CWE Remediation Advice on Defects •  Set CWE Text REST Call, and CWE Text in Vuln Search •  Multi-File Scan Upload •  Multi-File Scan Upload Endpoint •  Scanner-Specific Filters •  Tag REST Calls •  REST Application Update Call •  REST Team Update Call •  AppScan Enterprise Support
  • 32. © 2015 Denim Group – All Rights Reserved Samsung SSIC Links •  Samsung blog post about their ThreadFix architecture: https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html Many thanks to Samsung SSIC for their donation of: •  Default system for defect submissions •  Scheduled email reports for new vulnerabilities •  Defect description more extensive and flexible with velocity template engine •  Ability to submit defects from vulnerability details page
  • 33. © 2015 Denim Group – All Rights Reserved I Want to Contribute! •  Great! •  Let us know what you’re interested in •  Sign a contributor agreement •  Contribute! Main Contributor Page: https://github.com/denimgroup/threadfix/wiki/ThreadFix-Development-Community
  • 34. © 2015 Denim Group – All Rights Reserved Questions / Contact Information Dan Cornell Principal and CTO [email protected] Twitter @danielcornell (844) 572-4400 www.denimgroup.com www.threadfix.org 34