running a comprehensive application security program with checkmarx and threadfix 

Post on 15-Apr-2017


© 2016 Denim Group – All Rights Reserved

Running a Comprehensive Application Security Program with Checkmarx and ThreadFix

September 15, 2016

Matt Rose, Global Director of Application Security Strategy, Checkmarx

Dan Cornell, CTO, Denim Group

Agenda

• State of Application Security

• Checkmarx Overview

• ThreadFix Overview

• ThreadFix / Checkmarx Integration

Checkmarx Secure SDLC with ThreadFix

Matt Rose – Global Director Application Security Strategy, Checkmarx

Dan Cornell – CTO, Denim Group

WHAT ACTUALLY MATTERS IN APPLICATION SECURITY TESTING?

SECURITY PROFESSIONALS WANT TO TEST, DEVELOPERS WANT TO CODE

Proprietary and Confidential | All Rights Reserved

CHECKMARX MAKES YOUR SDLC A SECURE SDLC

[Diagram: secure SDLC lifecycle with stages Backlog, Design, Develop, Build (self test), Security Gate Scanning and Release Decision; integration points shown are Developer IDE Plugins, Ticketing/Bug Tracking Systems, Build Servers (TFS, Bamboo), source control (SVN, TFS), Scan Automation via CLI and Web Services API, Data Export API, and Trending and Reporting]

The software you sell or develop for your customers needs to be secure. Be proactive and use your application security program as a differentiator. This leads to:

• Fewer vulnerabilities

• Lower costs

• Far more secure applications

• Satisfied customers

BOTTOM LINE

ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using

Create a consolidated view of your applications and vulnerabilities

Application Portfolio Tracking


Easy Checkmarx CxSAST Import


Vulnerability Consolidation

Prioritize application risk decisions based on data

Vulnerability Prioritization


Prioritization with Hotspot


Reporting and Metrics

Translate vulnerabilities to developers in the tools they are already using

Defect Tracker Integration


Questions and Contact

ThreadFix: www.threadfix.it

Checkmarx: www.checkmarx.com