ThreadFix 2.5 Webinar

Posted on 21-Jan-2018

TRANSCRIPT

© 2017 Denim Group – All Rights Reserved

Building a world where technology is trusted.

ThreadFix 2.5
Application Security at DevOps Speed
April 18th, 2017

Dan Cornell, CTO
Kyle Pippin, Product Manager

Agenda

• Application Security and DevOps

• ThreadFix Background

• ThreadFix 2.5 Release

• Coming Up in the 2.5 Series

Application Security and DevOps

DevOps Is Coming

Some Security Teams Will Adapt

(Others Will Not)

Use This Transition to Your Advantage

Move Security to the Left and Get Buy-In

Better Security Insight, More Often

What Does Application Security Want?

• Reduce Risk Exposure

• Introduce Fewer Vulnerabilities

• Find Vulnerabilities Early

• Fix Vulnerabilities Quickly

What Do DevOps Teams Want?

How Do We Make This a Reality?

Application Security Testing in CI/CD Pipelines

AppSec Testing Policies for DevOps

Testing Tradeoffs

Decision-Making Factors

Reporting Recommendations

(Hint: Not With These)

ThreadFix Background

ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using

Create a consolidated view of your applications and vulnerabilities

Application Portfolio Tracking

Vulnerability Consolidation

Prioritize application risk decisions based on data

Vulnerability Prioritization

Prioritization with Hotspot

Reporting and Metrics

Translate vulnerabilities to developers in the tools they are already using

Defect Tracker Integration

ThreadFix 2.5 Release

Secure DevOps with ThreadFix

• What does your pipeline look like?

http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu

http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally

https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html

AppSec Testing for DevOps

• Configuring Testing Policies

• AppSec Testing for DevOps in Action

Policy Configuration

• Testing
  • Synchronous
  • Asynchronous

• Decision

• Reporting

Blog Post: Effective Application Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/

https://www.denimgroup.com/resources/effective-application-security-for-devops/

Testing Configuration

Decision Configuration

Reporting Configuration

Testing in Action

Coming Up in the 2.5 Series

Coming Soon

• Support for more SAST and DAST tools

• “Easy Mode” for CI/CD plugins

Building a world where technology is trusted.

@denimgroup
www.denimgroup.com

www.threadfix.it
