Page 1
© 2017 Denim Group – All Rights Reserved
Elevate Your Application Security Program with BurpSuite Pro and ThreadFix
July 18th, 2017
Dan Cornell, CTO, Denim Group
Dafydd Stuttard, Director, PortSwigger Web Security
Agenda
• BurpSuite Pro Background and Demo
• ThreadFix Background
• BurpSuite Pro and ThreadFix Together
BurpSuite Pro Background and Demo
ThreadFix Background
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Prioritization with Hotspot
Reporting and Metrics
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
BurpSuite Pro and ThreadFix Together
Hybrid Analysis Mapping
• Merge BurpSuite Pro scan results with the results of SAST
• Soon: Better imports of Burp Infiltrator for IAST/HAM-like capabilities
ThreadFix ScanAgent
• Drive BurpSuite Pro automated scanning from ThreadFix
• One-time scans
• Scheduled scans
• CI/CD integration
Secure DevOps with ThreadFix
• What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
AppSec Testing for DevOps
• Configuring Testing Policies
• AppSec Testing for DevOps in Action
Policy Configuration
• Testing
  • Synchronous
  • Asynchronous
• Decision
• Reporting
Blog Post: Effective Application Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
https://www.denimgroup.com/resources/effective-application-security-for-devops/
Testing Configuration
Decision Configuration
Reporting Configuration
Testing in Action
@denimgroup
www.threadfix.it
www.denimgroup.com
@Burp_Suite
www.portswigger.net