elevate your application security program with burp suite and threadfix


© 2017 Denim Group – All Rights Reserved

Elevate Your Application Security Program with BurpSuite Pro and ThreadFix

July 18th, 2017

Dan Cornell, CTO, Denim Group

Dafydd Stuttard, Director, PortSwigger Web Security

Agenda

• BurpSuite Pro Background and Demo
• ThreadFix Background
• BurpSuite Pro and ThreadFix Together

BurpSuite Pro Background and Demo

ThreadFix Background

ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using

Create a consolidated view of your applications and vulnerabilities

Application Portfolio Tracking

Vulnerability Consolidation

Prioritize application risk decisions based on data

Vulnerability Prioritization

Prioritization with Hotspot

Reporting and Metrics

Translate vulnerabilities to developers in the tools they are already using

Defect Tracker Integration

BurpSuite Pro and ThreadFix Together

Hybrid Analysis Mapping

• Merge BurpSuite Pro scan results with the results of SAST
• Soon: Better imports of Burp Infiltrator for IAST/HAM-like capabilities

ThreadFix ScanAgent

• Drive BurpSuite Pro automated scanning from ThreadFix
• One-time scans
• Scheduled scans
• CI/CD integration

Secure DevOps with ThreadFix

• What does your pipeline look like?

http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu

http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally

https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html

AppSec Testing for DevOps

• Configuring Testing Policies

• AppSec Testing for DevOps in Action

Policy Configuration

• Testing
  • Synchronous
  • Asynchronous
• Decision
• Reporting

Blog Post: Effective Application Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/

https://www.denimgroup.com/resources/effective-application-security-for-devops/

Testing Configuration

Decision Configuration

Reporting Configuration

Testing in Action

@denimgroup
www.threadfix.it
www.denimgroup.com

@Burp_Suite
www.portswigger.net