running a comprehensive application security program with checkmarx and threadfix
TRANSCRIPT
© 2016 Denim Group – All Rights Reserved
Running a Comprehensive Application Security Program with Checkmarx and ThreadFix
September 15, 2016
Matt Rose, Global Director of Application Security Strategy, Checkmarx
Dan Cornell, CTO, Denim Group
Agenda
• State of Application Security
• Checkmarx Overview
• ThreadFix Overview
• ThreadFix / Checkmarx Integration
Checkmarx Secure SDLC with ThreadFix
Matt Rose – Global Director Application Security Strategy, Checkmarx
Dan Cornell – CTO, Denim Group
WHAT ACTUALLY MATTERS IN APPLICATION SECURITY TESTING?
SECURITY PROFESSIONALS WANT TO TEST, DEVELOPERS WANT TO CODE
Proprietary and Confidential | All Rights Reserved
CHECKMARX CREATES YOUR SDLC A SECURE SDLC
[Diagram: secure SDLC stages (Backlog, Design, Develop, Build (self test), Security Gate Scanning, Release Decision) with Checkmarx integration points: Developer IDE Plugins, Ticketing/Bug Tracking Systems, Source Control (SVN, TFS), Build Servers (TFS, Bamboo), Scan Automation via CLI and Web Services API, Trending and Reporting, Data Export API]
The software you sell or develop for your customers needs to be secure. Be proactive and use your Application Security program as a differentiator. This leads to:
• Fewer vulnerabilities
• Lower costs
• Far more secure applications
• Satisfied customers
BOTTOM LINE
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Easy Checkmarx CxSAST Import
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Prioritization with Hotspot
Reporting and Metrics
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
Questions and Contact
ThreadFix: www.threadfix.it
Checkmarx: www.checkmarx.com