ThreadFix 2.5 Webinar
TRANSCRIPT
© 2017 Denim Group – All Rights Reserved
Building a world where technology is trusted.
ThreadFix 2.5: Application Security at DevOps Speed
April 18th, 2017
Dan Cornell, CTO
Kyle Pippin, Product Manager
Agenda
• Application Security and DevOps
• ThreadFix Background
• ThreadFix 2.5 Release
• Coming Up in the 2.5 Series
Application Security and DevOps
DevOps Is Coming
Some Security Teams Will Adapt
(Others Will Not)
Use This Transition to Your Advantage
Move Security to the Left and Get Buy-In
Better Security Insight, More Often
What Does Application Security Want?
• Reduce Risk Exposure
• Introduce Fewer Vulnerabilities
• Find Vulnerabilities Early
• Fix Vulnerabilities Quickly
What Do DevOps Teams Want?
How Do We Make This a Reality?
Application Security Testing in CI/CD Pipelines
AppSec Testing Policies for DevOps
Testing Tradeoffs
Decision-Making Factors
Reporting Recommendations
(Hint: Not With These)
ThreadFix Background
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Prioritization with Hotspot
Reporting and Metrics
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
ThreadFix 2.5 Release
Secure DevOps with ThreadFix
• What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
AppSec Testing for DevOps
• Configuring Testing Policies
• AppSec Testing for DevOps in Action
Policy Configuration
• Testing
  • Synchronous
  • Asynchronous
• Decision
• Reporting
Blog Post: Effective Application Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
https://www.denimgroup.com/resources/effective-application-security-for-devops/
Testing Configuration
Decision Configuration
Reporting Configuration
Testing in Action
Coming Up in the 2.5 Series
Coming Soon
• Support for more SAST and DAST tools
• “Easy Mode” for CI/CD plugins
Building a world where technology is trusted.
@denimgroup
www.denimgroup.com
www.threadfix.it