TRANSCRIPT
#MicroFocusCyberSummit
AppSec at High Speed and Scale
Scott Johnson, Fortify GM
Agility, Integration & Automation
Forward Looking Statements: Legal Disclaimer
This document contains forward looking statements regarding future operations, product
development, product capabilities and availability dates. This information is subject to
substantial uncertainties and is subject to change at any time without prior notification.
Statements contained in this document concerning these matters only reflect Micro Focus's
predictions and / or expectations as of the date of this document and actual results and future
plans of Micro Focus may differ significantly as a result of, among other things, changes in
product strategy resulting from technological, internal corporate, market and other changes.
This is not a commitment to deliver any material, code or functionality and should not be relied
upon in making purchasing decisions.
Agenda
AppSec trends
Today’s trend is tomorrow’s challenge
Meeting the challenge, accelerating for tomorrow
Roadmap
AppSec Trends
Tsunami of Apps
1000 applications and counting…
Speed vs Depth
“I want 5 minute scans with no false positives.”
Developer User Story
We have seen the AppSec team AND IT IS YOU! (the developer)
More Code, More Problems …
More code…
More code, more vulns …
More vulns …
More vulns, more risk …
More risk, more pressure!
Solutions and Examples
You need an AppSec pressure relief valve!
Innovation/Roadmap Themes
Integration Automation Agility
On-premise / On Demand
Fortify Ecosystem
Software Security Research
Static Analysis – SCA
Scan and Assess Source Code
Dynamic Analysis – WebInspect
Web Application Vuln Scanning
Runtime Analysis – App Defender
Application Protection & Monitoring
Fortify Integration
JS Sandbox Project
Jenkins Plugin
Bug Tracker Tools
Swagger-supported REST APIs
SSC Parser Sample
Fortify Integration
https://fortify.github.io/
Bamboo Plugin
Fortify Integration
https://marketplace.atlassian.com/plugins/com.fortify.plugins.atlassian.bamboo.sca.bamboo-fortify-sca-plugin/server/overview
VSTS Extension
https://marketplace.visualstudio.com/items?itemName=fortifyvsts.hpe-security-fortify-vsts
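The Jenkins, Bamboo and VSTS integrations listed above exist so that scan results become a build signal rather than a report somebody reads later. As an added example (not Fortify's own code and not part of any of those plugins), the script below pulls an application version's issues from the SSC REST API and fails the build when the open-issue counts exceed a policy. The endpoint path `/api/v1/projectVersions/{id}/issues`, the `FortifyToken` authorization header, and the issue fields `friority`, `issueName`, `primaryLocation`, `lineNumber`, `suppressed` and `hidden` are assumptions; check them against the Swagger-documented REST API of your SSC version. The sample issues embedded in the script are constructed so the gate logic runs offline.

```python
"""Build gate on Fortify SSC scan results.

Added example; not Fortify's code and not one of the CI plugins above.
Assumptions (verify against your SSC version's Swagger-documented API):
  * issues for an application version are read from
    GET /api/v1/projectVersions/{id}/issues?start=N&limit=M
    and the JSON body carries them under "data" with a total in "count"
  * each issue has "friority" (Critical/High/Medium/Low), "issueName",
    "primaryLocation", "lineNumber" and the booleans "suppressed"/"hidden"
  * authentication is a token sent as "Authorization: FortifyToken <token>"
"""
import json
import os
import sys
import urllib.request
from collections import Counter

SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")

# Gate policy: any Critical fails the build; more than five High fail it too.
DEFAULT_THRESHOLDS = {"Critical": 0, "High": 5}

# Constructed sample issues so the gate can be exercised offline;
# they are not real scan output.
SAMPLE_ISSUES = [
    {"issueName": "SQL Injection", "friority": "Critical",
     "primaryLocation": "UserDao.java", "lineNumber": 42,
     "suppressed": False, "hidden": False},
    {"issueName": "Cross-Site Scripting: Reflected", "friority": "High",
     "primaryLocation": "search.jsp", "lineNumber": 17,
     "suppressed": False, "hidden": False},
    {"issueName": "Password Management: Hardcoded Password",
     "friority": "Critical", "primaryLocation": "Config.java",
     "lineNumber": 9, "suppressed": True, "hidden": False},
    {"issueName": "Poor Logging Practice: Use of a System Output Stream",
     "friority": "Low", "primaryLocation": "Main.java", "lineNumber": 3,
     "suppressed": False, "hidden": False},
]


def fetch_issues(ssc_url, version_id, token, limit=200):
    """Page through an application version's issues (assumed SSC endpoint)."""
    issues, start = [], 0
    headers = {"Authorization": f"FortifyToken {token}",
               "Accept": "application/json"}
    while True:
        url = (f"{ssc_url.rstrip('/')}/api/v1/projectVersions/{version_id}"
               f"/issues?start={start}&limit={limit}")
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            page = json.load(resp)
        issues.extend(page.get("data", []))
        start += limit
        if start >= page.get("count", 0):
            return issues


def count_by_friority(issues):
    """Count open issues per Fortify priority. Suppressed or hidden issues
    have already been triaged by an auditor and do not count against the gate."""
    counts = Counter(
        issue.get("friority", "Low")
        for issue in issues
        if not issue.get("suppressed") and not issue.get("hidden")
    )
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def gate_violations(counts, thresholds=DEFAULT_THRESHOLDS):
    """Return (severity, found, allowed) for every threshold that is exceeded."""
    return [(sev, counts.get(sev, 0), allowed)
            for sev, allowed in thresholds.items()
            if counts.get(sev, 0) > allowed]


def should_fail_build(issues, thresholds=DEFAULT_THRESHOLDS):
    return bool(gate_violations(count_by_friority(issues), thresholds))


def report(issues, thresholds=DEFAULT_THRESHOLDS):
    """Human-readable summary for the build log, listing the offending issues."""
    counts = count_by_friority(issues)
    lines = ["Open issues: " + ", ".join(f"{s}={counts[s]}" for s in SEVERITY_ORDER)]
    for sev, found, allowed in gate_violations(counts, thresholds):
        lines.append(f"GATE FAILED: {found} {sev} issue(s), policy allows {allowed}")
        for issue in issues:
            if (issue.get("friority") == sev and not issue.get("suppressed")
                    and not issue.get("hidden")):
                lines.append(f"  {issue['issueName']} at "
                             f"{issue['primaryLocation']}:{issue['lineNumber']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Set FORTIFY_SSC_URL, FORTIFY_SSC_TOKEN and FORTIFY_VERSION_ID to gate on a
    # live SSC; without them the constructed sample is used.
    env = os.environ
    keys = ("FORTIFY_SSC_URL", "FORTIFY_SSC_TOKEN", "FORTIFY_VERSION_ID")
    if all(k in env for k in keys):
        issues = fetch_issues(env["FORTIFY_SSC_URL"], env["FORTIFY_VERSION_ID"],
                              env["FORTIFY_SSC_TOKEN"])
    else:
        issues = SAMPLE_ISSUES
    print(report(issues))
    sys.exit(1 if should_fail_build(issues) else 0)
```

Run it as the last step of the pipeline after the FPR has been uploaded to SSC; the non-zero exit is what makes the CI job fail. Counting only unsuppressed, unhidden issues is deliberate: it lets the audit workflow in SSC (including Audit Assistant's tags) feed back into the gate instead of blocking on findings an auditor has already dismissed.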
Fortify Integration
Snyk Integration
Fortify Automation
Audit Assistant
Auto-train
Auto-predict
Auto-tag
Unaudited results enter SSC
Audited issues arrive in SSC
Audit Assistant derives anonymous issue metrics and securely sends them to scan analytics
Classifiers report verified vulnerabilities with up to 98% accuracy
Fortify Automation
Centralized Translation & Scanning
Lightweight utility for Devs
No need to install SCA on build server
Payload automatically transferred to controller
Smart control queueing & monitoring
Automated scan results submission
Benefits
Cross language support
Removes dependency issues
Reduced infrastructure costs
Centrally managed
Designed for Enterprise Dev enablement
Fortify Automation
Slack Enabled FoD!
Release updates
Applications changes
Reports and scan status
Fortify Agility
Security Assistant for Visual Studio
Swift Language Support
SCA 18.10 has support for:
Swift 4
Xcode 9, 9.1, 9.2
Latest Obj-C
SCA 18.11 has support for:
Swift 4.1.x
Xcode 9.3, 9.4
Latest Obj-C
Fortify Agility
Support within 3 to 6 weeks of Apple updates!
Fortify Roadmap
Fortify - SCA / SSC / WebInspect / Fortify on Demand
Q118 Q218
This is a rolling (up to three year) roadmap and is subject to change without notice
Targeted / Available
Application issue templates
“Your Scans” page view
Nexgen Open Source integration with Sonatype
Tools update: IntelliJ audit
Delivery optimization
FoD 18.1
Audit assistant prediction automation (analytics built-in)
Languages updates: ECMA 2016/2017, Swift 4/4.1, Xcode 9.x, Python 3.x, Xamarin, Scala-Play
SSC scalability and token management
SSC UX refresh and branding
Tools update: Security Assistant for Visual Studio, Bamboo plugin
Headless dynamic architecture
Dynamic setup simplification and dockerized deployment
On-Premise 18.1
Nexgen dynamic scanning automation
Tools update: Security Assistant for Visual Studio, Bamboo plugin
Dashboarding & analytics
Delivery optimization
Dynamic automation
Performance & scalability
Faster remediation
Improved new user UX
Improved open source analysis (JS support)
FoD Upcoming
Dynamic automation (WI + nexgen platform)
Performance & scalability
Integrations (API v4, DevOps toolchain)
False positive reduction
Dashboarding & analytics
Static automation
FoD Future
‒ High level themes
On-Premise Upcoming
Continued focus on customer driven innovation features for:
Integration / Automation / Agility
Examples include: Plugin consolidation, Angular, Java 11, Python-Django, Swift 5, Go, Ruby on Rails, centralized scanning and dependency orchestration, dynamic shift left
Licensing simplification
On-Premise Future
FoD 18.2
SSC Audit page redesign, SSC scalability
Centralized scanning phase 1
Languages updates: TypeScript, Swift 4.2/Xcode 10, Python 2 update, Obj-C, .NET MSBuild, SCA logging enhancements, C/C++
New Jenkins plugin with pipelines and build fail support
Dynamic headless tech preview
WI Firefox update, extended crawling support w/Angular 4+, REST API improvements, sensor management
Thanks!
#MicroFocusCyberSummit