![Page 1: Presentation Title Second Linemicrofocus.fundorfina.pl/wp-content/uploads/2019/10/... · 2019-10-22 · IDS/IPS, SIEM, patching, anti-malware, etc. Identity & Access Management Infra-level](https://reader034.vdocuments.mx/reader034/viewer/2022042407/5f22a719bf292e3b5d18b064/html5/thumbnails/1.jpg)
FORTIFY
Automating application security with Fortify
Frans van Buul, Micro Focus
About me
Presales for the Micro Focus Fortify application security testing portfolio, since 2014.
Based in the Netherlands, leading the Fortify presales practice across EMEA and LATAM.
Background in security consulting/auditing and (Java) software development.
Contact me: [email protected]
Agenda
Introduction to Application Security – what it is and why care?
Core appsec techniques: DAST and SAST
Fortify products and implementation examples
Want to learn more after this?
Come to our booth, drop me an email, or visit https://www.microfocus.com/en-us/solutions/application-security
Introduction to Application Security – what it is and why care?
The security of controlled access
The security of not bypassing security functionality.
Required for
A security quadrant
Application Security
Security Functionality
Firewalls, IDS/IPS, SIEM, patching, anti-malware, etc.
Identity & Access
Management
Infra level
Application level
Controlled access
Avoiding bypassing
OWASP Top-10 2017
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconfiguration
Cross-Site Scripting
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
Application Security
Security Functionality
Firewalls, IDS/IPS, SIEM, patching, anti-malware, etc.
Identity & Access
Management
Infra-level security measures do not protect against this type of problem!
Testing for security functionality is different from testing for application security!
AppSec needs specific attention
Factors making AppSec a big current issue
Historically, most security investments have gone into infra. Remaining weak spots are in applications.
Growing application portfolios and application connectivity.
Lack of developer training and awareness.
Rapid release cycles.
Manual pentesting and code reviews don’t offer the needed scale and are too slow
[Chart: Release Frequency and Number of Applications, both rising from 2010 through 2015 to 2020+]
Core appsec techniques: DAST and SAST
Dynamic Application Security Testing (DAST)
Automatically testing a running application for security vulnerabilities.
“Automated hacker”
Usually done on a test/QA environment, occasionally also done on production.
DAST process
Target web application
DAST tool (Micro Focus case: WebInspect)
Vulnerability information
Config, Crawl, Audit
Report
Usually operated by a security tester; sometimes run automatically from the command line or API
IAST: Interactive Application Security Testing
Target web application
DAST tool (Micro Focus case: WebInspect)
Config, Crawl, Audit
DAST/IAST Agent: “A helper behind enemy lines”. Provides detailed info to the DAST tool to optimize its attacks.
DAST pros and cons
Pros
Independent of programming language.
In a way, similar to functional testing.
Few “false positives”
Can be done both manually and automated as part of a build pipeline.
Can be integrated with functional testing tools and issue trackers.
Cons
Still relatively slow (several hours to days) and late in the cycle.
Feedback in terms of behaviour – not super actionable for developers.
Limited to web-based (HTTP) systems
Needs to have the application running.
Sensitive to configuration (log-in scripts, avoiding being hit by security controls).
Prone to “false negatives” if the configuration is not correct.
Static Application Security Testing (SAST)
Automatically analyzing the source code of an application for security vulnerabilities.
“Automated code reviewer”
Done based on code in the code repository; usually running automated every night.
SAST process
Source code (Java, JavaScript, C#, ABAP, …)
SAST tool (Micro Focus: Fortify SCA)
Vulnerability information
May be invoked from the command line, IDE, Jenkins, etc.
SAST versus static analysis for quality: Complementary solutions
SAST
Fortify, Checkmarx, Veracode, Coverity, …
Test for security, not for general quality.
Slow, complex flow-analysis algorithms plus pattern-matching algorithms.
Static Analysis for Quality
SonarQube, FxCop, CheckStyle, …
Check for quality, with a bit of security.
Fast, simple pattern-matching algorithms.
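The distinction this slide draws between slow flow analysis and fast pattern matching, shown as an added example that is not part of the original deck and is not Fortify, SonarQube or any vendor's code: a minimal taint tracker built on Python's ast module next to a regex matcher, both run over three constructed snippets. The source (request.get), sink (cursor.execute) and sanitizer (int) are assumptions chosen for the illustration, not a real rule pack. The pattern matcher flags every textual occurrence of the sink, including the sanitized and constant-query cases; the flow analysis reports only the call that untrusted data actually reaches, which is why the two approaches differ in both speed and false-positive rate.

```python
import ast
import re

# Constructed rule set (an assumption for this illustration, not a Fortify rule pack):
# one untrusted-input source, one dangerous sink and one sanitizer.
SOURCES = {("request", "get")}     # request.get(...) returns attacker-controlled input
SINKS = {("cursor", "execute")}    # cursor.execute(...) runs SQL
SANITIZERS = {"int"}               # int(...) yields a value that is safe for this sink


def _callee(call):
    """Name a call as (object, attribute) for obj.attr(...) or (None, name) for name(...)."""
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    if isinstance(func, ast.Name):
        return (None, func.id)
    return (None, None)


class TaintAnalyzer(ast.NodeVisitor):
    """Propagates taint through straight-line assignments and reports tainted sink calls."""

    def __init__(self):
        self.tainted = set()   # variables currently holding untrusted data
        self.findings = []     # line numbers of sink calls fed by untrusted data

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            obj, name = _callee(node)
            if (obj, name) in SOURCES:
                return True
            if obj is None and name in SANITIZERS:
                return False       # a sanitizer's result is clean whatever went in
            return any(self.is_tainted(arg) for arg in node.args)
        if isinstance(node, ast.BinOp):      # string concatenation with +
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f-strings
            return any(self.is_tainted(part.value)
                       for part in node.values if isinstance(part, ast.FormattedValue))
        return False               # constants and unmodelled expressions count as clean

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassigned with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        if _callee(node) in SINKS and any(self.is_tainted(arg) for arg in node.args):
            self.findings.append(node.lineno)
        self.generic_visit(node)


def taint_scan(source):
    """Flow analysis: report sink calls only when untrusted data actually reaches them."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


SINK_PATTERN = re.compile(r"cursor\.execute\(")


def pattern_scan(source):
    """Pattern matching: report every line that textually contains the sink call."""
    return [lineno for lineno, line in enumerate(source.splitlines(), start=1)
            if SINK_PATTERN.search(line)]


# Three constructed snippets (not code from any real project).
UNSANITIZED = '''
user_id = request.get("id")
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
'''
SANITIZED = '''
user_id = int(request.get("id"))
query = "SELECT * FROM users WHERE id = " + str(user_id)
cursor.execute(query)
'''
CONSTANT = '''
cursor.execute("SELECT COUNT(*) FROM users")
'''

if __name__ == "__main__":
    for label, snippet in [("unsanitized", UNSANITIZED), ("sanitized", SANITIZED),
                           ("constant", CONSTANT)]:
        print(f"{label:12s} pattern={pattern_scan(snippet)} taint={taint_scan(snippet)}")
```

The analyzer is deliberately intraprocedural and only follows straight-line code; a production SAST engine has to do the same propagation across function calls, collections, frameworks and files, which is where the "slow, complex" part of the slide comes from.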
SAST pros and cons
Pros
Fast (minutes to hours in extreme cases)
Very detailed feedback to developers, easy to address issues.
Web, mobile, desktop, embedded, …
Can find things that DAST cannot find.
Cons
Prone to false positives.
Requires that the programming language is supported by the SAST tool.
Requires that the programming framework is understood by the SAST tool.
Misses certain things that DAST can find.
Fast, but still not real time.
Not a good solution for 3rd party dependencies.
Two modern SAST developments
Software Composition Analysis (SCA)
For most business apps, the custom code is just the tip of the iceberg: the majority of code is open source libraries!
SCA is about testing the versions of the libraries against known vulnerable versions, and recommending patching.
Micro Focus: integration with Sonatype, Snyk and others.
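The version-matching step that Software Composition Analysis performs, as an added example that is not part of the original deck and is not Fortify, Sonatype or Snyk code. It assumes a pip-style pinned manifest and a constructed advisory feed with placeholder identifiers and made-up package names; the check also covers the case where the fix version of one advisory falls inside another advisory's affected range, so the recommended upgrade is one that clears every known issue for the package. (In this deck "SCA" names both Fortify Static Code Analyzer and Software Composition Analysis; this example concerns the latter.)

```python
from dataclasses import dataclass


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so that 1.10 sorts after 1.9 (a string compare would not).
    Pre-release suffixes such as '-rc1' are not handled; a real feed needs a fuller parser."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first version containing the fix (exclusive upper bound)
    advisory_id: str   # placeholder id; a real feed carries a CVE or vendor identifier

    def affects(self, version):
        return parse_version(self.introduced) <= parse_version(version) < parse_version(self.fixed)


# Constructed advisory feed (an assumption for this example; not data from Sonatype,
# Snyk or any other real source, and the package names do not refer to real libraries).
ADVISORIES = [
    Advisory("example-json", "1.0.0", "1.4.2", "ADV-PLACEHOLDER-001"),
    Advisory("example-json", "1.4.0", "1.5.0", "ADV-PLACEHOLDER-004"),  # covers the fix of 001
    Advisory("example-json", "2.0.0", "2.1.0", "ADV-PLACEHOLDER-002"),
    Advisory("example-http", "0.9.0", "1.0.0", "ADV-PLACEHOLDER-003"),
]


def parse_manifest(text):
    """Read pip-style 'name==version' pins; comments and blank lines are skipped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency, cannot assess: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def check_dependencies(deps, advisories=ADVISORIES):
    """Map each vulnerable pin to the advisories it matches and an upgrade target.

    The target is the lowest fix version above the current pin that no advisory for
    the package still affects, so an upgrade does not land in another known-bad range."""
    findings = {}
    for package, current in deps.items():
        relevant = [a for a in advisories if a.package == package]
        hits = [a for a in relevant if a.affects(current)]
        if not hits:
            continue
        candidates = sorted({a.fixed for a in relevant}, key=parse_version)
        recommended = next(
            (c for c in candidates
             if parse_version(c) > parse_version(current)
             and not any(a.affects(c) for a in relevant)),
            None,
        )
        findings[package] = {
            "current": current,
            "recommended": recommended,
            "advisories": [a.advisory_id for a in hits],
        }
    return findings


# Constructed sample manifest (not a real project's dependency file).
MANIFEST = """
# pinned dependencies
example-json==1.2.0
example-http==1.0.0
example-log==3.1.0
"""

if __name__ == "__main__":
    for package, info in check_dependencies(parse_manifest(MANIFEST)).items():
        print(f"{package}=={info['current']}: {', '.join(info['advisories'])}; "
              f"upgrade to {info['recommended']}")
```

Two details matter in practice: versions must be compared numerically rather than as strings, and a pin that is exactly the fix version (example-http==1.0.0 above) is not affected because the upper bound is exclusive. Unpinned dependencies are rejected rather than silently skipped, since an unknown version cannot be assessed.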
Real-time feedback
Full SAST can’t be done in real-time.
Part of the SAST scanning can be done in real-time, providing immediate feedback to the dev inside the IDE.
Micro Focus: Security Assistant
Fortify products and implementation examples
Fortify is the most flexible, end-to-end AppSec solution
Web Dynamic Testing (DAST)
Runtime Protection (RASP)
Static Code Analysis (SAST)
Production
Fortify on Demand (FOD)
On Premise App Defender
Application Development
Test, Integration & Staging
Code
Design
IT Operations
Cloud Managed Service
WebInspect
Software Security Center
Static Code Analyzer (SCA)
App Defender
Fortify = Seamless Application Security
Fast
• Get scan results in minutes
• Adjust scans to achieve desired coverage for both SAST and DAST
• Apply machine learning to identify and prioritize the most relevant issues with Audit Assistant
Easy to Get Started
• Start in a day with Fortify on Demand with actionable results
Easy to Use
• Real-time security in the IDE for developers with Security Assistant
• Robust integration ecosystem
Accurate
• OWASP Benchmark: Fortify SCA true positive rate is 100%
Scalable
• SaaS, on-premise, or hybrid
• Flexible to grow
Fortify is recognized for delivering value
• Leader in the Gartner MQ, and has been a leader in all editions of this MQ since they started it.
• Thousands of customers globally.
• Strong in financial services, independent software vendors, public sector, energy, automotive, telecommunications, consumer goods, and many other industries.
[Figure: 2019 Gartner Magic Quadrant for AST, with Fortify marked]
Example scenario 1: Small supplier to healthcare industry
Imagine the following prospect
100 employees
Sells technical equipment to healthcare industry customers
Has 4 web applications (public website, support portal, …)
IT manager is conscious about security, because their customers are as well. Hires an external agency for pentesting once a year.
Typical pain points – Scenario 1: Small supplier to healthcare industry
Penetration testing is expensive.
Quality of penetration testing report is highly variable.
They really want to do it more often, but at the present cost level this is not feasible.
They expect to launch 2 more applications next year, so getting a practical, scalable solution is important.
Fortify solution: FoD dynamic – Scenario 1: Small supplier to healthcare industry
Example scenario 2: A bank introducing DevOps
Imagine the following prospect
Bank with 5,000 employees, of which 400 software developers
Maintain 50 applications (web, mobile apps, internal systems, etc.)
Have an application security department.
- Regularly perform code reviews
- Run dynamic testing tools themselves and hire 3rd party experts for additional testing.
Currently in the process of introducing DevOps for quicker time-to-market.
Typical pain points – Scenario 2: A bank introducing DevOps
The current security process will become the bottleneck in the DevOps process. Something needs to be done.
Regulatory pressure to maintain a high level of security.
Developers are under a lot of pressure to deliver functionality for the business. They dislike the security processes.
Code review is important, but at the same time the code is a strategic asset not to be shared with 3rd parties.
Fortify solution: SAST on-premise – Scenario 2: A bank introducing DevOps
Typical architecture – Scenario 2: A bank introducing DevOps
Conclusion
Application Security as a topic cannot be ignored by organizations that operate custom software.
Manual approaches to the problem exist but are painful in terms of cost, scalability and the delays they introduce.
Fortify is Micro Focus’ market-leading appsec automation portfolio.
With SAST/DAST/RASP available on-prem and as-a-service, there’s an effective solution for any type of situation.
Thank you!