SlideShare a Scribd company logo

Bridging the Security Testing Gap in Your CI/CD Pipeline

DevOps.com, profile picture
DevOps.com

The document discusses the increasing importance of cybersecurity in the context of accelerated digital transformation and the challenges organizations face in integrating security testing within CI/CD pipelines. It introduces 'Seeker', an Interactive Application Security Testing (IAST) tool designed to automate security assessments, improve vulnerability detection, and facilitate seamless integration into development workflows. Seeker aims to enhance application security through real-time testing, verification of vulnerabilities, and ongoing developer education, making it suitable for organizations at various stages of their security journey.

Technology
Related topics:
CI/CD
1 of 28
Downloaded 36 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
© 2019 Synopsys, Inc.1 Bridging the security testing gap in CI/CD pipeline Kimm Yeo and Asma Zubair SIG Product Marketing and Management
© 2019 Synopsys, Inc.2 Agenda Market trends and challenges App security gap in CI/CD and IAST Introducing Seeker IAST Seeker demonstration Q & A
© 2019 Synopsys, Inc.3 The pace of digital transformation today Source: Accenture 2019 executive technology vision study 94%enterprises have accelerated or significantly accelerated pace of innovations1 Sources: 1. Accenture 2019 report (link) 2. 451 DevSecOps research report2
© 2019 Synopsys, Inc.4 What’s next? Accenture 2019 executive vision: One of the top five trends for next three years Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Importance of cybersecurity One of top 5 trends for next 3years source: Accenture 2019 Technology Vision survey with over 6k business and IT execs Source: Accenture 2019 tech vision report (link)
© 2019 Synopsys, Inc.5 The pace of digital transformation today Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs With digital transformation becoming an even playing field, new challenges arised
© 2019 Synopsys, Inc.6 Current state of cybersecurity State of software security in financial services 2 62% Do not have necessary cybersecurity skills2 Only 23% Perform security assessment of third party directly 2 74% Concern with software and systems supplied by third party2 76% Difficulty with vulnerability detection in software systems before release2 11B records breached 1 (and still counting...) Sources: 1. Privacy rights data breaches (link) 2. Ponemon state of security in financial services industry report2
© 2019 Synopsys, Inc.7 Third party penetration testing Fuzz testing Softw are com position analysisD ynam ic analysis Static analysis 57% 31% 61% 59% 51% Source: 451 DevSecOps Research Application security tools in CI/CD workflows Question: What are the critical app sec testing tools to add to CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
© 2019 Synopsys, Inc.8 Application security gap in SDLC Code development Code commit Build Test Deploy Production Release SCA, SAST, (Deeper level) Lightweight IDE SAST tools Monitoring Pen testing Red Teaming TM, SAST Manual code review DAST Fuzz testing Pen testing Load/Performance test Hardening checks How do you take siloed, disparate development, operations and security processes and transform to an integrated tool chain?
© 2019 Synopsys, Inc.9 35% 36% 46% 48% 56% 61% Compliance Developer resistance False positives Security testing slows things down Inconsistent approach Lack of automated, integrated security testing tools Source: 451 DevSecOps Research, 2018 Security testing challenges in CI/CD workflows What are the most significant app security testing challenges inherent in CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
© 2019 Synopsys, Inc.10 The challenges of building security into modern application development and delivery How do we integrate and automate dynamic security testing into our CI/CD? How do we minimize the effort for developers to find and fix vulnerabilities? Sec How do we maximize application security AND development velocity? How do we identify and prioritize the most severe vulnerabilities?
© 2019 Synopsys, Inc.11 Interactive Application Security Testing (IAST)
© 2019 Synopsys, Inc.12 Continuous security testing with IAST Code development Code commit Build Test Deploy Production Release Functional Non- FunctionalSCA, SAST, (Deeper level) IAST (Continuous run-time text) Lightweight IDE SAST tools DAST Fuzz testing Pen testing Load/Performance test Hardening checks Monitoring Pen testing Red Teaming IAST (Continuous runtime security test) TM, SAST Manual code review
© 2019 Synopsys, Inc.13 IAST runtime testing & analysis • Analysis of code execution using runtime monitors • Visibility into executed code and runtime data, such as: • HTTP Requests – End to End • Parameter Propagation • HTTP Response Writing • Database Calls • Database Responses • File System Calls (& Content) • String Manipulations • Memory (Like Debugger “Watch”) • Usage of 3rd Party Libraries • Web Services Calls • On-the-fly Code Generation • More… …
© 2019 Synopsys, Inc.14 Comparison of SAST, IAST, and DAST SAST IAST DAST Typically used in Development Integration and QA QA or production Usually requires Source code Functional app and test suite Functional app Integrates in CI/CD Yes Yes No, not really Capabilities • Finds vulnerabilities earliest in the SDLC • Gives fast line of code insights • Finds vulnerabilities during functional test (no scans required) • Gives runtime and line of code insights in real time • Finds vulnerabilities w/o source code or test suite • Requires expertise and time to triage and prioritize findings
© 2019 Synopsys, Inc.15 Introducing Seeker IAST
© 2019 Synopsys, Inc.16 Seeker Seeker is our interactive application security testing tool – Performs run time security testing Seeker performs security testing on: – Web apps – Web APIs, or services – Mobile application back-end (where a mobile app’s critical functionality resides) – Detects vulnerabilities in custom code as well as 3rd party code Applications can be: – on-premises, in the cloud, containerized Seeker detects – Injection flaws – Security misconfigurations – Sensitive data leakage – and many more types of vulnerabilities
© 2019 Synopsys, Inc.17 Seeker - Automated security testing made easy • Automatically verifies vulnerabilities • Creates specific Jira tickets for developers • Instant notification to developers via slack or email Automated Verification Easy for Development • ANY functional test becomes a security test • Continuous security testing with results in real time Automated Testing Easy for QA • Deploy and run via CI/CD • Compatible with existing automation tools • On-premises and cloud- based apps Automated Deployment Easy for DevOps
© 2019 Synopsys, Inc.18 http://... How Seeker works Your Application Seeker Enterprise Server vulnerabilities 2 3 1 Application receives HTTP request. Agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof. 2 3 1 Seeker Agent
© 2019 Synopsys, Inc.19 Seeker integrates seamlessly into the DevOps toolchain Connect directly to Jira and your CI/CD tools with APIs and integrations testcode operatebuild deploy Developer commits the code Functional testing done Build pass/fail decision (based on testing status) App and Seeker are deployed in test environment The build is made Vulnerabilities pushed in
© 2019 Synopsys, Inc.20 Active verification provides accurate and real time results Patented active verification engine minimizes false positives • Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited • Quickly processes hundreds of thousands of HTTP(S) requests • Provides risk-prioritized list of verified vulnerabilities to fix immediately
© 2019 Synopsys, Inc.21 Configurable sensitive data tracking • Define parameters and patterns to identify sensitive data in your application • Track exposure and leakage through URLs, logs, UI, DB, etc. • Verify compliance with standards including PCI, HIPAA, and GDPR Verify security and data protection compliance by tracking leakage of any type of sensitive data
© 2019 Synopsys, Inc.22 Integrated eLearning • Seeker is now integrated with Synopsys eLearning. – Requires eLearning account/contract • Contextual online training helps developers understand and remediate vulnerabilities.
© 2019 Synopsys, Inc.23 Insight into third party, open source use and risks • Get visibility into supply chain risks • Comprehensive bill of materials • Vulnerable components • Risk-ranked vulnerabilities • Open source licenses Integrated Binary Software Composition Analysis identifies vulnerable components used in code
© 2019 Synopsys, Inc.24 Seeker In Action Demonstration
© 2019 Synopsys, Inc.25 Why Seeker ? Designed for seamless integration • Easy to automate or integrate into CI/CD pipeline • Easy to deploy and configure • Optimized for security, development and DevOps teams Privacy and compliance • Only AST tools with complete sensitive data tracking • Provide results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC • Integrated Binary Software Composition Analysis for OSS dependencies Developer empowerment • Accurate findings with real-time verification to help prioritize remediation • Integrated eLearning gives developers contextual learning on the job • Instant alert (slack, email, webhooks) and remediation advice Designed for scale • Support large-scale, modern app deployments • Framework agnostic with broad language coverage • Comprehensive checkers
© 2019 Synopsys, Inc.26 Seeker helps organizations with their application security testing needs No security testing in place • Seeker is perfect as a starting tool for automated security testing • Security expertise not needed Ad-hoc security testing Start using Seeker during functional testing to find vulnerabilities early and cut down on pen-testing resources/cost Ready to integrate security in CI/CD Integrate Seeker in CI/CD pipeline and automatically fail the build if critical security vulnerabilities are detected Regardless of their maturity in application security risk management process
© 2019 Synopsys, Inc.27 Q & A
Thank You Follow us on twitter : @zubaira, @kimm_yeo

More Related Content

PDF
Introduction to CICD
Knoldus Inc.
 
PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
PDF
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PDF
DevSecOps What Why and How
NotSoSecure Global Services
 
PPTX
Introduction to DevSecOps
abhimanyubhogwan
 
PDF
DevSecOps and the CI/CD Pipeline
James Wickett
 
Introduction to CICD
Knoldus Inc.
 
DevSecOps Implementation Journey
DevOps Indonesia
 
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
DevSecOps in Baby Steps
Priyanka Aash
 
DevSecOps What Why and How
NotSoSecure Global Services
 
Introduction to DevSecOps
abhimanyubhogwan
 
DevSecOps and the CI/CD Pipeline
James Wickett
 

What's hot (20)

PDF
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
PPTX
DevSecOps reference architectures 2018
Sonatype
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
Practical DevSecOps - Arief Karfianto
idsecconf
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
PDF
DevSecOps
Tomas Honzak
 
PDF
Introduction to DevSecOps
Setu Parimi
 
PPTX
DEVSECOPS.pptx
MohammadSaif904342
 
PPTX
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
PDF
2019 DevSecOps Reference Architectures
Sonatype
 
PPTX
Secure SDLC Framework
Rishi Kant
 
PPTX
DevOps to DevSecOps Journey..
Siddharth Joshi
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
PPT
DevSecOps Singapore introduction
Stefan Streichsbier
 
PDF
Demystifying DevSecOps
Archana Joshi
 
PDF
DevOps and AWS
Shiva Narayanaswamy
 
PDF
Building an API Security Strategy
SmartBear
 
PPTX
DevOps Monitoring and Alerting
Khairul Zebua
 
PPTX
SonarQube: Continuous Code Inspection
Michael Jesse
 
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevSecOps reference architectures 2018
Sonatype
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Practical DevSecOps - Arief Karfianto
idsecconf
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
DevSecOps
Tomas Honzak
 
Introduction to DevSecOps
Setu Parimi
 
DEVSECOPS.pptx
MohammadSaif904342
 
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
2019 DevSecOps Reference Architectures
Sonatype
 
Secure SDLC Framework
Rishi Kant
 
DevOps to DevSecOps Journey..
Siddharth Joshi
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
DevSecOps Singapore introduction
Stefan Streichsbier
 
Demystifying DevSecOps
Archana Joshi
 
DevOps and AWS
Shiva Narayanaswamy
 
Building an API Security Strategy
SmartBear
 
DevOps Monitoring and Alerting
Khairul Zebua
 
SonarQube: Continuous Code Inspection
Michael Jesse
 
Ad

Similar to Bridging the Security Testing Gap in Your CI/CD Pipeline (20)

PDF
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
PDF
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
PDF
Ast in CI/CD by Ofer Maor
DevSecCon
 
PDF
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
PDF
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
PDF
Datasheet app vulnerability_assess
Birodh Rijal
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
PPTX
IAST Tools POC Report for interactive testing
HareeshNani5
 
PDF
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
PPTX
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
PPTX
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
PDF
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
Synopsys Software Integrity Group
 
PDF
Secure software chapman
AdaCore
 
PDF
The Future of DevSecOps
Stefan Streichsbier
 
PDF
Embedded world 2017
ChantalWauters
 
PPTX
How to Get the Most Out of Security Tools
Security Innovation
 
PDF
Web Application Security Testing (1).pptx.pdf
apurvar399
 
PDF
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
PDF
Procuring an Application Security Testing Partner
HCLSoftware
 
PDF
Analyst Resources for Chief Information Security Officers (CISOs)
Synopsys Software Integrity Group
 
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
Ast in CI/CD by Ofer Maor
DevSecCon
 
Webinar – Risk-based adaptive DevSecOps
Synopsys Software Integrity Group
 
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Datasheet app vulnerability_assess
Birodh Rijal
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
IAST Tools POC Report for interactive testing
HareeshNani5
 
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
DevSecOps Powerpoint Presentation for Students
poonawala2303
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
Synopsys Software Integrity Group
 
Secure software chapman
AdaCore
 
The Future of DevSecOps
Stefan Streichsbier
 
Embedded world 2017
ChantalWauters
 
How to Get the Most Out of Security Tools
Security Innovation
 
Web Application Security Testing (1).pptx.pdf
apurvar399
 
Selecting an App Security Testing Partner: An eGuide
HCLSoftware
 
Procuring an Application Security Testing Partner
HCLSoftware
 
Analyst Resources for Chief Information Security Officers (CISOs)
Synopsys Software Integrity Group
 
Ad

More from DevOps.com (20)

PDF
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
PDF
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
PPTX
Vulnerability Discovery in the Cloud
DevOps.com
 
PDF
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
PDF
A New Year’s Ransomware Resolution
DevOps.com
 
PPTX
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
PDF
Don't Panic! Effective Incident Response
DevOps.com
 
PDF
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
PDF
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
PDF
Monitoring Serverless Applications with Datadog
DevOps.com
 
PDF
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
PPTX
Securing medical apps in the age of covid final
DevOps.com
 
PDF
How to Build a Healthy On-Call Culture
DevOps.com
 
PPTX
The Evolving Role of the Developer in 2021
DevOps.com
 
PDF
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
PPTX
Secure Data Sharing in OpenShift Environments
DevOps.com
 
PPTX
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
PDF
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 
Modernizing on IBM Z Made Easier With Open Source Software
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
DevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
DevOps.com
 
Vulnerability Discovery in the Cloud
DevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
DevOps.com
 
A New Year’s Ransomware Resolution
DevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
DevOps.com
 
Don't Panic! Effective Incident Response
DevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
DevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
DevOps.com
 
Monitoring Serverless Applications with Datadog
DevOps.com
 
Deliver your App Anywhere … Publicly or Privately
DevOps.com
 
Securing medical apps in the age of covid final
DevOps.com
 
How to Build a Healthy On-Call Culture
DevOps.com
 
The Evolving Role of the Developer in 2021
DevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
DevOps.com
 
Secure Data Sharing in OpenShift Environments
DevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
DevOps.com
 

Recently uploaded (20)

DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Teaching material agriculture food technology
LiaRayya
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 

Bridging the Security Testing Gap in Your CI/CD Pipeline

  • 1. © 2019 Synopsys, Inc.1 Bridging the security testing gap in CI/CD pipeline Kimm Yeo and Asma Zubair SIG Product Marketing and Management
  • 2. © 2019 Synopsys, Inc.2 Agenda Market trends and challenges App security gap in CI/CD and IAST Introducing Seeker IAST Seeker demonstration Q & A
  • 3. © 2019 Synopsys, Inc.3 The pace of digital transformation today Source: Accenture 2019 executive technology vision study 94%enterprises have accelerated or significantly accelerated pace of innovations1 Sources: 1. Accenture 2019 report (link) 2. 451 DevSecOps research report2
  • 4. © 2019 Synopsys, Inc.4 What’s next? Accenture 2019 executive vision: One of the top five trends for next three years Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Importance of cybersecurity One of top 5 trends for next 3years source: Accenture 2019 Technology Vision survey with over 6k business and IT execs Source: Accenture 2019 tech vision report (link)
  • 5. © 2019 Synopsys, Inc.5 The pace of digital transformation today Increased risks and complexity Enterprises are not just potential victims, but others’ vectors Source: Accenture 2019 Technology Vision survey with over 6k business and IT execs With digital transformation becoming an even playing field, new challenges arised
  • 6. © 2019 Synopsys, Inc.6 Current state of cybersecurity State of software security in financial services 2 62% Do not have necessary cybersecurity skills2 Only 23% Perform security assessment of third party directly 2 74% Concern with software and systems supplied by third party2 76% Difficulty with vulnerability detection in software systems before release2 11B records breached 1 (and still counting...) Sources: 1. Privacy rights data breaches (link) 2. Ponemon state of security in financial services industry report2
  • 7. © 2019 Synopsys, Inc.7 Third party penetration testing Fuzz testing Softw are com position analysisD ynam ic analysis Static analysis 57% 31% 61% 59% 51% Source: 451 DevSecOps Research Application security tools in CI/CD workflows Question: What are the critical app sec testing tools to add to CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
  • 8. © 2019 Synopsys, Inc.8 Application security gap in SDLC Code development Code commit Build Test Deploy Production Release SCA, SAST, (Deeper level) Lightweight IDE SAST tools Monitoring Pen testing Red Teaming TM, SAST Manual code review DAST Fuzz testing Pen testing Load/Performance test Hardening checks How do you take siloed, disparate development, operations and security processes and transform to an integrated tool chain?
  • 9. © 2019 Synopsys, Inc.9 35% 36% 46% 48% 56% 61% Compliance Developer resistance False positives Security testing slows things down Inconsistent approach Lack of automated, integrated security testing tools Source: 451 DevSecOps Research, 2018 Security testing challenges in CI/CD workflows What are the most significant app security testing challenges inherent in CI/CD workflows? Examining DevSecOps Realities & Opportunities (link)
  • 10. © 2019 Synopsys, Inc.10 The challenges of building security into modern application development and delivery How do we integrate and automate dynamic security testing into our CI/CD? How do we minimize the effort for developers to find and fix vulnerabilities? Sec How do we maximize application security AND development velocity? How do we identify and prioritize the most severe vulnerabilities?
  • 11. © 2019 Synopsys, Inc.11 Interactive Application Security Testing (IAST)
  • 12. © 2019 Synopsys, Inc.12 Continuous security testing with IAST Code development Code commit Build Test Deploy Production Release Functional Non- FunctionalSCA, SAST, (Deeper level) IAST (Continuous run-time text) Lightweight IDE SAST tools DAST Fuzz testing Pen testing Load/Performance test Hardening checks Monitoring Pen testing Red Teaming IAST (Continuous runtime security test) TM, SAST Manual code review
  • 13. © 2019 Synopsys, Inc.13 IAST runtime testing & analysis • Analysis of code execution using runtime monitors • Visibility into executed code and runtime data, such as: • HTTP Requests – End to End • Parameter Propagation • HTTP Response Writing • Database Calls • Database Responses • File System Calls (& Content) • String Manipulations • Memory (Like Debugger “Watch”) • Usage of 3rd Party Libraries • Web Services Calls • On-the-fly Code Generation • More… …
  • 14. © 2019 Synopsys, Inc.14 Comparison of SAST, IAST, and DAST SAST IAST DAST Typically used in Development Integration and QA QA or production Usually requires Source code Functional app and test suite Functional app Integrates in CI/CD Yes Yes No, not really Capabilities • Finds vulnerabilities earliest in the SDLC • Gives fast line of code insights • Finds vulnerabilities during functional test (no scans required) • Gives runtime and line of code insights in real time • Finds vulnerabilities w/o source code or test suite • Requires expertise and time to triage and prioritize findings
  • 15. © 2019 Synopsys, Inc.15 Introducing Seeker IAST
  • 16. © 2019 Synopsys, Inc.16 Seeker Seeker is our interactive application security testing tool – Performs run time security testing Seeker performs security testing on: – Web apps – Web APIs, or services – Mobile application back-end (where a mobile app’s critical functionality resides) – Detects vulnerabilities in custom code as well as 3rd party code Applications can be: – on-premises, in the cloud, containerized Seeker detects – Injection flaws – Security misconfigurations – Sensitive data leakage – and many more types of vulnerabilities
  • 17. © 2019 Synopsys, Inc.17 Seeker - Automated security testing made easy • Automatically verifies vulnerabilities • Creates specific Jira tickets for developers • Instant notification to developers via slack or email Automated Verification Easy for Development • ANY functional test becomes a security test • Continuous security testing with results in real time Automated Testing Easy for QA • Deploy and run via CI/CD • Compatible with existing automation tools • On-premises and cloud- based apps Automated Deployment Easy for DevOps
  • 18. © 2019 Synopsys, Inc.18 http://... How Seeker works Your Application Seeker Enterprise Server vulnerabilities 2 3 1 Application receives HTTP request. Agent analyzes code and memory, focusing on security-related activities like encryption, SQL, file access, LDAP, XPath, etc. Results are actively verified and reported along with vulnerable lines of code, runtime data, and verification proof. 2 3 1 Seeker Agent
  • 19. © 2019 Synopsys, Inc.19 Seeker integrates seamlessly into the DevOps toolchain Connect directly to Jira and your CI/CD tools with APIs and integrations testcode operatebuild deploy Developer commits the code Functional testing done Build pass/fail decision (based on testing status) App and Seeker are deployed in test environment The build is made Vulnerabilities pushed in
  • 20. © 2019 Synopsys, Inc.20 Active verification provides accurate and real time results Patented active verification engine minimizes false positives • Automatically re-tests detected vulnerabilities to verify that they are real and can be exploited • Quickly processes hundreds of thousands of HTTP(S) requests • Provides risk-prioritized list of verified vulnerabilities to fix immediately
  • 21. © 2019 Synopsys, Inc.21 Configurable sensitive data tracking • Define parameters and patterns to identify sensitive data in your application • Track exposure and leakage through URLs, logs, UI, DB, etc. • Verify compliance with standards including PCI, HIPAA, and GDPR Verify security and data protection compliance by tracking leakage of any type of sensitive data
  • 22. © 2019 Synopsys, Inc.22 Integrated eLearning • Seeker is now integrated with Synopsys eLearning. – Requires eLearning account/contract • Contextual online training helps developers understand and remediate vulnerabilities.
  • 23. © 2019 Synopsys, Inc.23 Insight into third party, open source use and risks • Get visibility into supply chain risks • Comprehensive bill of materials • Vulnerable components • Risk-ranked vulnerabilities • Open source licenses Integrated Binary Software Composition Analysis identifies vulnerable components used in code
  • 24. © 2019 Synopsys, Inc.24 Seeker In Action Demonstration
  • 25. © 2019 Synopsys, Inc.25 Why Seeker ? Designed for seamless integration • Easy to automate or integrate into CI/CD pipeline • Easy to deploy and configure • Optimized for security, development and DevOps teams Privacy and compliance • Only AST tools with complete sensitive data tracking • Provide results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC • Integrated Binary Software Composition Analysis for OSS dependencies Developer empowerment • Accurate findings with real-time verification to help prioritize remediation • Integrated eLearning gives developers contextual learning on the job • Instant alert (slack, email, webhooks) and remediation advice Designed for scale • Support large-scale, modern app deployments • Framework agnostic with broad language coverage • Comprehensive checkers
  • 26. © 2019 Synopsys, Inc.26 Seeker helps organizations with their application security testing needs No security testing in place • Seeker is perfect as a starting tool for automated security testing • Security expertise not needed Ad-hoc security testing Start using Seeker during functional testing to find vulnerabilities early and cut down on pen-testing resources/cost Ready to integrate security in CI/CD Integrate Seeker in CI/CD pipeline and automatically fail the build if critical security vulnerabilities are detected Regardless of their maturity in application security risk management process
  • 27. © 2019 Synopsys, Inc.27 Q & A
  • 28. Thank You Follow us on twitter : @zubaira, @kimm_yeo