Abstract image of a woman sitting on books and studying on a laptop

Security Automation: Easy or Cheese

Download as PPTX, PDF
K
Karen Florykian

The document outlines security automation practices including application security testing, vulnerability scanning, and automation techniques to enhance code integrity and visibility. It discusses the prevalence of false positives in security findings and the need for effective analysis methods, as well as tools and resources for static and dynamic application security testing. Additionally, it emphasizes integrating these practices into existing CI pipelines and offers links to relevant tools and documentation.

Engineering
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
1 Skype: florykian.karen EPAM Kharkiv Security Automation Easy or cheese by Karen Florykian Lead Performance Analyst
2 Application Security Testing Security assessment for routers, firewall, load balancers, switches, find network misconfiguration Infrastructure Scanning OS vulnerabilities, known vulnerabilities in images, evaluate the image against policies to check for security compliance. Container Scanning Dynamic application security testing Find security vulnerabilities in a running application, typically web apps. DAST Static Application Security Testing Catch security issues on early stages of code development, allows developers to find bugs in code SAST Many types of security vulnerabilities are difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. Functional Security Automation
3 Security Automation 03 01 04 02 Speed Integrity Availability Visibility
4 Real Life 68 % False positive analysis 25 % 29 % 39 % 7 %
5 Real Life 85 % of findings are not real issues 25 % 29 % 39 % 7 %
6 Vision
7 Proof Of Concept • Integrated in existing CI pipeline or configured to be ran on self- service basis • Traffic created using existing tests • False Positives analysis can be partially automated using DefectDojo or ReportPortal capabilities
8 Project Pipeline
9 Under The SAST Hood
10 Grouping Jira service ReportPortal Jira Service Junit XML
11 Spidergetti Or Rainboweb Jira service ReportPortal Jira Service Junit XML
12 Canonical Data Model Jira service ReportPortal Jira Service Junit XML CDM
13 Auto-Analysis • Validate capabilities • Identify parameters to reduce duplicates • Create service with equals strategy • Contact to ReportPortal team to create custom analyzer service with equals strategy
14 Issue #1
15 Issue #2
16 We All Are Lazy VS OPEN FOR WEEKS BECAUSE IT IS NOT ACTIONABLE FIXED WITHIN THE WEEK IT APPEARED IN BACKLOG
17 Carrier carrier-io/sast: Tools for SAST Demo
18 Useful Links • SAST: https://github.com/carrier-io/sast • Docker Hub: https://hub.docker.com/r/getcarrier/sast • DAST: https://github.com/carrier-io/dast • Docker Hub: https://hub.docker.com/r/getcarrier/dast • DASTY : https://github.com/carrier-io/dusty Library to execute various security tools and convert output to common unified format • Carrier: https://hub.docker.com/u/getcarrier • ReportPortal Auto-Analysis equals service: https://github.com/reportportal/service-analyzer-equals
19 Thank You!Florykian Karen Lead Performance Analyst

More Related Content

PPTX
Cybersecurity overview - Open source compliance seminar
Rogue Wave Software
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
PPTX
OTG - Practical Hands on VAPT
shiriskumar
 
PDF
Is av dead or just missing in action - avar2016
rajeshnikam
 
PPTX
Primer: The top ten automotive cybersecurity vulnerabilities of 2015
Rogue Wave Software
 
PDF
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
PDF
we45 - Web Application Security Testing Case Study
we45
 
PDF
Web Application Security Testing Tools
Eric Lai
 
Cybersecurity overview - Open source compliance seminar
Rogue Wave Software
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
OTG - Practical Hands on VAPT
shiriskumar
 
Is av dead or just missing in action - avar2016
rajeshnikam
 
Primer: The top ten automotive cybersecurity vulnerabilities of 2015
Rogue Wave Software
 
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
we45 - Web Application Security Testing Case Study
we45
 
Web Application Security Testing Tools
Eric Lai
 

What's hot (19)

PPTX
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
PPTX
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
PPS
Security testing
Tabăra de Testare
 
PDF
Sast 2021
Felix Dobslaw
 
PPTX
Security Testing
Qualitest
 
PPTX
Security testing fundamentals
Cygnet Infotech
 
PDF
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
PDF
Testing Web Application Security
Ted Husted
 
PPTX
Inside forti os-v524-r5
Lan & Wan Solutions
 
PPT
Zap attack proxy
Artem Vasilenko
 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
PDF
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
PPTX
BUSTED! How to Find Security Bugs Fast!
Parasoft
 
PDF
Innovating Faster with Continuous Application Security
Jeff Williams
 
PPSX
CTAP
Lan & Wan Solutions
 
PDF
Security-testing presentation
Ezhilan Elangovan (Eril)
 
PPTX
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
PPT
Get Ready for Web Application Security Testing
Alan Kan
 
PDF
Echelon_Sibcon-2016
Alexander Barabanov
 
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
Security testing
Tabăra de Testare
 
Sast 2021
Felix Dobslaw
 
Security Testing
Qualitest
 
Security testing fundamentals
Cygnet Infotech
 
Introduction to Application Security Testing
Mohamed Ridha CHEBBI, CISSP
 
Testing Web Application Security
Ted Husted
 
Inside forti os-v524-r5
Lan & Wan Solutions
 
Zap attack proxy
Artem Vasilenko
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
BUSTED! How to Find Security Bugs Fast!
Parasoft
 
Innovating Faster with Continuous Application Security
Jeff Williams
 
CTAP
Lan & Wan Solutions
 
Security-testing presentation
Ezhilan Elangovan (Eril)
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Get Ready for Web Application Security Testing
Alan Kan
 
Echelon_Sibcon-2016
Alexander Barabanov
 
Ad

Similar to Security Automation: Easy or Cheese (20)

PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PPTX
Is Antivirus (AV) Dead or Just Missing in Action
Quick Heal Technologies Ltd.
 
PDF
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
Melissa Kaulfuss
 
PPTX
Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape (Id...
David Brossard
 
PPTX
Web applications security conference slides
Bassam Al-Khatib
 
PDF
CODE INSPECTION VIMRO 2015 MHF
FitCEO, Inc. (FCI)
 
PDF
NSA and PT
Rahmat Suhatman
 
PPT
Code Quality - Security
sedukull
 
PPTX
Security by the numbers
Eoin Keary
 
PPT
IBM AppScan - the total software security solution
hearme limited company
 
PDF
Is Your Business Safe from Cyber Threats? VAPT Can Help!
ESDS Software Solution Limited
 
PDF
Cyber security series Application Security
Jim Kaplan CIA CFE
 
PPTX
Security Testing.pptx
osandadeshan
 
PDF
Using Analyzers to Resolve Security Problems
kiansahafi
 
PPTX
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
PDF
Penetration Testing Services_ Comprehensive Guide 2024.pdf
qualysectechnology98
 
PPTX
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Inman News
 
PDF
Quantstamp Report - LINKSWAP
Roy Blackstone
 
PPTX
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
DOCX
Demand for Penetration Testing Services.docx
Aardwolf Security
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
Is Antivirus (AV) Dead or Just Missing in Action
Quick Heal Technologies Ltd.
 
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
Melissa Kaulfuss
 
Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape (Id...
David Brossard
 
Web applications security conference slides
Bassam Al-Khatib
 
CODE INSPECTION VIMRO 2015 MHF
FitCEO, Inc. (FCI)
 
NSA and PT
Rahmat Suhatman
 
Code Quality - Security
sedukull
 
Security by the numbers
Eoin Keary
 
IBM AppScan - the total software security solution
hearme limited company
 
Is Your Business Safe from Cyber Threats? VAPT Can Help!
ESDS Software Solution Limited
 
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Security Testing.pptx
osandadeshan
 
Using Analyzers to Resolve Security Problems
kiansahafi
 
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
Penetration Testing Services_ Comprehensive Guide 2024.pdf
qualysectechnology98
 
Evaluating Web App, Mobile App, and API Security - Matt Cohen
Inman News
 
Quantstamp Report - LINKSWAP
Roy Blackstone
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
Demand for Penetration Testing Services.docx
Aardwolf Security
 
Ad

Recently uploaded (20)

PDF
UEFA_Carbon_Footprint_Calculator_Methology_2.0.pdf
tuchinad02
 
PDF
August -2025_Top10 Read_Articles_ijait.pdf
ijait
 
PPTX
Information Storage and Retrieval Techniques Unit III
jeyamohan2519
 
PDF
Applications of Equal_Area_Criterion.pdf
Puja Gurav
 
PPTX
Chapter 2 -Technology and Enginerring Materials + Composites.pptx
garciajeremiah070
 
PDF
Design of Material Handling Equipment Lecture Note
Barsena
 
PPTX
wireless networks, mobile computing.pptx
DayaFlorance
 
PDF
distributed database system" (DDBS) is often used to refer to both the distri...
Hemlathadhevi Annadhurai
 
PPTX
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
joanaabban6
 
PPTX
Software Engineering and software moduleing
deepikame6
 
PDF
August 2025 - Top 10 Read Articles in Network Security & Its Applications
IJNSA Journal
 
PDF
Prof. Dr. KAYIHURA A. SILAS MUNYANEZA, PhD..pdf
Rutherford University of Science and Technology, Rwanda
 
PPTX
Module 8- Technological and Communication Skills.pptx
Ramya Nellutla
 
PDF
UEFA_Embodied_Carbon_Emissions_Football_Infrastructure.pdf
tuchinad02
 
PPTX
A Brief Introduction to IoT- Smart Objects: The "Things" in IoT
KeerthanaSahadevan1
 
PPTX
Feature types and data preprocessing steps
deepalishinkar1
 
PDF
MLpara ingenieira CIVIL, meca Y AMBIENTAL
MarceloArielTisera
 
PPTX
ai_satellite_crop_management_20250815030350.pptx
kathiravanh1919
 
PDF
Exploratory_Data_Analysis_Fundamentals.pdf
Ashutosh Satapathy
 
PPTX
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
laxmikantvjawale
 
UEFA_Carbon_Footprint_Calculator_Methology_2.0.pdf
tuchinad02
 
August -2025_Top10 Read_Articles_ijait.pdf
ijait
 
Information Storage and Retrieval Techniques Unit III
jeyamohan2519
 
Applications of Equal_Area_Criterion.pdf
Puja Gurav
 
Chapter 2 -Technology and Enginerring Materials + Composites.pptx
garciajeremiah070
 
Design of Material Handling Equipment Lecture Note
Barsena
 
wireless networks, mobile computing.pptx
DayaFlorance
 
distributed database system" (DDBS) is often used to refer to both the distri...
Hemlathadhevi Annadhurai
 
AUTOMOTIVE ENGINE MANAGEMENT (MECHATRONICS).pptx
joanaabban6
 
Software Engineering and software moduleing
deepikame6
 
August 2025 - Top 10 Read Articles in Network Security & Its Applications
IJNSA Journal
 
Prof. Dr. KAYIHURA A. SILAS MUNYANEZA, PhD..pdf
Rutherford University of Science and Technology, Rwanda
 
Module 8- Technological and Communication Skills.pptx
Ramya Nellutla
 
UEFA_Embodied_Carbon_Emissions_Football_Infrastructure.pdf
tuchinad02
 
A Brief Introduction to IoT- Smart Objects: The "Things" in IoT
KeerthanaSahadevan1
 
Feature types and data preprocessing steps
deepalishinkar1
 
MLpara ingenieira CIVIL, meca Y AMBIENTAL
MarceloArielTisera
 
ai_satellite_crop_management_20250815030350.pptx
kathiravanh1919
 
Exploratory_Data_Analysis_Fundamentals.pdf
Ashutosh Satapathy
 
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
laxmikantvjawale
 

Security Automation: Easy or Cheese