Application Security Testing as a Foundation for Secure DevOps



Similar documents
Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

A Strategic Approach to Web Application Security

WhiteHat Security White Paper. Evaluating the Total Cost of Ownership for Protecting Web Applications

HP Fortify Software Security Center

Application Security Center overview

Development Testing for Agile Environments

Continuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HP Fortify application security

Improving Network Security Change Management Using RedSeal

Leveraging Network and Vulnerability metrics Using RedSeal

Big Data Services From Hitachi Data Systems

Secure Development Lifecycle. Eoin Keary & Jim Manico

ESKISP Manage security testing

how can I deliver better services to my customers and grow revenue?

Whitepaper: How to Add Security Requirements into Different Development Processes. Copyright 2013 SD Elements. All rights reserved.

Increasing Business Efficiency and Agility for ATGbased. Systems. the business challenge: upgrading the development pipeline

Security Patch Management

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

HP Application Security Center

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Continuous Network Monitoring

Organizational Intelligence, Scalability, and Agility

Optimizing Network Vulnerability

Total Protection for Compliance: Unified IT Policy Auditing

Addressing Security for Hybrid Cloud

Requirements Management im Kontext von DevOps

Enterprise Cloud Management: Drive business value by balancing speed, cost and risk

Cisco Virtual Desktop Infrastructure Strategy Service

A Hyperion System Overview. Hyperion System 9

Centralized Secure Vault with Serena Dimensions CM

Orchestrated. Release Management. Gain insight and control, eliminate ineffective handoffs, and automate application deployments

Talent & Organization. Change Management. Driving successful change and creating a more agile organization

AGILE SOFTWARE TESTING

Agile Development for Application Security Managers

The Value of Vulnerability Management*

IBM Rational AppScan: Application security and risk management

Web Application Security Roadmap

DevOps for CA Plex Automated Testing

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

IBM Innovate AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance

FIVE PRACTICAL STEPS

Data Governance Implementation

Managed Hosting: Best Practices to Support Education Strategy in the Career College Sector

Application Security Manager ASM. David Perodin F5 Engineer

Coverity Services. World-class professional services, technical support and training from the Coverity development testing experts

Realizing business flexibility through integrated SOA policy management.

Cyber ROI. A practical approach to quantifying the financial benefits of cybersecurity

WhiteHat Security White Paper Things That Undermine A Web Application Security Program

Redefining Agile to Realize Continuous Business Value

The Prevalence of Flash Vulnerabilities on the Web

FUJITSU Transformational Application Managed Services

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Data Governance Implementation

Achieving Business Agility Through An Agile Data Center

Global Delivery Excellence Best Practices for Improving Software Process and Tools Adoption. Sunil Shah Technical Lead IBM Rational

White Paper The Dynamic Nature of Virtualization Security

How To Achieve Continuous Delivery

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Five Reasons why Agile Won t Scale Without Automation

Why you need an Automated Asset Management Solution

Fortify Training Services. Securing Your Entire Software Portfolio FRAMEWORK*SSA

IBM SECURITY QRADAR INCIDENT FORENSICS

Realize That Big Security Data Is Not Big Security Nor Big Intelligence

Securing the Cloud infrastructure with IBM Dynamic Cloud Security

Altiris Asset Management Suite 7.1 from Symantec

Symantec Control Compliance Suite. Overview

Intel Security Software / Product Security Practices

SOLUTION WHITE PAPER. Align Change and Incident Management with Business Priorities

Key Benefits of Microsoft Visual Studio Team System

Crossing the DevOps Chasm

Managing the Shadow Cloud

Business Process Management In An Application Development Environment

Simplify Your Windows Server Migration

Leveraging a Maturity Model to Achieve Proactive Compliance

Organization Transformation for Network Function Virtualization Infrastructure As A Service (NFVIaaS)

Test Management Tools

FireScope + ServiceNow: CMDB Integration Use Cases

Security Services. A Solution for Providing BPM of Security Services within the Enterprise Environment.

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

Coverity White Paper. Effective Management of Static Analysis Vulnerabilities and Defects

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

Transcription:

Application Security Testing as a Foundation for Secure DevOps White Paper - April 2016

Introduction Organizations realize that addressing the risk of attacks on their Website applications is critical. Given the growing number of Website applications that businesses now must manage in a highly competitive environment, organizations are quickly trying to evaluate how to deploy software faster to meet or exceed company goals. It is imperative for Information Security teams to realize that aligning to a rapidly changing business is now part of their requirement to be competitive and successful in today s digital world. Because web application security programs are rapidly transitioning from focusing on a few key critical applications to identifying all applications across an enterprise, both the number of applications and the number of discovered vulnerabilities have grown exponentially. But the number of security professionals to manage this growth and the number of development resources required to fix vulnerabilities have largely remained the same. This discrepancy leads to longer time-to-resolution of open vulnerabilities, and increased risk for the business. Additional complexities with application security arise when organizations move towards Agile environments automating as much functionality as possible. Because automation and/or Agile efforts are top of mind for most engineers and information security practitioners, organizations are attempting to identify ways to integrate application security within their DevOps model. To improve the protection of applications from vulnerabilities and potential attacks, the DevOps efforts must be extended to include information security to become DevSecOps. Despite making major investments to address application security vulnerabilities, many organizations find themselves still unable to defend their Web application infrastructure. Instead of focusing on just a few applications, attacks now target all Internet facing applications. Information security teams find themselves facing more vulnerabilities than they can feasibly manage and fix. Sadly, while businesses move to support Agile functionality and the more rapid release of projects, traditional security processes may not be incorporated or simply overlooked altogether. WhiteHat Security has developed the WhiteHat Sentinel platform to assist CISOs and engineering teams in automating their application security efforts while embedding application security into the DevSecOps model. The WhiteHat Sentinel platform allows organizations to incorporate application security throughout the software development lifecycle (SDLC) with complete transparency to engineering, information security, and operations teams. 2

The Application Security Challenge The graphic below provides a summary of the application security challenge all organizations face. DevSecOps Overview Figure 1. Source: WhiteHat Security Statistics Report 2016 (preliminary) DevSecOps origins are embedded as part of the core foundation of an Agile environment, which includes the following phases. Figure 2. 3

Application security must be incorporated into all supporting business processes and a dedicated security team must establish alignment with the business, automating the discovery of vulnerabilities, and providing 24x7x365 automatic application security testing. Application security components emerge in a number of areas to support automation through the process of DevSecOps. This approach is best visualized in the following diagram. Figure 3. Static Application Security Testing (SAST) and Source Code Analysis (SCA) functions are embedded as part of the Development and QA environments, while Dynamic Application Security Testing (DAST) functions are enabled to monitor production environments. Application Security Training is a core component to a successful foundation for DevSecOps. By adopting DevSecOps as an organizational goal, application security engineers are able to align with the DevSecOps vision, which increases the value of the application security engineer who realizes his/her efforts are embedded as part of the entire organization s platform and infrastructure. The additional value of adopting DevSecOps is that these functions are able to monitor, attack, simulate, and identify application security vulnerabilities throughout the continuous integration and continuous deployment environments. Another benefit of taking this approach is that your organization will be able to identify application security vulnerabilities before cyber criminals or cyber gangs discover issues with Internet-facing applications and supporting systems. 4

Agile Operational Efficiencies Automation of the DevSecOps solution has demonstrated that there are operational efficiencies that can be immediately recognized in engineering and application security environments. Organizations and teams that embrace DevSecOps are set up for recognizing business goals faster than traditional alternatives. Consider the following scenario for a Fortune 500 organization that evaluated these two options. The Risks of Not Moving to DevSecOps As more organizations embrace an Agile framework to realize faster deployments, the ability to incorporate DevSecOps will yield faster time-to-market while identifying risks within applications at a faster pace. The business impact of not integrating DevSecOps is best demonstrated in the following scenario. Before DevSecOps Approach is Implemented Figure 4. In organizations that have not embraced DevSecOps, software is released and scanned for vulnerabilities through a longer release cycle. Time to discover and resolve application security vulnerabilities may take longer than in an environment where there is constant iteration with smaller code releases. The risk with this approach is that cyber criminals and/or criminal gangs will leverage the potential vulnerabilities more frequently. 5

After DevSecOps Approach is Implemented Figure 5. For organizations that have embraced DevSecOps, software is released and scanned for vulnerabilities through a much shorter release cycle. Time to discover and resolve Application security vulnerabilities will be reduced because of the shorter sprints in the development process, coupled with the 24x7x365 application scanning and monitoring functions. This approach is critical in identifying and remediating application security vulnerabilities earlier in the process, which reduces the window of exposure if code is released to production. Recommendations DevSecOps is a cultural shift within the organization. Executive management should be involved in driving this change, and be provided the key metrics of how the business is operating with this new framework. DevSecOps is about collaboration. An effective enterprise information security program will require close cooperation among all business units, which will enable a successful DevSecOps program. Adopt an application security solution that can be leveraged as the foundational platform for a successful DevSecOps program. This means finding a platform that will integrate with existing development and QA tools and solutions through an open API. By embedding application security into the devops framework DevSecOps organizations will be able to deploy secure solutions much faster. Quantifying risks can help align security, operational and funding decisions across multiple teams and stakeholders by providing a common language for determining and discussing risk. Those discussions lead to alignment and mutually agreed-upon decisions, which serve as the foundation for a security program that successfully meets the needs of the business. 6

About WhiteHat Security WhiteHat Security has been in the business of securing web applications for 15 years. Combining advanced technology with the expertise of its global Threat Research Center (TRC) team, WhiteHat delivers application security solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and web sites. The company s flagship product, WhiteHat Sentinel, is a software-as-a-service platform providing dynamic application security testing (DAST), static application security testing (SAST), and mobile application security assessments. The company is headquartered in Santa Clara, Calif., with regional offices across the U.S. and Europe. For more information on WhiteHat Security, please visit www.whitehatsec.com. WHITEHAT SECURITY, INC. 3970 Freedom Circle Santa Clara, CA 95054 1.408.343.8300 www.whitehatsec.com 2016 WhiteHat Security, Inc. All rights reserved. WhiteHat Security and the WhiteHat Security logo are registered trademarks of WhiteHat Security, Inc. All other trademarks are the property of their respective owners. 041316

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information