Más contenido relacionado La actualidad más candente (20) Similar a Bridging the Security Testing Gap in Your CI/CD Pipeline (20) Bridging the Security Testing Gap in Your CI/CD Pipeline1. © 2019 Synopsys, Inc.1
Bridging the security testing gap in CI/CD
pipeline
Kimm Yeo and Asma Zubair
SIG Product Marketing and Management
2. © 2019 Synopsys, Inc.2
Agenda
Market trends and challenges
App security gap in CI/CD and IAST
Introducing Seeker IAST
Seeker demonstration
Q & A
3. © 2019 Synopsys, Inc.3
The pace of digital transformation today
Source: Accenture 2019 executive technology vision study
94%enterprises have accelerated or
significantly accelerated pace of innovations1
Sources:
1. Accenture 2019 report (link)
2. 451 DevSecOps research report2
4. © 2019 Synopsys, Inc.4
What’s next?
Accenture 2019 executive vision: One of the top five trends for next three years
Increased risks and complexity
Enterprises are not just potential
victims, but others’ vectors
Importance of cybersecurity
One of top 5 trends for next 3years
source: Accenture 2019 Technology Vision survey with over 6k business and IT execs
Source:
Accenture 2019 tech vision report (link)
5. © 2019 Synopsys, Inc.5
The pace of digital transformation today
Increased risks and complexity
Enterprises are not just potential
victims, but others’ vectors
Source: Accenture 2019 Technology Vision survey
with over 6k business and IT execs
With digital transformation becoming an even playing field, new challenges arised
6. © 2019 Synopsys, Inc.6
Current state of cybersecurity
State of software security
in financial services 2
62%
Do not have necessary
cybersecurity skills2
Only 23%
Perform security
assessment of third party
directly 2
74%
Concern with software and
systems supplied by third
party2
76%
Difficulty with vulnerability
detection in software
systems before release2
11B
records breached 1
(and still counting...)
Sources:
1. Privacy rights data breaches (link)
2. Ponemon state of security in financial services industry report2
7. © 2019 Synopsys, Inc.7
Third
party
penetration
testing
Fuzz
testing
Softw
are
com
position
analysisD
ynam
ic
analysis
Static
analysis
57%
31%
61% 59%
51%
Source: 451 DevSecOps Research
Application security tools in CI/CD workflows
Question: What are the critical app sec testing tools to add to CI/CD workflows?
Examining DevSecOps Realities & Opportunities (link)
8. © 2019 Synopsys, Inc.8
Application security gap in SDLC
Code
development
Code commit Build Test Deploy
Production
Release
SCA, SAST,
(Deeper level)
Lightweight IDE
SAST tools
Monitoring
Pen testing
Red Teaming
TM, SAST
Manual code
review
DAST
Fuzz testing
Pen testing
Load/Performance test
Hardening checks
How do you take siloed, disparate development, operations and
security processes and transform to an integrated tool chain?
9. © 2019 Synopsys, Inc.9
35%
36%
46%
48%
56%
61%
Compliance
Developer resistance
False positives
Security testing slows things down
Inconsistent approach
Lack of automated, integrated security testing tools
Source: 451 DevSecOps Research, 2018
Security testing challenges in CI/CD workflows
What are the most significant app security testing challenges inherent in CI/CD workflows?
Examining DevSecOps Realities & Opportunities (link)
10. © 2019 Synopsys, Inc.10
The challenges of building security into modern
application development and delivery
How do we integrate and
automate dynamic security
testing into our CI/CD?
How do we minimize
the effort for developers
to find and fix
vulnerabilities?
Sec
How do we maximize
application security
AND
development velocity?
How do we identify
and prioritize the most
severe vulnerabilities?
12. © 2019 Synopsys, Inc.12
Continuous security testing with IAST
Code
development
Code commit Build Test Deploy
Production
Release
Functional
Non- FunctionalSCA, SAST,
(Deeper level)
IAST
(Continuous run-time
text)
Lightweight IDE
SAST tools
DAST
Fuzz testing
Pen testing
Load/Performance test
Hardening checks
Monitoring
Pen testing
Red Teaming
IAST
(Continuous runtime
security test)
TM, SAST
Manual code
review
13. © 2019 Synopsys, Inc.13
IAST runtime testing & analysis
• Analysis of code execution using runtime monitors
• Visibility into executed code and runtime data,
such as:
• HTTP Requests – End to End
• Parameter Propagation
• HTTP Response Writing
• Database Calls
• Database Responses
• File System Calls (& Content)
• String Manipulations
• Memory (Like Debugger “Watch”)
• Usage of 3rd Party Libraries
• Web Services Calls
• On-the-fly Code Generation
• More…
…
14. © 2019 Synopsys, Inc.14
Comparison of SAST, IAST, and DAST
SAST IAST DAST
Typically used in Development Integration and QA QA or production
Usually requires Source code Functional app and test
suite
Functional app
Integrates in CI/CD Yes Yes No, not really
Capabilities • Finds vulnerabilities
earliest in the SDLC
• Gives fast line of code
insights
• Finds vulnerabilities
during functional test
(no scans required)
• Gives runtime and line
of code insights in real
time
• Finds vulnerabilities
w/o source code or
test suite
• Requires expertise
and time to triage and
prioritize findings
16. © 2019 Synopsys, Inc.16
Seeker
Seeker is our interactive application security testing tool
– Performs run time security testing
Seeker performs security testing on:
– Web apps
– Web APIs, or services
– Mobile application back-end (where a mobile app’s critical functionality
resides)
– Detects vulnerabilities in custom code as well as 3rd party code
Applications can be:
– on-premises, in the cloud, containerized
Seeker detects
– Injection flaws
– Security misconfigurations
– Sensitive data leakage
– and many more types of vulnerabilities
17. © 2019 Synopsys, Inc.17
Seeker - Automated security testing made easy
• Automatically verifies
vulnerabilities
• Creates specific Jira
tickets for developers
• Instant notification to
developers via slack or
email
Automated
Verification
Easy for Development
• ANY functional test
becomes a security test
• Continuous security testing
with results in real time
Automated
Testing
Easy for QA
• Deploy and run
via CI/CD
• Compatible with existing
automation tools
• On-premises and cloud-
based apps
Automated
Deployment
Easy for DevOps
18. © 2019 Synopsys, Inc.18
http://...
How Seeker works
Your
Application
Seeker Enterprise
Server
vulnerabilities
2
3
1 Application receives
HTTP request.
Agent analyzes code and
memory, focusing on
security-related activities
like encryption, SQL, file
access, LDAP, XPath, etc.
Results are actively
verified and reported
along with vulnerable lines
of code, runtime data, and
verification proof.
2
3
1
Seeker
Agent
19. © 2019 Synopsys, Inc.19
Seeker integrates seamlessly into the DevOps toolchain
Connect directly to Jira and your CI/CD tools with APIs and integrations
testcode operatebuild deploy
Developer
commits
the code
Functional
testing done
Build pass/fail
decision
(based on testing status)
App and Seeker
are deployed in
test environment
The build
is made
Vulnerabilities
pushed in
20. © 2019 Synopsys, Inc.20
Active verification provides accurate and real time results
Patented active verification engine minimizes false positives
• Automatically re-tests detected
vulnerabilities to verify that they
are real and can be exploited
• Quickly processes hundreds of
thousands of HTTP(S) requests
• Provides risk-prioritized list of verified
vulnerabilities to fix immediately
21. © 2019 Synopsys, Inc.21
Configurable sensitive data tracking
• Define parameters and patterns to identify
sensitive data in your application
• Track exposure and leakage through URLs,
logs, UI, DB, etc.
• Verify compliance with standards including
PCI, HIPAA, and GDPR
Verify security and data protection compliance by tracking leakage of any type of sensitive data
22. © 2019 Synopsys, Inc.22
Integrated eLearning
• Seeker is now integrated with Synopsys eLearning.
– Requires eLearning account/contract
• Contextual online training helps developers
understand and remediate vulnerabilities.
23. © 2019 Synopsys, Inc.23
Insight into third party, open source use and risks
• Get visibility into supply chain risks
• Comprehensive bill of materials
• Vulnerable components
• Risk-ranked vulnerabilities
• Open source licenses
Integrated Binary Software Composition Analysis identifies vulnerable components used in code
25. © 2019 Synopsys, Inc.25
Why Seeker ?
Designed for seamless integration
• Easy to automate or integrate into CI/CD pipeline
• Easy to deploy and configure
• Optimized for security, development and DevOps teams
Privacy and compliance
• Only AST tools with complete sensitive data tracking
• Provide results in compliance with OWASP Top 10, PCI DSS, GDPR, CAPEC
• Integrated Binary Software Composition Analysis for OSS dependencies
Developer empowerment
• Accurate findings with real-time verification to help prioritize remediation
• Integrated eLearning gives developers contextual learning on the job
• Instant alert (slack, email, webhooks) and remediation advice
Designed for scale
• Support large-scale, modern app deployments
• Framework agnostic with broad language coverage
• Comprehensive checkers
26. © 2019 Synopsys, Inc.26
Seeker helps organizations with their application security testing needs
No security testing
in place
• Seeker is perfect
as a starting tool for
automated security testing
• Security expertise
not needed
Ad-hoc security testing
Start using Seeker
during functional testing
to find vulnerabilities
early and cut down
on pen-testing
resources/cost
Ready to integrate
security in CI/CD
Integrate Seeker in
CI/CD pipeline and
automatically fail the
build if critical security
vulnerabilities are
detected
Regardless of their maturity in application security risk management process