Dynamically Controllable Dynamic Scanning

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Dynamically controllable dynamic scanning

Speakers:
  Jonathan Griggs, WebInspect Product Manager
  Brandon Spruth, Sr. Security Analyst, Morningstar
  Brooks Garrett, Manager Operations and Architecture, Fortify on Demand
  Jeremy Brooks, WebInspect Engineering

@j_griggs3 #HPProtect

Transcript of Dynamically Controllable Dynamic Scanning

  • Slide 1: Dynamically controllable dynamic scanning (title slide; speakers as listed above)

  • Slide 2: Forward-looking statements

    This is a rolling (up to three year) roadmap and is subject to change without notice.

    This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett-Packard's predictions and/or expectations as of the date of this document, and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.

  • Slide 3: HP confidential information

    This is a rolling (up to three year) roadmap and is subject to change without notice.

    This roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the roadmap to any third party unless it becomes publicly known, is rightfully received by you from a third party without duty of confidentiality, or is disclosed with HP's prior written approval.

  • Slide 4: Agenda

    Introduction to the WebInspect API (Jeremy Brooks): setup and configuration; current capabilities; current use cases

    Dynamic scalability (Brooks Garrett, Jonathan Griggs): problem statement; our solution; creating the gold image; the control server; demonstration

    Integration with the SDLC (Brandon Spruth, Jeremy Brooks): mission statement; problems; solution; demonstration

  • Slide 5: Introduction to the WebInspect API (Jeremy Brooks, WebInspect Engineering)

  • Slide 6: Problem statement

    Customers want a way to remotely control the WebInspect scanner, for:

      • Build integration
      • Automation
      • 3rd-party integrations

  • Slide 7: WebInspect REST API

    Remote control of WebInspect through an easy-to-use RESTful interface: automate control of WI via HTTP.

      • Control a scan: start a new scan, stop a scan in progress, and export to a scan file or FPR format (13 endpoints to control a scan)
      • Control the WI proxy: start the proxy, shut down the proxy, export the proxy results (11 endpoints to control the proxy)

  • Slide 8: WebInspect REST API

    Remote control of WebInspect:

      • POST /webinspect/scanner/scan: creates a new scan; additional parameters can be passed for additional configuration
      • GET /webinspect/scanner/scan: retrieves a list of all scans, including scan name, status and date
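The two endpoints named on slides 7 and 8 are enough to drive the scan lifecycle the deck describes (start a scan, then watch its status until it finishes). The client below is an added example written for this transcript; it is not HP's code and not the WebInspect SDK. Only the path `/webinspect/scanner/scan` and the fact that the listing carries name, status and date come from the slides. Everything else is an assumption and is marked as such in the code: the scanner's base URL, the `settingsName` body field, a bearer token in the `Authorization` header, the JSON key names `Name`, `Status` and `Date`, and the status words treated as terminal. The sample listing is constructed so the helpers can be exercised offline; only `fetch_scan_list` talks to a real scanner.

```python
"""Minimal client for POST/GET /webinspect/scanner/scan (added example, not HP code)."""
import json
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, List

SCAN_PATH = "/webinspect/scanner/scan"  # path taken from the slides


@dataclass(frozen=True)
class ScanSummary:
    name: str
    status: str
    date: str


def build_start_scan_request(base_url: str, settings_name: str,
                             api_token: str = None) -> urllib.request.Request:
    """Build the POST that creates a scan. A scanner control channel can start
    scans against arbitrary targets, so plaintext HTTP is refused outright.
    ASSUMPTIONS: the 'settingsName' body field and the bearer-token header."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("scanner control traffic must use https")
    body = json.dumps({"settingsName": settings_name}).encode("utf-8")
    req = urllib.request.Request(base_url.rstrip("/") + SCAN_PATH,
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    if api_token:
        req.add_header("Authorization", "Bearer " + api_token)
    return req


def fetch_scan_list(base_url: str, api_token: str = None, timeout_s: int = 30) -> str:
    """GET the scan list from a live scanner and return the raw body (not run offline)."""
    req = urllib.request.Request(base_url.rstrip("/") + SCAN_PATH, method="GET")
    if api_token:
        req.add_header("Authorization", "Bearer " + api_token)
    with urllib.request.urlopen(req, timeout=timeout_s) as resp:
        return resp.read().decode("utf-8")


def parse_scan_list(json_text: str) -> List[ScanSummary]:
    """Parse the GET body into ScanSummary objects. The slide says each entry
    carries scan name, status and date; the key names used here are ASSUMED."""
    data = json.loads(json_text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of scans")
    return [ScanSummary(str(item.get("Name", "")), str(item.get("Status", "")),
                        str(item.get("Date", ""))) for item in data]


def scans_by_status(scans: List[ScanSummary], status: str) -> List[ScanSummary]:
    """Case-insensitive filter, e.g. everything still 'Running' before a teardown."""
    return [s for s in scans if s.status.lower() == status.lower()]


def wait_for_scan(fetch_list: Callable[[], str], scan_name: str,
                  terminal=("complete", "failed", "aborted"),
                  max_polls: int = 120, poll_s: float = 30.0,
                  sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll the scan list until scan_name reaches a terminal status and return it.
    fetch_list and sleep are injected so the loop can be tested without a scanner.
    The terminal status words are an ASSUMPTION; a bounded poll count keeps a
    build job from hanging forever on a scan that never finishes."""
    for attempt in range(max_polls):
        for s in parse_scan_list(fetch_list()):
            if s.name == scan_name and s.status.lower() in terminal:
                return s.status
        if attempt < max_polls - 1:
            sleep(poll_s)
    raise TimeoutError(f"scan {scan_name!r} did not finish after {max_polls} polls")


# Constructed sample listing (not captured from a real scanner).
SAMPLE_LIST = json.dumps([
    {"Name": "payments-api nightly", "Status": "Complete", "Date": "2014-09-08T02:15:00"},
    {"Name": "storefront", "Status": "Running", "Date": "2014-09-09T11:40:00"},
    {"Name": "intranet-portal", "Status": "Failed", "Date": "2014-09-09T08:05:00"},
])

if __name__ == "__main__":
    for s in scans_by_status(parse_scan_list(SAMPLE_LIST), "running"):
        print("still running:", s.name, s.date)
    req = build_start_scan_request("https://webinspect.example.internal",
                                   "Default", api_token="TOKEN-PLACEHOLDER")
    print(req.get_method(), req.full_url)
```

In a build pipeline the `fetch_list` argument would be `lambda: fetch_scan_list(base_url, token)`; keeping the HTTP call outside the polling loop is what lets the same loop be unit-tested with canned responses.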

  • Slide 9: Next release: what's next?

  • Slide 10: WebInspect BURP plugin

    This is a rolling (up to 3 year) roadmap and is subject to change without notice. All product views are illustrations and might not represent actual product screens.

  • Slide 11: WebInspect BURP plugin

    This is a rolling (up to 3 year) roadmap and is subject to change without notice. All product views are illustrations and might not represent actual product screens.

  • Slide 12: Dynamic scalability (Jonathan Griggs, WebInspect Product Manager; Brooks Garrett, Manager Operations and Architecture, Fortify on Demand)

  • Slide 13: Problem statement

      • Machines cost money: physical hardware, virtual machines, cloud hosting
      • Time costs money: electricity, management, updates
      • Idle resources are wasted resources, but demand is not consistent

  • Slide 14: Vertical scalability via remote scanning engines

      • Scales horizontally by adding more FTEs
      • Scales vertically by automating scan configurations

  • Slide 15: Our solution

    Users interact with a command and control portal, which drives HP WebInspect:

      • Select WebInspect scan settings
      • Let the cloud handle the rest
      • Machines created and deleted as necessary

  • Slide 16: Challenges

    Sounds easy enough:

      • Generating and storing login macros
      • Automating LIM server connection
      • Building the VM gold image
      • Automating SmartUpdate
      • Building the user portal to control scan machines
      • Exporting and storing scan data and reports

  • Slide 17: Demonstration

  • Slide 18: Integration with the SDLC (Brandon Spruth, Sr. Security Analyst, Morningstar; Jeremy Brooks, WebInspect Engineering)

  • Slide 19: Agenda

      • Mission with a problem
      • Where to start?
      • Tipping the scales in our direction
      • Making it work for you!
      • Demos

  • Slide 20: Your mission, should you choose to accept it

    Develop an application security automation program to assist software development teams with iterative application security testing.

  • Slides 21 and 22: Houston, we have a problem!

      • Hundreds to thousands of developers
      • Too many applications with systemic issues
      • There are not enough qualified application security professionals


  • Slide 23: There are only solutions!

      • Self-service model for developers and QA to build more secure applications
      • Iterative and collaborative security testing
      • Effective at identifying data-handling and code-quality vulnerabilities
      • Enumerates vulnerabilities better than manual assessments

  • Slide 24: Application Security Automation Stack

    Layers shown in the stack diagram:

      • DAST & SAST Management Portal
      • Dynamic Automation Testing (DAST)
      • Static Automation Testing (SAST)
      • Continuous Integration
      • HP Fortify

  • Slide 25: The holy grail of application security automation

  • Slide 26: Configuring WebInspect with Jenkins

  • Slide 28: Configuring your WebInspect scan in Jenkins

  • Slide 29: For more information

    Attend these sessions:

      • Birds of a Feather lunch
      • TT395: HP WebInspect's New RESTful API
      • BB3003: How HP Fortify Enables Continuous Monitoring

    After the event: contact your sales rep, or visit the website/Facebook/Twitter at:

    http://www8.hp.com/us/en/software-solutions/application-security/index.html

    Your feedback is important to us. Please take a few minutes to complete the session survey.


  • Slide 30: Please give me your feedback

    Please fill out a survey. Hand it to the door monitor on your way out.

    Thank you for providing your feedback, which helps us enhance content for future events.

    Session PN3002. Speakers: Jonathan Griggs / Brooks Garrett / Brandon Spruth / Jeremy Brooks

  • Slide 31: Thank you

  • Slide 32: (untitled closing slide, no content)