© 2016 Denim Group – All Rights Reserved
ThreadFix and SD Elements:
Unifying Security Requirements and
Vulnerability Management for Applications
November 17th, 2016
Dan Cornell, CTO, Denim Group
Shane Parfitt, Product Marketing Manager, Security Compass
Agenda
• State of Application Security
• Why Managed Security Requirements?
• SD Elements Overview/How it Works
• Business Value
• ThreadFix Overview
• ThreadFix / SD Elements Integration
Copyright © 2016 Security Compass. All rights reserved.
Software Development Lifecycle (diagram): Requirements Management at the start of the lifecycle; AppSec Products/Tools later in the lifecycle: Code Review (SAST) and Pen Testing (DAST)
Relative Cost of Fixing Defects (chart): relative cost of a fix rises from 1x through 6.5x and 15x to 100x the later in the SDLC the defect is found.
The later security vulnerabilities are found in the SDLC, the greater the cost and time required to remediate.
Source: IBM Systems Sciences Institute
Step 1: Answer a short questionnaire
Step 2: Get relevant threats and countermeasures
Step 3: Deliver through your development tools
Step 4: Build security in
Step 5: Verify requirements
Repeatable. Scalable. Cost-Efficient.
Application modeling takes just 15 minutes. Information is gathered about language, platform, features, compliance and tools in order to determine the relevant threats and countermeasures…
A list of potential vulnerabilities is drawn from a large expert database of security content, providing a clear risk analysis of the application. The expert database is regularly updated with the latest threats and countermeasures.
SD Elements painlessly fits into existing development processes. Synchronization with ALM tools such as HP ALM, IBM Rational CLM, JIRA, and Microsoft TFS pushes security requirements directly to developers as work items/tickets.
Seamless Integration
Task prioritization helps agile teams choose what to work on first. Code samples and embedded training help developers understand both the “WHY” and the “HOW” of security requirements.
(Screenshot labels: AppScan: Fail; ThreadFix: Fail)
Test results are easily imported from ThreadFix and popular scanning tools. Imported data is matched to requirements for validation and compliance reporting.
ROI Calculation: Forrester Case Study of a Fortune 500 Financial Institution
ROI via Vulnerability Reduction (chart): average number of Medium and High vulnerabilities, No SDE vs. Full SDE Usage, shown per application (App1 through App5). Bar labels as extracted: 32.8, 013.2, 0.40.
Risk Reduction (chart): risk falls as the SDE project progresses through Identify, Mitigate and Validate to Done, with verification marked Pass.
Large ISV Client Anecdote
• Attempted to build a similar tool internally and failed. Twice.
• Decided to adopt SD Elements, and realized immediate efficiencies.
Time required for Threat Profiling and Requirements Generation:
Before SDE: 5 – 10 days!
After SDE: Less than 1 hour!
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
ThreadFix Overview
Create a consolidated view of your applications and vulnerabilities
Application Portfolio Tracking
Vulnerability Import
Vulnerability Consolidation
Prioritize application risk decisions based on data
Vulnerability Prioritization
Reporting and Metrics
Translate vulnerabilities to developers in the tools they are already using
Defect Tracker Integration
SD Elements HomePage
Add Connection
Add ThreadFix Credentials
ThreadFix Connection Established!
Add ThreadFix Integration to Project (1)
Add ThreadFix Integration to Project (2)
Add ThreadFix Integration to Project (3)
Import Results
Track Results
Without ThreadFix (screenshot labels: CheckMarx: Partial Pass; Conflicting Results)
Report Results
Report Results
Report Results
• Automatically generated compliance report showing Completion Status and Verification Status for each control.
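The matching step on the earlier "Import Results" slide and the compliance report described in the bullet above can be shown as one worked example. The code below is an added illustration, not SD Elements' or ThreadFix's own logic: it assumes a hypothetical mapping from each security requirement (control) to the CWE classes that verify it, a hypothetical per-scanner coverage table, and constructed sample findings from two scanners. It consolidates duplicate findings the way a single consolidated view would, gives each scanner its own verdict per control, and rolls the verdicts up into the Pass / Fail / Partial Pass / Not Verified status a report would show, with the conflicting-results case (one scanner clean, the other not) handled explicitly.

```python
"""Constructed example: roll up multi-scanner results into per-control status.

Hypothetical logic, not SD Elements' or ThreadFix's own code. Scanner names,
CWE mappings, coverage tables and file paths are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str
    cwe: int
    location: str  # file:line for SAST, URL for DAST
    status: str    # "open" or "closed"


# Hypothetical security requirements (controls) keyed by task id, each mapped to
# the CWE ids whose presence/absence verifies it, plus the developer's completion flag.
CONTROLS = {
    "T21": {"title": "Use parameterized SQL queries", "cwes": {89}, "done": True},
    "T33": {"title": "Encode output to prevent XSS", "cwes": {79}, "done": True},
    "T44": {"title": "Restrict uploaded file types", "cwes": {434}, "done": False},
    "T57": {"title": "Use strong TLS cipher suites", "cwes": {326}, "done": True},
    "T60": {"title": "Encrypt sensitive data at rest", "cwes": {311}, "done": True},
}

# Hypothetical scanner coverage: which CWE classes each tool can test for.
# A scanner that cannot test a class gives no verdict rather than a false "Pass".
COVERAGE = {
    "Checkmarx": {89, 79, 434},
    "AppScan": {89, 79, 326},
}

# Constructed sample findings, as they might look after import from two scanners.
FINDINGS = [
    Finding("Checkmarx", 89, "src/UserDao.java:42", "open"),
    Finding("AppScan", 89, "src/UserDao.java:42", "open"),    # same vuln seen by both
    Finding("Checkmarx", 79, "src/Search.jsp:17", "closed"),
    Finding("AppScan", 79, "src/Search.jsp:17", "closed"),
    Finding("AppScan", 79, "src/Profile.jsp:88", "open"),     # only one scanner sees this
]


def consolidate(findings):
    """Merge duplicate findings on (cwe, location); a vuln stays open if any scanner
    still reports it open. Returns {(cwe, location): {"scanners": set, "open": bool}}."""
    merged = {}
    for f in findings:
        entry = merged.setdefault((f.cwe, f.location), {"scanners": set(), "open": False})
        entry["scanners"].add(f.scanner)
        entry["open"] = entry["open"] or f.status == "open"
    return merged


def scanner_verdicts(control, findings, coverage):
    """Per-scanner verdict for one control: Fail if the scanner has an open finding in
    the control's CWE set, Pass if it covers the class and found nothing open,
    no entry at all if it cannot test the class."""
    open_by_scanner = defaultdict(set)
    for f in findings:
        if f.status == "open" and f.cwe in control["cwes"]:
            open_by_scanner[f.scanner].add(f.cwe)
    verdicts = {}
    for scanner in sorted(set(coverage) | set(open_by_scanner)):
        if open_by_scanner.get(scanner):
            verdicts[scanner] = "Fail"
        elif coverage.get(scanner, set()) & control["cwes"]:
            verdicts[scanner] = "Pass"
    return verdicts


def verification_status(verdicts):
    """Roll per-scanner verdicts into the status a compliance report would show."""
    values = set(verdicts.values())
    if not values:
        return "Not Verified"
    if values == {"Pass"}:
        return "Pass"
    if values == {"Fail"}:
        return "Fail"
    return "Partial Pass"  # scanners disagree: conflicting results


def control_report(controls, findings, coverage):
    """Build {task_id: {completion, verification, open_vulns, verdicts}} for every control."""
    merged = consolidate(findings)
    report = {}
    for task_id, control in controls.items():
        verdicts = scanner_verdicts(control, findings, coverage)
        open_vulns = sum(1 for (cwe, _), v in merged.items()
                         if v["open"] and cwe in control["cwes"])
        report[task_id] = {
            "completion": "Done" if control["done"] else "In Progress",
            "verification": verification_status(verdicts),
            "open_vulns": open_vulns,
            "verdicts": verdicts,
        }
    return report


if __name__ == "__main__":
    for task_id, row in control_report(CONTROLS, FINDINGS, COVERAGE).items():
        print(f"{task_id} {CONTROLS[task_id]['title']:<32} {row['completion']:<12} "
              f"{row['verification']:<13} open={row['open_vulns']}")
```

With the sample data, T21 fails in both scanners and counts one open vulnerability rather than two, because the duplicate at the same location is merged; T33 is a Partial Pass, since one scanner is clean and the other still reports an open XSS; T44 passes verification while its task is still In Progress; and T60 is Not Verified because neither scanner covers its CWE class. Separating "no finding because the class was tested and is clean" from "no finding because the tool never looks for it" is the caveat to keep in mind when reading any scanner-backed compliance report.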
Summary
• SD Elements 4 manages security requirements across the entire software development lifecycle, from planning through to release.
• Scalable automation capabilities culminate in more secure applications that cost less to develop and test.
• ThreadFix integration with SD Elements allows organizations to reduce risk by validating requirements using multiple scanner results, while maintaining the same level of automation.
Questions and Contact
ThreadFix: www.threadfix.it
Security Compass SD Elements: www.securitycompass.com/sdelements
About Denim Group
Denim Group is the leading secure software development firm, serving as a trusted advisor on matters of software risk and security. Our flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's understanding of what it takes to fix application vulnerabilities faster.
About Security Compass
Security Compass named as a Gartner Cool Vendor in Application and Endpoint Security 2014 (bit.ly/securitycompass)
Security Compass is a leading application security firm specializing in solving root application security problems for Fortune 500 companies. Our goal is to help you build secure software by seamlessly unifying your application security needs through eLearning, Security Requirements and Verification.