#MicroFocusCyberSummit
Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for Fast, Reliable Results
Rick Smith, Senior Product Manager
Jimmy Rabon, Senior Product Manager
Automation – Static Analysis

Workflow (flattened from the slide diagram; the labels below are the diagram's own):
• Developer commits code to the source code management (SCM) system
• Automated integration build / analysis: Fortify SCA is driven from the build (Maven, Ant, Make, MSBuild) by the CI system; a scan server and a translation server do the work ("Build, scan code" / "Security analysis")
• Results go to Fortify Software Security Center (SSC), where audited scans are merged with new scans
• Defects flow to the defect management system
• Project Technical Security Leader: alerted when new / critical issues exist; triages and assigns ALL issues
• Developer: repairs MY issues with the Fortify SCA IDE plug-in, then places the secure code back in SCM

Prerequisites:
1) Baseline scan performed
2) Report is triaged 100%
3) Filters created in project templates, to be applied for future audits (applied by SSC)
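The merge step above is what makes the automation safe to run unattended: audit decisions made on the baseline must survive each new scan, only untriaged findings should raise the "new / critical issues exist" alert, and the project-template filter should hide categories nobody has agreed to fix yet. The following is an added example of that logic, not Fortify's or SSC's own merge code; the instance IDs, findings, audit states and the hidden category are constructed for the example.

```python
"""Added example (not Fortify's own merge logic): how the audited baseline carries
forward when a new scan arrives, what counts as "new", and when to alert.
Findings, audit states and the category filter are constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    instance_id: str   # stable per-issue identifier that survives rescans (assumed)
    category: str
    severity: str      # "critical", "high", "medium" or "low"


@dataclass(frozen=True)
class Audit:
    analysis: str      # e.g. "exploitable", "not an issue"
    assigned_to: str


@dataclass
class MergeResult:
    carried: list       # findings still present, audit preserved
    new: list           # visible findings nobody has triaged yet
    removed: list       # audited instance ids the new scan no longer reports
    alert: bool         # the "new / critical issues exist" condition
    critical_new: bool


def untriaged(baseline, audits):
    """Prerequisite 2: every baseline finding must carry an audit before automation runs."""
    return sorted(f.instance_id for f in baseline if f.instance_id not in audits)


# Prerequisite 3: a project-template style filter hiding a category nobody will fix now.
HIDDEN_CATEGORIES = {"Poor Logging Practice"}


def merge_scan(audits, new_scan, hidden_categories=HIDDEN_CATEGORIES):
    """Merge a fresh scan into the audited baseline, keyed on instance id."""
    visible = [f for f in new_scan if f.category not in hidden_categories]
    carried = [f for f in visible if f.instance_id in audits]
    new = [f for f in visible if f.instance_id not in audits]
    present = {f.instance_id for f in new_scan}   # hidden findings still count as present
    removed = sorted(i for i in audits if i not in present)
    return MergeResult(carried, new, removed,
                       alert=bool(new),
                       critical_new=any(f.severity == "critical" for f in new))


def triage_queue(result):
    """What the project technical security leader must assign: every new finding,
    worst severity first, so nothing is left unaudited before the next merge."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(result.new, key=lambda f: order.get(f.severity, 9))


# Constructed data: a triaged baseline and the next scan of the same code base.
BASELINE = [Finding("A1", "SQL Injection", "critical"),
            Finding("B2", "Cross-Site Scripting", "high"),
            Finding("C3", "Path Manipulation", "medium")]
AUDITS = {"A1": Audit("exploitable", "alice"),
          "B2": Audit("not an issue", "bob"),
          "C3": Audit("exploitable", "carol")}
NEW_SCAN = [Finding("A1", "SQL Injection", "critical"),
            Finding("B2", "Cross-Site Scripting", "high"),
            Finding("D4", "Command Injection", "critical"),
            Finding("E5", "Poor Logging Practice", "low"),
            Finding("F6", "Hardcoded Password", "high")]

if __name__ == "__main__":
    assert not untriaged(BASELINE, AUDITS), "baseline is not 100% triaged"
    result = merge_scan(AUDITS, NEW_SCAN)
    print("new:", [f.instance_id for f in triage_queue(result)],
          "removed:", result.removed, "alert:", result.alert)
```

Note that B2, audited as "not an issue" on the baseline, comes back from the new scan without re-alerting, and C3 disappears from the scan but its audit record is reported as removed rather than silently dropped; both are the behaviours a team wants before it lets the pipeline page people on every build.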
Automation – DevOps Tool Chain

Code Repositories & Apps: Bitbucket, Git, GitHub, JIRA, Mercurial, Microsoft Team Foundation Server
IDEs: Eclipse, IntelliJ, Microsoft Visual Studio
Build Servers & Tools: Apache Ant, Atlassian Bamboo, Cucumber, Jenkins, Maven, Microsoft PowerShell, Microsoft Team Foundation Server, TeamCity
Requirements & Issues: Atlassian Bamboo, Bugzilla, CA Service Desk Manager, Datadog, FogBugz, JIRA, JUnit, Micro Focus ALM Octane, Micro Focus Quality Center, Microsoft Team Foundation Server, Rally
Configuration Automation: BladeLogic, Chef, Puppet
Communication & ChatOps: HipChat, Microsoft SharePoint, Microsoft Team Foundation Server, Slack
Cloud: Amazon Web Services, Cloudera, Microsoft Azure, Micro Focus Server Automation, ServiceNow
Containers: Docker
AppSec integration, specifically DAST, has challenges
• Dependency on application-specific knowledge
• Dependency on tool-specific knowledge
• Process and configuration knowledge
• Traditionally DAST is run as a gating process rather than an enabling process
• Tension between feature release and secure release
Breaking Barriers and Integrating DAST into the SDLC
(Diagram: Dev / Ops, QA, Security)
About Aaron’s
• Founded June 19, 1955
• ~10000 Employees
• ~1700 stores across the US and Canada
• $3+ billion in revenue
• Brick and mortar and online sales and leasing
• https://www.aarons.com
About Aaron’s Tech
• Culture
– Embrace & Drive Change
– Value Data Over Opinion
– Listen. Challenge. Commit.
– Think Two-Sided
– https://tech.aarons.com
• Solutions Delivery
– Squad based delivery teams
• Omnichannel
• Store
• Payments
• Data analytics
– 40+ applications
– Multiple releases per day
Challenges For AppSec
• On-boarding new applications is time consuming
– Authentication
– Business logic
– Coverage and Discoverability
• Scalability
– New functionality
– New end points
– New applications
This feels like duplication of effort. Isn’t someone already testing these applications?
QA + Security = Better Together
• Aaron’s DAST Strategy
– Create a partnership with QA
– Deploy technologies that enable security
– Build DAST into the pipeline
– Multiply effort
Phalanx Overview
• Services to manage proxies and DAST scans
• Sandbox for manual scans
• Coordinates load across scan agents
WebInspect REST API + Phalanx
• Start capturing proxy
• Configure functional test to use proxy
• Run functional test and capture traffic
• Add the scan to the queue once the test run has completed
• Tear everything down
• Phalanx manages scan queue
QA Automation Pipeline
• Tests created using N-Unit
• Octopus deploys application
• TeamCity job polls Octopus Deploy
• Triggers test run on successful build
• Unit tests call the WebInspect (WI) REST API and wire up the proxy
• Functional tests run, proxy collects traffic
• Unit tests queue a scan using the proxy traffic
• Phalanx manages scan queue
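The two slides above ("WebInspect REST API + Phalanx" and "QA Automation Pipeline") describe one procedure: start a capture proxy, point the functional test at it, run the test, queue a scan over the captured traffic, tear everything down, and let a coordinator hand queued scans to agents with free capacity. The block below is an added example of that lifecycle, not Aaron's Phalanx code and not the WebInspect REST API; `FakeWebInspect` is an in-memory stand-in whose method names are assumptions, the agent names and capacities are made up, and the scan-name format (app, build, test run) is one way to satisfy the "identifying attributes" lesson further down.

```python
"""Added example (not Aaron's Phalanx or the WebInspect REST API): the
capture-proxy -> functional test -> queued scan lifecycle, with a small
Phalanx-like queue that hands scans to agents with free capacity.
FakeWebInspect is an in-memory stand-in; real endpoints and payloads differ."""
from collections import deque
from contextlib import contextmanager
from dataclasses import dataclass
import itertools


class FakeWebInspect:
    """Stand-in for a scanner REST API (assumed surface): start and stop a
    capture proxy, and read back what it captured."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.proxies = {}  # proxy id -> captured requests

    def start_proxy(self):
        pid = f"proxy-{next(self._ids)}"
        self.proxies[pid] = []
        return pid

    def capture(self, pid, request):
        """The functional test's HTTP traffic, routed through the proxy."""
        self.proxies[pid].append(request)

    def traffic(self, pid):
        return list(self.proxies[pid])

    def stop_proxy(self, pid):
        self.proxies.pop(pid, None)


@dataclass
class ScanJob:
    name: str
    traffic: list
    agent: str = None
    status: str = "queued"


class ScanQueue:
    """Phalanx-like coordinator: pending jobs go to whichever agent has the
    most free slots; nothing runs beyond an agent's capacity."""

    def __init__(self, agent_capacity):
        self.capacity = dict(agent_capacity)   # agent name -> concurrent scans
        self.pending = deque()
        self.running = []

    def free_slots(self, agent):
        return self.capacity[agent] - sum(1 for j in self.running if j.agent == agent)

    def submit(self, job):
        self.pending.append(job)
        return job

    def dispatch(self):
        """Start as many pending jobs as capacity allows; returns the jobs started."""
        started = []
        while self.pending:
            agent = max(self.capacity, key=self.free_slots)
            if self.free_slots(agent) <= 0:
                break
            job = self.pending.popleft()
            job.agent, job.status = agent, "running"
            self.running.append(job)
            started.append(job)
        return started

    def complete(self, job):
        job.status = "done"
        self.running.remove(job)


def scan_name(app, build, test_run):
    """Identifying attributes in the name so a scan links back to its test run."""
    return f"{app}_{build}_testrun-{test_run}"


@contextmanager
def capturing_proxy(wi):
    pid = wi.start_proxy()
    try:
        yield pid
    finally:
        wi.stop_proxy(pid)   # tear down even if the functional test blows up


def run_test_and_queue_scan(wi, queue, app, build, test_run, functional_test):
    """Start proxy, point the test at it, run it, queue a scan over the
    captured traffic, tear everything down."""
    with capturing_proxy(wi) as pid:
        functional_test(lambda request: wi.capture(pid, request))
        traffic = wi.traffic(pid)
    if not traffic:
        # A test that drove no traffic gives the scanner nothing to attack;
        # fail loudly instead of queueing an empty scan that reports "clean".
        raise RuntimeError("functional test produced no traffic; scan not queued")
    return queue.submit(ScanJob(scan_name(app, build, test_run), traffic))


def sample_functional_test(send):
    """Constructed functional test: three requests a real test would issue via the proxy."""
    send("GET /login")
    send("POST /login user=qa&pass=***")
    send("GET /account/summary")


if __name__ == "__main__":
    wi, queue = FakeWebInspect(), ScanQueue({"agent-1": 1, "agent-2": 2})
    job = run_test_and_queue_scan(wi, queue, "storeweb", "build-42", 7, sample_functional_test)
    print(job.name, len(job.traffic), queue.dispatch()[0].agent)
```

The context manager is the piece worth copying: a functional test that throws must still release the proxy, or the next pipeline run inherits a stale capture. The empty-traffic check guards the quiet failure mode where a misconfigured test never reaches the proxy and the pipeline happily queues a scan that finds nothing.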
Lessons Learned and Next Steps
• Test in QA
– DAST scans can take systems down, trigger lockouts and cause other undesirable side-effects
• Make sure you can revert your environment
– WebInspect can add a lot of garbage data to your databases, file systems, etc.
• Make sure Dev, Ops, QA and CIRT are aware of your scan schedule
– No one likes surprises!
• Include identifying attributes in your scan name
– Make it easy to link a DAST scan back to a functional test run
• Close the feedback loop
– Slack integration