Micro Focus Presentation Template · Integrations and Auditing for Fast, Reliable Results Rick...

Date posted: 29-Oct-2019

#MicroFocusCyberSummit

Transcript

Automate Static and Dynamic Scans, CI/CD Integrations and Auditing for Fast, Reliable Results

Rick Smith, Senior Product Manager

Jimmy Rabon, Senior Product Manager

Automation – Static Analysis

Diagram nodes:

• Developer

• Source Code Mgmt System

• Automated Integration Build / Analysis (Fortify SCA, Maven, Ant, Make, MSBuild, CI System)

• Scan Server / Translation Server

• Defect Mgmt System

• Fortify Software Security Center

• Project Technical Security Leader

• Fortify SCA IDE Plug-in

Diagram actions (figure step numbers not preserved):

• Build, scan code

• Security analysis

• Audited scans merged with new scans

• New / critical issues exist → alert

• Defects

• Triage & assign ALL issues

• Repair MY issues

• Place secure code in SCM

Prerequisites:

1) Baseline scan performed

2) Report is triaged 100%

3) Filters created in project templates to be applied for future audits (applied by SSC)
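The "audited scans merged with new scans" step and its three prerequisites describe a simple invariant: once the baseline is triaged 100%, each later scan is matched against it so audit decisions carry over, the project-template filter hides what the team has decided not to track, and only genuinely new critical findings raise the alert. The following is an added illustration of that logic, not Fortify SCA or SSC code; the finding records, the `instance_id` matching key, the audit status names, the filter rule and the alert policy are all constructed assumptions.

```python
"""Model of 'audited scans merged with new scans' from the static-analysis
flow. Added illustration, not Fortify code: the records, audit statuses,
filter rule and alert policy below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    instance_id: str   # assumed stable identifier for one issue across scans
    category: str
    severity: str      # "Critical" | "High" | "Medium" | "Low"
    file: str
    line: int


@dataclass
class AuditedFinding:
    finding: Finding
    status: str        # "Exploitable" | "Not an Issue" | "Suspicious" | "Unaudited"
    is_new: bool = False


# Constructed baseline: 100% triaged, as prerequisite 2 requires.
BASELINE = [
    AuditedFinding(Finding("a1", "SQL Injection", "Critical", "Orders.java", 42), "Exploitable"),
    AuditedFinding(Finding("b2", "Path Manipulation", "High", "Export.java", 17), "Not an Issue"),
    AuditedFinding(Finding("c3", "Dead Code", "Low", "Util.java", 9), "Not an Issue"),
]

# Constructed new scan: a1 persists (line moved), b2 was fixed, d4 and e5 are new.
NEW_SCAN = [
    Finding("a1", "SQL Injection", "Critical", "Orders.java", 44),
    Finding("c3", "Dead Code", "Low", "Util.java", 9),
    Finding("d4", "Cross-Site Scripting", "Critical", "Search.java", 88),
    Finding("e5", "Weak Encryption", "Medium", "Crypto.java", 12),
]


def merge_scans(baseline, new_scan):
    """Carry audit status from the baseline onto matching new findings.

    Findings with no baseline match are marked new and left unaudited;
    baseline findings absent from the new scan are reported as removed.
    """
    by_id = {a.finding.instance_id: a for a in baseline}
    merged = []
    for f in new_scan:
        prev = by_id.pop(f.instance_id, None)
        if prev is None:
            merged.append(AuditedFinding(f, "Unaudited", is_new=True))
        else:
            merged.append(AuditedFinding(f, prev.status))
    removed = list(by_id.values())
    return merged, removed


def apply_template_filter(merged, hidden_statuses=("Not an Issue",),
                          hidden_categories=("Dead Code",)):
    """Project-template style filter (assumed rule set): hide audited false
    positives and categories the team has chosen not to track."""
    return [a for a in merged
            if a.status not in hidden_statuses
            and a.finding.category not in hidden_categories]


def new_critical_alert(visible):
    """Alert condition for the 'new / critical issues exist' step."""
    return [a for a in visible if a.is_new and a.finding.severity == "Critical"]


def run_pipeline(baseline=BASELINE, new_scan=NEW_SCAN):
    """Merge, filter and evaluate the alert; returns ids so the result is checkable."""
    merged, removed = merge_scans(baseline, new_scan)
    visible = apply_template_filter(merged)
    alerts = new_critical_alert(visible)
    return {
        "visible_ids": [a.finding.instance_id for a in visible],
        "new_ids": [a.finding.instance_id for a in visible if a.is_new],
        "removed_ids": [a.finding.instance_id for a in removed],
        "alert_ids": [a.finding.instance_id for a in alerts],
    }


if __name__ == "__main__":
    print(run_pipeline())
```

With the constructed data, the persisting injection finding keeps its "Exploitable" audit, the fixed path-manipulation finding is reported as removed, the audited-away dead-code finding stays hidden by the filter, and only the new critical XSS finding triggers the alert; the new medium finding is visible but does not page anyone.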

Automation – DevOps Tool Chain

• Code Repositories & Apps: Bitbucket, Git, GitHub, JIRA, Mercurial, Microsoft Team Foundation Server

• IDEs: Eclipse, IntelliJ, Microsoft Visual Studio

• Build Servers & Tools: Apache Ant, Atlassian Bamboo, Cucumber, Jenkins, Maven, Microsoft PowerShell, Microsoft Team Foundation Server, TeamCity

• Requirements & Issues: Atlassian Bamboo, Bugzilla, CA Service Desk Manager, Datadog, FogBugz, JUnit, Micro Focus ALM Octane, Micro Focus Quality Center, Microsoft Team Foundation Server, Rally

• Configuration Automation: BladeLogic, Chef, Puppet

• Communication & ChatOps: HipChat, Microsoft SharePoint, Microsoft Team Foundation Server, Slack

• Cloud: Amazon Web Services, Cloudera, Microsoft Azure, Micro Focus Server Automation, ServiceNow

• Containers: Docker

Pushing the Boundaries of Static Analysis with Automation

AppSec integration, specifically DAST, has challenges:

• Dependency on app-specific knowledge

• Dependency on tool-specific knowledge

• Process and configuration knowledge

• Traditionally DAST is run as a gating process rather than an enabling process

• Tension between feature release vs. secure release

Breaking Barriers and Integrating DAST into the SDLC

OpsDev · QA · Security

Fortify DAST – Product Vision & Strategy

Integration · Automation · Agility

Customer Demo and Success Story – Aaron’s, Jeremy Brooks

DAST @ Aaron’s

Jeremy Brooks

Application Security Lead

About Aaron’s

• Founded June 19, 1955

• ~10000 Employees

• ~1700 stores across the US and Canada

• $3+ billion in revenue

• Brick and mortar and online sales and leasing

• https://www.aarons.com

About Aaron’s Tech

• Culture

– Embrace & Drive Change

– Value Data Over Opinion

– Listen. Challenge. Commit.

– Think Two-Sided

– https://tech.aarons.com

• Solutions Delivery – Squad-based delivery teams

– Omnichannel

– Store

– Payments

– Data analytics

– 40+ applications

– Multiple releases per day

Challenges For AppSec

• On-boarding new applications is time consuming

– Authentication

– Business logic

– Coverage and Discoverability

• Scalability

– New functionality

– New end points

– New applications

This feels like duplication of effort. Isn’t someone already testing these applications?

QA + Security = Better Together

• Aaron’s DAST Strategy

– Create a partnership with QA

– Deploy technologies that enable security

– Build DAST into the pipeline

– Multiply effort


Phalanx Overview

• Services to manage proxies and DAST scans

• Sandbox for manual scans

• Coordinates load across scan agents

Phalanx Architecture

Web App for Manual Workflow

• Self guided

• Sandboxed

WebInspect REST API + Phalanx

• Start capturing proxy

• Configure functional test to use proxy

• Run functional test and capture traffic

• Add scan to queue once the test run has completed

• Tear everything down

• Phalanx manages scan queue

QA Automation Pipeline

• Tests created using N-Unit

• Octopus deploys application

• TeamCity job polls Octopus Deploy

• Triggers test run on successful build

• Unit tests make calls to WI API and wire up proxy

• Functional tests run, proxy collects traffic

• Unit tests queue a scan using the proxy traffic

• Phalanx manages scan queue

Lessons Learned and Next Steps

• Test in QA – DAST scans can take systems down, trigger lockouts and cause other undesirable side-effects

• Make sure you can revert your environment – WebInspect can add a lot of garbage data to your databases, file systems, etc.

• Make sure Dev, Ops, QA and CIRT are aware of your scan schedule – No one likes surprises!

• Include identifying attributes in your scan name – Make it easy to link a DAST scan back to a functional test run

• Close the feedback loop – Slack integration
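The "WebInspect REST API + Phalanx" steps and the "QA Automation Pipeline" slide describe one procedure: start a capture proxy, point the functional tests at it, run them, queue a scan from the captured traffic, and tear everything down; the lessons-learned slide adds that the scan name should carry identifying attributes so a result can be traced back to its functional test run. The following is an added example of that orchestration and is not Phalanx, WebInspect or Aaron's code: `ScanService` is an in-memory stand-in with a made-up interface, the functional tests are constructed, and the Octopus/TeamCity trigger and Slack notification are left out. It also shows the failure path the slides imply by "tear everything down": the proxy is stopped even when the functional test fails.

```python
"""Orchestration of a QA-driven DAST run. Added illustration, not Phalanx
or WebInspect code: ScanService is an assumed in-memory stand-in and the
functional tests below are constructed.
"""
import uuid
from datetime import datetime, timezone


class ScanService:
    """Fake proxy/scan API that records its calls so the workflow can be checked."""

    def __init__(self):
        self.proxies = {}   # proxy_id -> captured request lines
        self.queue = []     # scan jobs in submission order
        self.calls = []     # (operation, argument) audit trail

    def start_proxy(self):
        proxy_id = str(uuid.uuid4())
        self.proxies[proxy_id] = []
        self.calls.append(("start_proxy", proxy_id))
        return proxy_id

    def capture(self, proxy_id, request_line):
        self.proxies[proxy_id].append(request_line)

    def queue_scan(self, name, proxy_id):
        self.queue.append({"name": name, "requests": list(self.proxies[proxy_id])})
        self.calls.append(("queue_scan", name))
        return len(self.queue) - 1

    def stop_proxy(self, proxy_id):
        self.proxies.pop(proxy_id, None)
        self.calls.append(("stop_proxy", proxy_id))


def scan_name(app, env, build, test_run_id, now=None):
    """Identifying attributes in the scan name (assumed format) so a DAST
    result links back to the build and functional test run behind it."""
    now = now or datetime.now(timezone.utc)
    return f"{app}|{env}|build-{build}|run-{test_run_id}|{now:%Y%m%dT%H%M%SZ}"


def run_dast_from_functional_tests(svc, app, env, build, test_run_id,
                                   functional_test, now=None):
    """Start proxy, run the test through it, queue the scan, always tear down."""
    proxy_id = svc.start_proxy()
    try:
        # The functional test is configured to send its traffic via the proxy.
        functional_test(lambda req: svc.capture(proxy_id, req))
        if not svc.proxies[proxy_id]:
            raise RuntimeError("functional test produced no traffic; nothing to scan")
        return svc.queue_scan(scan_name(app, env, build, test_run_id, now), proxy_id)
    finally:
        svc.stop_proxy(proxy_id)   # runs on success and on failure alike


# Constructed functional tests.
def sample_checkout_test(send):
    send("GET /cart HTTP/1.1")
    send("POST /checkout HTTP/1.1")
    send("GET /orders/123 HTTP/1.1")


def failing_login_test(send):
    send("POST /login HTTP/1.1")
    raise AssertionError("expected landing page after login")


def demo(fail=False):
    """Run the flow with a fixed timestamp; returns state for inspection."""
    svc = ScanService()
    fixed = datetime(2019, 10, 29, 12, 0, tzinfo=timezone.utc)
    test = failing_login_test if fail else sample_checkout_test
    try:
        job = run_dast_from_functional_tests(svc, "storefront", "qa", 1842, "tr-77",
                                             test, now=fixed)
    except AssertionError:
        job = None   # the functional test failed; no scan was queued
    return {"job": job, "queue": svc.queue, "calls": svc.calls,
            "proxies_left": len(svc.proxies)}


if __name__ == "__main__":
    print(demo())
    print(demo(fail=True))
```

On the happy path the call trail is start_proxy, queue_scan, stop_proxy and the queued job carries the captured requests under a name like `storefront|qa|build-1842|run-tr-77|20191029T120000Z`; when the functional test fails, nothing is queued but the proxy is still stopped, which is the property that keeps a QA environment clean across many pipeline runs.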


Special Thanks

• Edwin Deliz – QA Manager

• Anthony Burt – QA Engineer

Thank You.
