1
HPE Security Fortify on Demand
V17.1 Release Training
Carole Loomis, FoD Product Marketing Manager
Intersections, March 20, 2017
HPE Confidential - Internal Use Only
2
Fortify on Demand Application Security Testing is at the core of what we do Does anyone recognize these three icons from 4+ years ago? You can see the same (updated) 3 steps on our current datasheet. Application Security Testing is at the core of what we do – it always has been. We still do the same thing today – we simplify application security for our customers. Nothing has changed in that regard. The difference is that we’re helping our customers beyond the scan – we help them manage risk across their software portfolio.
3
HPE Security Fortify Leadership
Over a decade of successful deployments backed by the largest security research team
2017 Gartner MQ for AST
- 10 out of 10 of the largest information technology companies
- 9 out of 10 of the largest banks
- 4 out of 5 of the largest pharmaceutical companies
- 3 out of 3 of the largest independent software vendors
- 5 out of 5 of the largest telecommunication companies
Keeping up with the way our customers build applications today, we continue to strengthen and innovate our products and solutions, which is why we continue to be in the leader's quadrant of the Gartner MQ. This is the new Gartner Magic Quadrant for
If you look closely you can see that we slightly edge out Veracode in the ability to execute, but we are farther ahead in vision.
4
Fortify on Demand product strategy
The Product Roadmap, which Dylan may cover in more depth, focuses on being the best we can be and providing the kinds of tools our customers need to run their businesses (core), keeping up with the pace of development today (DevOps), and making sure our tools and teams can keep pace (delivery excellence). The way we do business is a huge differentiator for us and the reason our customers renew.
- Crush the Core: Be THE platform to manage a comprehensive application security program from inception to maturity
- Securing DevOps: Enable customers to build security into the new SDLC through seamless integration and automation
- Delivery Excellence: Provide scalable, comprehensive application testing at the speed of business with world-class support
Rolling roadmap up to three years; subject to change without notice
5
Integrate application security with DevOps
30% of respondents who said that their organization was not practicing DevOps were actually deploying some capabilities of DevOps
I want to touch on DevOps for a moment here. There's a lot to it. Similar to "the cloud" a few years ago, DevOps is somewhat of a buzzword that is seen as the next big thing, but most enterprises do not know exactly what it means to their organization. It is very common to selectively pick and choose processes that align to the distinct needs of the organization. Fortify recently conducted a study and we found that though some companies said they were not doing DevOps, they were in fact employing practices that are considered characteristics of DevOps.
DevOps Survey Intersections with attached report:
6
Application Security and the new SDLC
Application security is not being integrated into DevOps processes but only
Most believe downstream security technologies such as preproduction penetration testing and network security are adequate.
are doing application security testing during development
And, though 90% of organizations we surveyed are implementing or piloting some sort of DevOps changes or processes within their development, AND 99% agreed that these changes are an opportunity to improve application security, ONLY 20% are actually doing application security testing during development. Clearly, this is potentially a HUGE opportunity for us.
A shocking are not using any security technologies to protect their applications.
of surveyed organizations are implementing or piloting DevOps and agree DevOps is an opportunity to improve application security
Application security is not being integrated into DevOps processes
Source of data: HPE, "AppSec and DevOps research survey: What's the true state of application security in DevOps environments?" October 2016.
7
Pain Points / Motivations
Key Customer Personas | Function Titles | Role | Pain Points / Motivations
Non-Security C-level Executive | CEO, CIO, CTO, CFO | Approver, Economic Buyer, Business Decision Maker; Monitors ROI | Brand Protection, Business Growth, Competitiveness, Profitability and Efficiencies
Head of Security | CISO, Head of Security | Economic Buyer, Business Decision Maker, Monitors Strategic Adoption, Manages Security Programs | Business Continuity, Asset Protection, Security as a Value-Add
Application Security Director / Manager | Application Security Manager | Primary Champion, Technical Decision Maker, builds and manages appsec program | Policy Enforcement, Low Pain/Max Gain, Breach Prevention/Avoidance
Application Security Practitioner | IT Security, Security Analyst, Auditor | User, Technical Decision Maker, Influencer; Uses Product, Enforces Security Initiatives | Perception of Security and Security Staff,
Application Development | VP / Director of Engineering, Developer | User, Technical Evaluator, Influencer; Use Product, Affected by Purchasing/Deployment Decisions | Release Schedules & Deadlines, Product Ease-of-Use, Value to Developers, Perception of Product Quality
8
Fortify on Demand Release 17.1
Enabling the integration and automation of application security into the SDLC
- Seamless integration with Development
  - Comprehensive IDE plugins for Eclipse and Visual Studio
  - Integrations with GitHub and Bitbucket
- For Security Leads
  - Improved policy management: assign security policies based on business criticality, application type, or custom application attributes; include compliance requirements like PCI or OWASP Top 10, require continuous application monitoring, and specify allowed assessment types.
  - Reporting updates: added classifications and reporting for OWASP Mobile Top 10 and DISA STIG 4.1
- Core Product Updates
  - Enhanced static testing capabilities with SCA 16.2: extended support for Swift 2.2/Xcode 8.1, major .NET improvements with a brand new .NET front end.
As more organizations embrace DevOps, our 17.1 release continues our focus on enabling the integration and automation of application security into the software development lifecycle. With this release you may have noticed that we are aligned with the rest of Fortify in naming our releases: first the calendar year, then the release number. Since we have quarterly releases, you can expect 17.1 through 17.4. Dylan will go into more detail about the release, but here is a brief overview.
Bringing tools to the developer is the only way to make security a natural part of the software development lifecycle. Comprehensive IDE plugins for Eclipse and Visual Studio provide a seamless, comprehensive workflow from initiating static assessments through remediating the results. And integrations with GitHub and Bitbucket allow developers to easily pull down source code from those repositories.
For Security Leads: the first item, improved policy management, gives security leads more control, making managing an application portfolio, identifying problem applications and tracking progress more powerful and flexible than ever. Security leads can now assign security policies based on business criticality, application type, or custom application attributes. Policies can also include compliance requirements like PCI or OWASP Top 10, require continuous application monitoring, and specify allowed assessment types. Showing the progress of a program, or meeting compliance requirements, demands great reporting, something that we are always improving and updating. This time we've added classifications and reporting for OWASP Mobile Top 10 and DISA STIG 4.1.
Core Product Updates: as you are aware, updates to SCA and WebInspect are updates for Fortify on Demand. With this release we've enhanced static testing capabilities with their last release, which featured extended support for Swift 2.2/Xcode 8.1 and major .NET improvements.
9
HPE Security Fortify on Demand
V17.1 Release Highlights
Dylan Thomas, Senior Product Manager
Intersections, March 20, 2017
HPE Confidential - Internal Use Only
10
HPE Confidential Information
INTERNAL USE ONLY. This document contains Hewlett Packard Enterprise confidential information. If you have a valid Confidential Disclosure Agreement with Hewlett Packard Enterprise, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from Hewlett Packard Enterprise and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publicly known, rightfully received by you from a third party without duty of confidentiality, or disclosed with Hewlett Packard Enterprise's prior written approval.
HPE Confidential - Internal Use Only
11
Fortify on Demand v17.1 highlights
New functionality
- Comprehensive IDE plugins with remediation
  - Eclipse: Upload, download & audit
  - Visual Studio: Upload & download (audit to follow)
12
Comprehensive plugins for Eclipse and Visual Studio
Initiate static scans and remediate identified vulnerabilities from the IDE
13
Comprehensive plugins for Eclipse and Visual Studio
Install directly from Visual Studio and hosted in the VS Marketplace
14
Comprehensive plugins for Eclipse and Visual Studio
Initiate static scans and remediate identified vulnerabilities from the IDE
- Navigate directly to vulnerability location
- Review vulnerability description and recommendations
- Synchronized tracking of remediation workflow
15
Fortify on Demand v17.1 highlights
New functionality
- Comprehensive IDE plugins with remediation
  - Eclipse: Upload, download & audit
  - Visual Studio: Upload & download (audit to follow)
- Policy management
  - Configurable scope
  - Allowed assessment types
  - Compliance requirements
16
Policy management Configurable scope
Assign policies based on business criticality, application type or custom attributes
Custom attributes details:
- Picklists with < 10 values
- Can be required or security-lead-only attributes
Transparent upgrade: existing policies by business criticality
17
Policy management Expanded policy customization
Choose a compliance requirement
- Vulnerabilities without a classification are not counted against pass / fail
- OWASP, PCI, FISMA, STIG, CWE
Application monitoring can be required
- Applies to releases in production only
Choose allowed assessment types
- Includes single scan vs subscription
- Enables more control over entitlement usage by distributed teams
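To make the policy rules on the last two slides concrete, here is an added example (not Fortify on Demand's own code or data model) that selects a policy by application attributes and evaluates a release against it: only findings carrying the policy's compliance classification count toward pass/fail, the monitoring requirement applies only to production releases, and the assessment type must be one the policy allows. The per-severity limits, the attribute names and the sample findings are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
# Assumed model of the slide's policy rules (not Fortify on Demand's own code):
# scope by attribute, a compliance classification that gates which findings count
# against pass/fail, monitoring enforced only in production, whitelisted assessment
# types, and per-severity open-finding limits as an assumed pass/fail rule.
@dataclass
class Policy:
    name: str
    scope: dict                  # attribute -> set of accepted values ({} = any release)
    compliance: "str | None"     # e.g. "PCI"; None means every finding counts
    require_monitoring: bool
    allowed_assessments: set
    max_open: dict = field(default_factory=dict)   # severity -> allowed count
@dataclass
class Finding:
    severity: str
    classifications: set         # e.g. {"PCI", "OWASP Top 10"}; empty = unclassified
@dataclass
class Release:
    attributes: dict             # business_criticality, application_type, custom attrs
    in_production: bool
    monitored: bool
    assessment_type: str
    findings: list

def select_policy(policies, release):
    """Return the first policy whose scope matches every attribute it constrains."""
    for p in policies:
        if all(release.attributes.get(k) in v for k, v in p.scope.items()):
            return p
    return None

def evaluate(policy, release):
    """Return (passed, reasons) for one release under one policy."""
    reasons = []
    if release.assessment_type not in policy.allowed_assessments:
        reasons.append(f"assessment type not allowed: {release.assessment_type}")
    if policy.require_monitoring and release.in_production and not release.monitored:
        reasons.append("continuous application monitoring required in production")
    counted = [f for f in release.findings      # unclassified findings are not counted
               if policy.compliance is None or policy.compliance in f.classifications]
    for sev, limit in policy.max_open.items():
        n = sum(1 for f in counted if f.severity == sev)
        if n > limit:
            reasons.append(f"{n} {sev} finding(s) exceed limit of {limit}")
    return not reasons, reasons
# Constructed sample data: a PCI policy scoped to High criticality plus a catch-all.
POLICIES = [
    Policy("PCI-High", {"business_criticality": {"High"}}, "PCI", True,
           {"Static Subscription", "Dynamic Subscription"}, {"Critical": 0, "High": 0}),
    Policy("Default", {}, None, False, {"Static Single Scan"}, {"Critical": 0}),
]
SAMPLE = Release({"business_criticality": "High", "application_type": "Web"},
                 in_production=True, monitored=False, assessment_type="Static Single Scan",
                 findings=[Finding("Critical", set()), Finding("High", {"PCI", "OWASP Top 10"})])
```

Running `evaluate(select_policy(POLICIES, SAMPLE), SAMPLE)` fails the release for the disallowed single scan, the missing monitoring and the PCI-classified High finding, while the unclassified Critical finding is ignored exactly as the slide describes.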
18
Fortify on Demand v17.1 highlights
New functionality
- Comprehensive IDE plugins with remediation
  - Eclipse: Upload, download & audit
  - Visual Studio: Upload & download (audit to follow)
- Policy management
  - Configurable scope
  - Allowed assessment types
  - Compliance requirements
- Source control integration
  - Supports Github, Bitbucket
  - New static scan settings page
Use the two Source Control apps. Bitbucket for scanning.
19
Source control integration for static scans
Submit source, binary and bytecode directly from Github or Bitbucket
20
Source control integration for static scans
Additional details
General details:
- Authorize, then configure team/organization and repository under Application Settings. Don't forget to save!
- New Static Scan Settings page replaces the Build Server configuration page
- To provide the source/binary payload, choose between Manual Upload (default) and Source Control (if configured)
- Supported languages: Java, Javascript, .NET, PHP, Python
- When starting, choose the release or branch
- Dependencies and required files for the language must be present in the repository (ex: PDB for .NET)
Github details:
- Uses Github marketplace app (unique to datacenter)
Bitbucket details:
- Uses OAuth consumer with Key/Secret
- Callback URL = {datacenter URL}/Redirect/OAuth/
- Team, project, repo read access required
21
Fortify on Demand v17.1 highlights
New functionality
- Comprehensive IDE plugins with remediation
  - Eclipse: Upload, download & audit
  - Visual Studio: Upload & download (audit to follow)
- Policy management
  - Configurable scope
  - Allowed assessment types
  - Compliance requirements
- Source control integration
  - Supports Github, Bitbucket
  - New static scan settings page
- OWASP Mobile Top 10 classification
- DISA STIG 4.1 classification
- SCA 16.2
22
Fortify SCA 16.2 details Extended Swift Support
What are we announcing? / What are the main benefits?
- Extended Swift Support: allows users to scan source code written in Swift 2.2. Features supported: Data flow scan, Semantic scan, Control flow scan, Better object interoperability, Higher Order Analysis
- .NET: new .NET front end; eliminates the need for the pre-compile step; enables and expands new robust functionality
- Language support improvements: Objective C - Xcode 8.1 support; ABAP support - added support for several ABAP keywords and statements; TSQL support - improved support
- Quality improvements: Java Translator, JavaScript Translator, Dataflow Analyzer
Extended Swift Support (Phase 2 of 2). SCA allows customers to scan source code written in Swift 2.2. In the previous release we had limited Swift support, but in this release we have added new analyzers that greatly improve our ability to identify vulnerabilities in Swift code. Features supported:
- Data Flow Analysis
- Semantic Analysis: detection of locally emerging events on massive test streams / detect spatially compact events in text streams
- Control Flow Analysis
- Better object interoperability: our interface allows better information exchange
- Higher Order Analysis: a function is higher order if it has one or more parameters that are functions and/or it returns a function. Helps with data processing.
Benefit: earlier releases supported a small portion of Swift; it is now greatly improved, a comprehensive Swift scan.
.NET: long awaited. We've made our .NET support faster and more robust with a completely redesigned .NET translator; we completely rewrote the .NET front end. The old front end did not provide a good user experience: customers disliked the dreaded pre-compile step, and it was difficult to add new functionality or extend our .NET support because of its limitations. With the new design we improved the user experience and eliminated the need to pre-compile (customers who want to scan binary code can still do it). These advancements will enable us to expand with new functionality in future releases by extending our .NET support to the most requested frameworks:
- .NET MVC (model view controller): a highly testable framework that is integrated with ASP.NET; a presentation framework for creating web apps
- .NET Core: a cross-platform, open source platform for creating modern web apps
- Xamarin: cross-platform development software which simplifies mobile app creation
These frameworks have been requested by our customers and are heavily used in the industry. Benefits: .NET source code analysis is faster and more robust; binary scanning continues to be supported; customers can now scan Windows Azure apps; the pre-compile step required in previous versions is eliminated.
Gradle Support: Gradle is a build tool used by DevOps teams to continuously build programs, an open source build automation system designed for large multi-project builds. Benefit: with SCA supporting Gradle, we've made it easier to scan code through Gradle via an integrated plugin, making the build process run seamlessly. The workflow is similar to that with Ant, Make or Maven. SCA's Gradle adapter supports the following language/platform combinations: Java/Linux, Java/Windows, Java/Mac, C/Linux, C++/Linux. Gradle builds upon the concepts of Apache Ant and Apache Maven and introduces a Groovy-based domain-specific language (DSL).
Incremental Analysis (IA): applications are large and complex (you experience this now when you interact with apps) and scanning them can be time consuming, while DevOps accelerates the SDLC to get software into production quickly. Organizations understand they must build security into the SDLC, but there is not always enough time to run a full scan every time the code changes. The solution is IA. Before you can take advantage of IA, a full scan is needed to establish a baseline; then all subsequent scans can enable IA. SCA identifies what is new or changed, reducing the amount of time required to run successive scans. Phase 1 of 3 is the architectural phase: laying the foundation and building a platform. Two analyzers are included: 1. Configuration Analyzer; 2. Semantic Analyzer, which identifies obvious mistakes in variables that are out of context and does not look at the flow of data.
Selling points, why customers care: shortens scan times; supports DevOps; improves productivity, giving time back to developers; value (stay competitive, get software into production faster).
23
Fortify on Demand v17.1 highlights
User experience improvements
- Continuous application monitoring
  - Triaging discovery results: grouping, canned queries, new/existing status, last scan date
  - Confirming and creating multiple applications
- Performance and flexibility
  - Improved global search
  - Improved trending engine
  - Tracking pause reasons
  - Scans page and exports
- Improved navigation
  - Linked scan status icons
  - Quick view security policy
  - Left navigation panel
- FoD / SSC Link utility updates
24
FoD / SSC Link Utility updates
Customizable API URL built on the latest FoD API version
25
Fortify on Demand v17.1 highlights
User experience improvements
- Continuous application monitoring
  - Triaging discovery results: grouping, canned queries, new/existing status, last scan date
  - Confirming and creating multiple applications
- Performance and flexibility
  - Improved global search
  - Improved trending engine
  - Tracking pause reasons
  - Scans page and exports
- Improved navigation
  - Linked scan status icons
  - Quick view security policy
  - Left navigation panel
- FoD / SSC Link utility updates
- Updated mobile scan settings page
- False positive challenge submission form
- Show/hide fix validated issues independently
- Specify on-premise App Defender URL
- Customer-specific Security Assistant license
- Static reporting of files scanned
- Removed "Other" static scan technology option
- API improvements
- Performance and stability
26
Learn more
Detailed release notes available in the Fortify on Demand Help Center