© 2020 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Dan Cornell | CTO
Application Asset Management with ThreadFix
October 28, 2020
Building a world where technology is trusted
How we can help:
Advisory Services | Assessment Services | Remediation Services | Vulnerability Resolution Platform
Denim Group is solely focused on helping build resilient software that will withstand attacks.
• Since 2001, helping secure software
• Development background
• Tools + services model
Agenda
• Need for Application Asset Management
• ThreadFix Overview
• ThreadFix Application Asset Management
• Automating the Process
  • nmap
  • OWASP Amass
• Questions
Need for Application Asset Management
Attack Surface
Attack Surface?
Attack Surface
• For the purposes of this presentation… talking about application attack surface
  • Web applications
  • Web services
  • Mobile applications
  • And so on…
Other Materials
• Application Attack Surface: https://www.slideshare.net/denimgroup/monitoring-application-attack-surface-to-integrate-security-into-devops-pipelines
• Reducing Attack Surface: https://www.slideshare.net/denimgroup/reducing-attack-surface-in-budget-constrained-environments
Challenges Rolling Out Software Security Programs
• Resources
  • Raw budget and cost issues
  • Level of effort issues
• Resistance: requires organizational change
  • Apparently people hate this
• Open source tools
  • Can help with raw budget issues
  • May exacerbate problems with level of effort
• View the rollout as a multi-stage process
  • Not one magical effort
  • Use short-term successes and gains to fuel further change
But for many organizations, the first challenge they need to overcome is the reality that…
You can’t defend unknown attack surface
If everything is important then nothing is important
[Translation]
Find out what applications you have in your organization
Decide the relative importance of applications and treat them differently based on this
What Is Your Software Attack Surface?
Software You Currently Know About
Why?
• Lots of value flows through it
• Auditors hassle you about it
• Formal SLAs with customers mention it
• Bad guys found it and caused an incident (oops)
What?
• Critical legacy systems
• Notable web applications
What Is Your Software Attack Surface?
Add In the Rest of the Web Applications You Actually Develop and Maintain
Why Did You Miss Them?
• Forgot it was there
• Line of business procured through non-standard channels
• Picked it up through a merger / acquisition
What?
• Line of business applications
• Event-specific applications
What Is Your Software Attack Surface?
Add In the Software You Bought from Somewhere
Why Did You Miss Them?
• Most scanners only really work on web applications, so no vendors pester you about your non-web applications
• Assume the application vendor is handling security
What?
• More line of business applications
• Support applications
• Infrastructure applications
What Is Your Software Attack Surface?
MOBILE! THE CLOUD!
Why Did You Miss Them?
• Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
What?
• Support for line of business functions
• Marketing and promotion
First Decision
• What is considered to be in scope?
• Depends on how you want to manage vulnerabilities and manage risk
Process
• Identify Application “Homes”
• Enumerate Applications
• Collect Metadata
• Repeat as Needed
So Where Are These Applications?
• Your Datacenters
• 3rd Party Datacenters
• Cloud Providers
ThreadFix Overview
ThreadFix Origin Story
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
• Provide access to powerful analytics
• Drive efficiency with automation and orchestration
44% Reduction in Time-To-Fix Vulnerabilities
Up To 5x Increase in AppSec Assessment Productivity
ThreadFix Data Flow
ThreadFix Pipeline
[Diagram: Findings & Vulnerability Management Pipeline]
• Scan/test inputs (e.g. SecurityCenter), loaded automated/orchestrated or manually
• Pre-processing to reduce vulns to manage: de-dupe, merge, correlate, history, settings, policy, false positives
• Manage by policy & settings: risk triage, consolidate, remediation profiles, templates
• Actionable, tracked insights: verification, HotSpots, alerting
• Single portal for ITAOs, Devs, SMEs, SecChamps; Devs & SMEs work in daily tools and existing workflows
• Security program & policy management and reporting: Tableau, Business Objects, Power BI, Archer, custom reporting
• External system integration
Who Benefits and How?
• Security Team
  • Run more efficient and effective application security programs (200-500% increase in testing throughput, up to 35% reduction in findings that require triage)
• Development Teams
  • Direct testing and receive results via tools and platforms already in use (Jenkins, JIRA, etc)
• Risk-management (GRC) Team
  • Faster resolution of key vulnerabilities (up to 44% reduction in mean-time-to-fix)
Blog Posts on ThreadFix and Metrics
• Value of secure coding training for your organization: https://threadfix.it/resources/applied-threadfix-fire-bullets-then-cannonballs-appsec-edition/
• xAST scanner rollouts: https://threadfix.it/resources/applied-threadfix-fire-bullets-then-cannonballs-part-2/
• Optimizing training investments: https://threadfix.it/resources/applied-threadfix-getting-the-most-out-of-your-training-investment/
• Automating vulnerability exception reporting: https://threadfix.it/resources/applied-threadfix-automated-vulnerability-exception-reporting/
ThreadFix Application Asset Management
ThreadFix Asset Management
• Licensing
• Building Your Asset Portfolio
  • Structure – ThreadFix Teams
• Collecting Application Metadata
  • Linking
  • Risk Characterization
ThreadFix Licensing
• Based on application asset count
  • BUT only those managing scan/test data
• So you can load up as many application assets as you want
  • Only pay for those where you are tracking data
ThreadFix Teams
• Arbitrary container for application assets
• Linked to permissions system
• How to structure?
  • Line-of-business
  • Geography
  • Etc
Application Metadata
• Linking Fields
  • Unique ID
  • Source Code Information
  • IP Address Details
• Risk Characterization
  • Criticality
  • Tag
  • Metadata Values
Linking – Unique ID
• Unique name for an application (within a Team)
• Intended as a key to external systems
Linking – Source Code
• Link to application asset source code
• Supports git and subversion
• Used by Hybrid Analysis Mapping (HAM)
• Can specify credentials, branch, revision
Linking – IP Addresses
• Linked to fixed infrastructure supporting the application asset
• Can be linked to multiple IPs, ranges
• Source for joint infrastructure/application asset reporting
Characterization - Criticality
• Raw score of how critical the application asset is
• Critical, High, Medium, Low
• Used by Relative Risks Portfolio view
Characterization - Tags
• Free-form way to tag applications
  • Environment, hosting arrangement, language/platform
• Can attach risk ratings to tags
• Used by Relative Risks Portfolio view
Tagging Video Resources
https://threadfix.it/resources/introduction-to-tagging/
https://threadfix.it/resources/introduction-to-tagging-part-2/
Characterization - Metadata
• Key/value pairs stored for an application
• Acceptable key values are managed by a ThreadFix administrator
Blog on Application Portfolio Tracking
https://threadfix.it/resources/applied-threadfix-application-portfolio-tracking/
Automating the Process
Automation - nmap
• nmap: https://nmap.org/
• Look for common web server ports:
  • 80, 443, 8000, 8008, 8080, 8443
  • Others depending on your environment
• nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24
• Great for dense environments you control
  • Largely datacenters
https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/
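An added example (not from the deck, and not ThreadFix's own code) of what the nmap step looks like once automated: it parses nmap's XML output (the -oX flag) for the slide's web ports into one candidate application asset per live host and open port, then diffs those against a constructed list of URLs already in the portfolio, so only the unknown attack surface needs review. The sample XML, addresses, hostnames, tag names and the known-asset list are all constructed.

```python
"""Constructed example: turn nmap XML output into candidate web application
assets and report the ones an existing asset portfolio does not yet know about."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports the slide calls "common web server ports"; 443 and 8443 are assumed to be TLS.
WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443}
TLS_PORTS = {443, 8443}

# Constructed sample of `nmap -sS -p 80,443,8000,8008,8080,8443 -oX - 10.0.5.0/24`
# (-oX = XML output); the addresses and hostnames below are made up.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -p 80,443,8000,8008,8080,8443 -oX - 10.0.5.0/24">
  <host>
    <status state="up"/>
    <address addr="10.0.5.10" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.5.27" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.5.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed stand-in for the URLs already tracked in the asset portfolio.
KNOWN_ASSET_URLS = ["https://intranet.example.internal/"]


@dataclass(frozen=True)
class AssetCandidate:
    ip: str
    hostname: Optional[str]
    port: int
    url: str
    tags: Tuple[str, ...]


def parse_nmap_xml(xml_text: str, network_tag: str) -> List[AssetCandidate]:
    """One candidate asset per (live host, open TCP web port) found in the nmap XML."""
    root = ET.fromstring(xml_text)
    candidates: List[AssetCandidate] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no ports worth recording
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            if port.get("protocol") != "tcp" or portid not in WEB_PORTS:
                continue  # e.g. ssh on 22: not application attack surface for this inventory
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not reachable attack surface today
            scheme = "https" if portid in TLS_PORTS else "http"
            default_port = portid == (443 if scheme == "https" else 80)
            target = hostname or ip  # prefer the DNS name as the stable asset identifier
            url = f"{scheme}://{target}" if default_port else f"{scheme}://{target}:{portid}"
            tags = ("discovered:nmap", network_tag, f"scheme:{scheme}")
            candidates.append(AssetCandidate(ip, hostname, portid, url, tags))
    return candidates


def find_unknown(candidates: List[AssetCandidate], known_urls: List[str]) -> List[AssetCandidate]:
    """Candidates whose URL is not already in the portfolio: the unknown attack surface."""
    known = {u.rstrip("/").lower() for u in known_urls}
    return [c for c in candidates if c.url.rstrip("/").lower() not in known]


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML, "network:datacenter-a")
    for c in find_unknown(found, KNOWN_ASSET_URLS):
        print(f"NEW {c.url:40} ip={c.ip} port={c.port} tags={','.join(c.tags)}")
```

The -sS SYN scan itself needs raw-socket privileges and is normally run as root, while this parser runs unprivileged on the saved XML.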
Automation – OWASP Amass
• OWASP Amass is a powerful tool for finding hosts associated with your organization
• Home page: https://github.com/OWASP/Amass
ThreadFix / Amass Automation
https://threadfix.it/resources/applied-threadfix-seeding-your-application-portfolio-with-owasp-amass/
Questions
Building a world where technology is trusted.
@denimgroup
www.denimgroup.com

 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Application Asset Management with ThreadFix

1. Application Asset Management with ThreadFix. Dan Cornell | CTO. October 28, 2020. Building a world where technology is trusted.
2. How we can help: Advisory Services, Assessment Services, Remediation Services, Vulnerability Resolution Platform. Denim Group is solely focused on helping build resilient software that will withstand attacks.
   • Since 2001, helping secure software
   • Development background
   • Tools + services model
3. Agenda
   • Need for Application Asset Management
   • ThreadFix Overview
   • ThreadFix Application Asset Management
   • Automating the Process
     • nmap
     • OWASP Amass
   • Questions
4. Need for Application Asset Management
5. Attack Surface
6. Attack Surface?
7. Attack Surface
   • For the purposes of this presentation…talking about application attack surface
     • Web applications
     • Web services
     • Mobile applications
     • And so on…
8. Other Materials
   • Application Attack Surface: https://www.slideshare.net/denimgroup/monitoring-application-attack-surface-to-integrate-security-into-devops-pipelines
   • Reducing Attack Surface: https://www.slideshare.net/denimgroup/reducing-attack-surface-in-budget-constrained-environments
9. Challenges Rolling Out Software Security Programs
   • Resources
     • Raw budget and cost issues
     • Level of effort issues
   • Resistance: requires organizational change
     • Apparently people hate this
   • Open source tools
     • Can help with raw budget issues
     • May exacerbate problems with level of effort
   • View the rollout as a multi-stage process
     • Not one magical effort
     • Use short-term successes and gains to fuel further change
10. But for many organizations, the first challenge they need to overcome is the reality that…
11. You can’t defend unknown attack surface. If everything is important then nothing is important.
12. [Translation] Find out what applications you have in your organization. Decide the relative importance of applications and treat them differently based on this.
13. What Is Your Software Attack Surface? Software You Currently Know About
   Why?
     • Lots of value flows through it
     • Auditors hassle you about it
     • Formal SLAs with customers mention it
     • Bad guys found it and caused an incident (oops)
   What?
     • Critical legacy systems
     • Notable web applications
14. What Is Your Software Attack Surface? Add In the Rest of the Web Applications You Actually Develop and Maintain
   Why Did You Miss Them?
     • Forgot it was there
     • Line of business procured through non-standard channels
     • Picked it up through a merger / acquisition
   What?
     • Line of business applications
     • Event-specific applications
15. What Is Your Software Attack Surface? Add In the Software You Bought from Somewhere
   Why Did You Miss Them?
     • Most scanners only really work on web applications, so no vendors pester you about your non-web applications
     • Assume the application vendor is handling security
   What?
     • More line of business applications
     • Support applications
     • Infrastructure applications
16. What Is Your Software Attack Surface? MOBILE! THE CLOUD!
   Why Did You Miss Them?
     • Any jerk with a credit card and the ability to submit an expense report now runs their own private procurement office
   What?
     • Support for line of business functions
     • Marketing and promotion
17. First Decision
   • What is considered to be in scope?
   • Depends on how you want to manage vulnerabilities and manage risk
18. Process
   • Identify Application “Homes”
   • Enumerate Applications
   • Collect Metadata
   • Repeat as Needed
19. So Where Are These Applications?
   • Your Datacenters
   • 3rd Party Datacenters
   • Cloud Providers
20. ThreadFix Overview
21. ThreadFix Origin Story
22. ThreadFix Overview
   • Create a consolidated view of your applications and vulnerabilities
   • Prioritize application risk decisions based on data
   • Translate vulnerabilities to developers in the tools they are already using
   • Provide access to powerful analytics
   • Drive efficiency with automation and orchestration
   44% Reduction in Time-To-Fix Vulnerabilities. Up To 5x Increase in AppSec Assessment Productivity.
23. ThreadFix Data Flow (diagram)
24. ThreadFix Pipeline (diagram). Labels: Findings & Vulnerability Management Pipeline; Automated/Orchestrated Pre-Processing; De-Dupe; Merge; Correlate; History; Reduce Vulns to Manage; Settings; Policy; False Positives; Risk Triage; Manage by Policy & Settings; Consolidate; Remediation Profiles; Templates; Actionable Tracked Insights; Verification; HotSpots; Alerting; Single Portal for: ITAO’s, Dev’s, SME’s, SecChamps; Dev’s & SME’s work in daily tools and existing workflows; Security Program & Policy Management and reporting; External System Integration: Tableau, Business Object, Power BI, Archer, Custom Reporting; Manual; i.o. SecurityCenter.
25. Who Benefits and How?
   • Security Team
     • Run more efficient and effective application security programs (200-500% increase in testing throughput, up to 35% reduction in findings that require triage)
   • Development Teams
     • Direct testing and receive results via tools and platforms already in use (Jenkins, JIRA, etc)
   • Risk-management (GRC) Team
     • Faster resolution of key vulnerabilities (up to 44% reduction in mean-time-to-fix)
26. Blog Posts on ThreadFix and Metrics
   • Value of secure coding training for your organization: https://threadfix.it/resources/applied-threadfix-fire-bullets-then-cannonballs-appsec-edition/
   • xAST scanner rollouts: https://threadfix.it/resources/applied-threadfix-fire-bullets-then-cannonballs-part-2/
   • Optimizing training investments: https://threadfix.it/resources/applied-threadfix-getting-the-most-out-of-your-training-investment/
   • Automating vulnerability exception reporting: https://threadfix.it/resources/applied-threadfix-automated-vulnerability-exception-reporting/
27. ThreadFix Application Asset Management
28. ThreadFix Asset Management
   • Licensing
   • Building Your Asset Portfolio
     • Structure – ThreadFix Teams
     • Collecting Application Metadata
       • Linking
       • Risk Characterization
29. ThreadFix Licensing
   • Based on application asset count
   • BUT only those managing scan/test data
   • So you can load up as many application assets as you want
   • Only pay for those where you are tracking data
30. ThreadFix Teams
   • Arbitrary container for application assets
   • Linked to permissions system
   • How to structure?
     • Line-of-business
     • Geography
     • Etc
31. Application Metadata
   • Linking Fields
     • Unique ID
     • Source Code Information
     • IP Address Details
   • Risk Characterization
     • Criticality
     • Tag
     • Metadata Values
32. Linking – Unique ID
   • Unique name for an application (within a Team)
   • Intended as a key to external systems
33. Linking – Source Code
   • Link to application asset source code
   • Supports git and subversion
   • Used by Hybrid Analysis Mapping (HAM)
   • Can specify credentials, branch, revision
34. Linking – IP Addresses
   • Linked to fixed infrastructure supporting the application asset
   • Can be linked to multiple IPs, ranges
   • Source for joint infrastructure/application asset reporting
35. Characterization – Criticality
   • Raw score of how critical the application asset is
   • Critical, High, Medium, Low
   • Used by Relative Risks Portfolio view
36. Characterization – Tags
   • Free-form way to tag applications
   • Environment, hosting arrangement, language/platform
   • Can attach risk ratings to tags
   • Used by Relative Risks Portfolio view
37. Tagging Video Resources
   • https://threadfix.it/resources/introduction-to-tagging/
   • https://threadfix.it/resources/introduction-to-tagging-part-2/
38. Characterization – Metadata
   • Key/value pairs stored for an application
   • Acceptable key values are managed by a ThreadFix administrator
39. Blog on Application Portfolio Tracking: https://threadfix.it/resources/applied-threadfix-application-portfolio-tracking/
40. Automating the Process
41. Automation – nmap
   • nmap: https://nmap.org/
   • Look for common web server ports:
     • 80, 443, 8000, 8008, 8080, 8443
     • Others depending on your environment
   • nmap -sS -p 80,443,8000,8008,8080,8443 x.y.z.0/24
   • Great for dense environments you control
     • Largely datacenters
   • https://www.denimgroup.com/resources/blog/2016/03/threadfix-in-action-discovering-your-organizations-software-attack-surface-web-app-edition/
42. Automation – OWASP Amass
   • OWASP Amass is a powerful tool for finding hosts associated with your organization
   • Home page: https://github.com/OWASP/Amass
43. ThreadFix / Amass Automation: https://threadfix.it/resources/applied-threadfix-seeding-your-application-portfolio-with-owasp-amass/
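Added example (not ThreadFix or Denim Group code) of the nmap automation step and the asset metadata fields the deck lists: it parses the XML that nmap writes with -oX for the web-port scan on the nmap slide (the sample document below is constructed) and stages one candidate asset record per host with an open web port. The record layout is a hypothetical staging format that mirrors the deck's Unique ID, IP address, tag and criticality fields, not the ThreadFix API.

```python
"""Stage nmap web-port scan results as candidate application asset records.

Added example, not ThreadFix or Denim Group code. It parses the XML that
`nmap -sS -p 80,443,8000,8008,8080,8443 -oX scan.xml x.y.z.0/24` writes
(nmap's -oX format is real; the document below is constructed) and builds
one staging record per host with an open web port. The record fields are
a hypothetical layout mirroring the deck's metadata, not the ThreadFix API.
"""
import xml.etree.ElementTree as ET

WEB_PORTS = {80, 443, 8000, 8008, 8080, 8443}  # ports listed on the slide
TLS_PORTS = {443, 8443}

# Constructed sample: three hosts, one of them down, one with only port 8000.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 80,443,8000,8008,8080,8443 -oX - 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="8000"><state state="open"/><service name="http-alt"/></port></ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
</nmaprun>
"""


def _is_open(port_el):
    state = port_el.find("state")
    return state is not None and state.get("state") == "open"


def parse_web_hosts(xml_text):
    """Return [(ip, hostname or None, sorted open web ports)] for hosts that are up."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        hn = host.find("hostnames/hostname")
        open_ports = sorted(
            int(p.get("portid"))
            for p in host.findall("ports/port")
            if _is_open(p) and int(p.get("portid")) in WEB_PORTS
        )
        if open_ports:  # only hosts that look like they serve a web app
            hosts.append((addr.get("addr"), hn.get("name") if hn is not None else None, open_ports))
    return hosts


def build_asset_records(hosts, team="Datacenter-1"):
    """Hypothetical staging records shaped like the deck's metadata fields."""
    records = []
    for ip, name, ports in hosts:
        tags = ["discovered:nmap", f"team:{team}"]
        # A host answering only on plaintext ports is worth flagging for triage.
        tags.append("tls" if any(p in TLS_PORTS for p in ports) else "plaintext-only")
        records.append({
            "team": team,                       # ThreadFix Team: container plus permissions
            "uniqueId": f"nmap-{ip}",           # Unique ID: key into external systems
            "name": name or ip,
            "ipAddresses": [ip],                # IP Address linking field
            "tags": tags,                       # free-form tags; risk ratings can attach
            "criticality": None,                # Critical/High/Medium/Low, set by a person
            "metadata": {"open_web_ports": ",".join(map(str, ports))},
        })
    return records
```

Records with criticality still unset are the ones the "collect metadata" step of the process has not yet reached; repeating the scan and diffing unique IDs against the existing portfolio is how new attack surface shows up.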
44. Questions
45. Building a world where technology is trusted. @denimgroup www.denimgroup.com