Elevate Your Application Security Program with Burp Suite and ThreadFix
Transcript of Elevate Your Application Security Program with Burp Suite and ThreadFix
© 2017 Denim Group – All Rights Reserved
Elevate Your Application Security Program with BurpSuite Pro and ThreadFix
July 18th, 2017
Dan Cornell, CTO, Denim Group
Dafydd Stuttard, Director, PortSwigger Web Security
Agenda
• BurpSuite Pro Background and Demo
• ThreadFix Background
• BurpSuite Pro and ThreadFix Together
2
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
5
Create a consolidated view of your applications and vulnerabilities
7
Translate vulnerabilities to developers in the tools they are already using
14
Hybrid Analysis Mapping
• Merge BurpSuite Pro scan results with the results of SAST
• Soon: Better imports of Burp Infiltrator for IAST/HAM-like capabilities
17
ThreadFix ScanAgent
• Drive BurpSuite Pro automated scanning from ThreadFix
• One-time scans
• Scheduled scans
• CI/CD integration
18
Secure DevOps with ThreadFix
• What does your pipeline look like?
http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu
http://www.slideshare.net/denimgroup/rsa2015-blending-theautomatedandthemanualmakingapplicationvulnerabilitymanagementyourally
https://blog.samsungsami.io/development/security/2015/06/16/getting-security-up-to-speed.html
19
AppSec Testing for DevOps
• Configuring Testing Policies
• AppSec Testing for DevOps in Action
20
Policy Configuration
• Testing
  • Synchronous
  • Asynchronous
• Decision
• Reporting
Blog Post: Effective Application Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
https://www.denimgroup.com/resources/effective-application-security-for-devops/
21
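The Testing / Decision / Reporting structure of this slide, as an added illustrative example in Python (not ThreadFix's or Burp Suite's own code): a pipeline gate in which synchronous scanners can fail the build while asynchronous scanners only report. The policy fields, severity ranking, tool names and sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Severity ordering used by the gate (an assumption for this example).
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that produced it, e.g. "burp" (DAST) or "sast"
    severity: str   # a key of SEVERITY_RANK
    name: str
    location: str   # URL for a DAST finding, source path for a SAST finding

@dataclass
class Policy:
    synchronous: frozenset   # tools whose findings may block the pipeline
    asynchronous: frozenset  # tools whose findings are only reported
    fail_at: str = "High"    # lowest severity that counts against the gate
    allowed: int = 0         # findings at or above fail_at tolerated before failing

def evaluate(findings, policy):
    """Testing -> Decision -> Reporting: returns (passed, report)."""
    threshold = SEVERITY_RANK[policy.fail_at]
    blocking, reported = [], []
    for f in findings:
        if f.tool in policy.synchronous and SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)
        elif f.tool in policy.synchronous | policy.asynchronous:
            reported.append(f)
        else:
            # A scanner the policy does not mention is a configuration gap, not a pass.
            raise ValueError(f"tool {f.tool!r} is not covered by the policy")
    passed = len(blocking) <= policy.allowed
    fmt = lambda f: f"{f.severity} {f.name} at {f.location} ({f.tool})"
    report = {"passed": passed,
              "blocking": [fmt(f) for f in blocking],
              "reported": [fmt(f) for f in reported]}
    return passed, report

# Constructed sample results: a DAST scan run inside the pipeline (synchronous)
# and a slower SAST run whose results are consumed asynchronously.
SAMPLE_FINDINGS = [
    Finding("burp", "High", "SQL injection", "/login"),
    Finding("burp", "Low", "Missing HttpOnly flag", "/session"),
    Finding("sast", "Critical", "Hard-coded credential", "src/config.py"),
]
DEFAULT_POLICY = Policy(synchronous=frozenset({"burp"}), asynchronous=frozenset({"sast"}))

if __name__ == "__main__":
    passed, report = evaluate(SAMPLE_FINDINGS, DEFAULT_POLICY)
    print("PASS" if passed else "FAIL", report)
```

With the default policy the High DAST finding fails the gate while the Critical SAST finding is only reported; moving "sast" into the synchronous set makes it block as well.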