© 2016 Denim Group – All Rights Reserved

ThreadFix and SD Elements: Unifying Security Requirements and Vulnerability Management for Applications

November 17th, 2016

Dan Cornell, CTO, Denim Group

Shane Parfitt, Product Marketing Manager, Security Compass


Agenda

• State of Application Security

• Why Managed Security Requirements?

• SD Elements Overview/How it Works

• Business Value

• ThreadFix Overview

• ThreadFix / SD Elements Integration

Copyright © 2016 Security Compass. All rights reserved.

Why Manage Security Requirements?


[Figure: Software Development Lifecycle, showing Requirements Management alongside the AppSec products/tools: Code Review (SAST) and Pen Testing (DAST)]


Relative Cost of Fixing Defects

[Chart: relative cost of fixing a defect by SDLC phase, rising from 1x to 6.5x, 15x and 100x. Source: IBM Systems Sciences Institute]

The later security vulnerabilities are found in the SDLC, the greater the cost and time required to remediate.


How it Works


• Step 1: Answer a short questionnaire

• Step 2: Get relevant threats and countermeasures

• Step 3: Deliver through your development tools

• Step 4: Build security in

• Step 5: Verify requirements

Repeatable. Scalable. Cost-Efficient.


Application modeling takes just 15 minutes. Information is gathered about language, platform, features, compliance and tools in order to determine the relevant threats and countermeasures.


A list of potential vulnerabilities is drawn from a large expert database of security content, providing a clear risk analysis of the application. The expert database is regularly updated with the latest threats and countermeasures.


SD Elements painlessly fits into existing development processes. Synchronization with ALM tools such as HP ALM, IBM Rational CLM, JIRA, and Microsoft TFS pushes security requirements directly to developers as work items/tickets.


Seamless Integration


Task prioritization helps guide agile teams in choosing what to work on first. Code samples and embedded training help developers understand both the “WHY” and the “HOW” of security requirements.


[Screenshot: imported scanner results matched to a requirement, showing AppScan: Fail and ThreadFix: Fail]

Test results are easily imported from ThreadFix and popular scanning tools. Imported data is matched to requirements for validation and compliance reporting.


Business Value


ROI Calculation: Forrester Case Study of a Fortune 500 Financial Institution


ROI via Vulnerability Reduction

[Chart: average number of Medium and High vulnerabilities per application (App1 through App5), No SDE versus Full SDE Usage; values shown: 32.8, 13.2, 0.4, 0]


Risk Reduction

[Diagram: risk decreases as SDE project progress moves through Identify, Mitigate and Validate, ending at Pass / Done]


Large ISV Client Anecdote

• Attempted to build a similar tool internally and failed. Twice.

• Decided to adopt SD Elements, and realized immediate efficiencies.

Time required for Threat Profiling and Requirements Generation:

• Before SDE: 5 – 10 days!

• After SDE: Less than 1 hour!


ThreadFix


ThreadFix Overview

• Create a consolidated view of your applications and vulnerabilities

• Prioritize application risk decisions based on data

• Translate vulnerabilities to developers in the tools they are already using


Create a consolidated view of your applications and vulnerabilities


Application Portfolio Tracking


Vulnerability Import


Vulnerability Consolidation


Prioritize application risk decisions based on data


Vulnerability Prioritization


Reporting and Metrics


Translate vulnerabilities to developers in the tools they are already using


Defect Tracker Integration


ThreadFix Integration


SD Elements Home Page


Add Connection


Add ThreadFix Credentials


ThreadFix Connection Established!


Add ThreadFix Integration to Project (1)


Add ThreadFix Integration to Project (2)


Add ThreadFix Integration to Project (3)


Import Results


Track Results


Without ThreadFix: Conflicting Results

[Screenshot: without ThreadFix, results from individual scanners conflict with one another (CheckMarx: Partial Pass)]


Report Results



• Automatically generated compliance report showing Completion Status and Verification Status for each control.


Summary


• SD Elements 4 manages security requirements across the entire software development lifecycle, from planning through to release.

• Scalable automation capabilities culminate in more secure applications that cost less to develop and test.

• ThreadFix integration with SD Elements allows organizations to reduce risk by validating requirements using multiple scanner results, while maintaining the same level of automation.


ThreadFix: www.threadfix.it

Security Compass SD Elements: www.securitycompass.com/sdelements

Questions and Contact


About Denim Group

Denim Group is the leading secure software development firm, serving as a trusted advisor on matters of software risk and security. Our flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's understanding of what it takes to fix application vulnerabilities faster.


About Security Compass

Security Compass was named a Gartner Cool Vendor in Application and Endpoint Security 2014 (bit.ly/securitycompass).

Security Compass is a leading application security firm specializing in solving root application security problems for Fortune 500 companies. Our goal is to help you build secure software by seamlessly unifying your application security needs through eLearning, Security Requirements and Verification.
