
The Cloud as a Platform for Vulnerability-Free Applications

DevSecOps with Veracode

04.30.20

1 © Veracode, Inc. 2020 Confidential


Software Defines the Modern Enterprise

• Technology dominates the business
• Transformation of the development process
• Abstraction of the infrastructure

A world dominated by applications exposed to the Internet.
Software is both a source of value and a focus of risk.
Applications are the new 'attack surface'.
Considerations for Scanning in Pipeline

Pre-commit scans (SAST)
Build scans (SAST, SCA, IAST)
Deploy scans (SAST, SCA, DAST, pen testing)

(Diagram axes: Speed, Completeness of findings, Scope)

1. Shift left: scan early to catch issues while they are cheap to fix
2. Scan again at the end to capture the full scope of the application for auditors
3. Cover all types of security issues by combining several analysis types

• Where are you scanning today?
• What analysis types are you using?



Common Obstacles in AppSec Programs

1. Developers not empowered and focused on finding, not fixing
2. AppSec tools are hard to manage and scale
3. Security teams lack bandwidth for AppSec
4. Too often, security teams dictate rather than partner with development teams and have unrealistic expectations
Better Service at Lower Cost
• Economies of scale
• Fast start
• Scalability & high availability
• Always up to date
• Easy to use

Power of Collective Learning
• Instant accuracy without tuning, based on 14+ trillion lines of code scanned
• Best practices and industry benchmarks from running 2,500 AppSec programs
• More effective collaboration through centralized workflows and analytics

SaaS delivers better service at a lower cost; it enables you to scan from day one.
• How do you calculate the cost of your on-premise deployment?
• How have you built high availability into your on-premise deployment?
The Veracode Approach

• Focus on fixing, not just finding
• Reduce introduction of new flaws
• Provide hands-on training (Veracode Security Labs + E-Learning)

• Integrate security into the pipeline
• Cover all application types
• Consolidate AppSec solutions

• Define program to achieve goals
• Scale through best practices
• Sell value of AppSec



Application Analysis

Integrate security into the pipeline
Automated scanning through integrations with popular systems, plus APIs and code samples

Cover all application types
Support for web, mobile, microservices in all major programming languages and frameworks

Consolidate AppSec solutions
Simplify vendor management and reporting by combining five analysis types in one solution



Veracode Platform

SDLC phases: Code, Commit, Build, Test, Release, Deploy, Operate
Scan types placed along those phases: Greenlight/IDE Scan, Sandbox/Pipeline Scan, Static, Static Policy, SCA, Dynamic Analysis

Scope                     View             Question answered
File or Small Package     Developer View   Is my code secure?
Component or Application  Team View        Is our combined code secure?
Complete Application      Assurance View   Is the application secure?
Deployed Application      Assurance View   Is the deployed application secure?
Veracode through the whole SDLC

Phases: Code, Commit, Build, Integrate, Test, Stage, Deploy, Operate
Development Testing | Security Assurance | Operational Security
(Diagram axis: Cost to Fix)

Veracode Platform
• Veracode Greenlight
• Veracode SCA/SourceClear
• Veracode Static Analysis
• Veracode Dynamic Analysis
• Veracode Manual Penetration Testing
• Veracode Security Services Consulting

Developer Training, Program Management, Application Security Consulting, Third Party Security

Veracode APIs & Integrations: Enterprise Agile Planning, Build System, GRC, IDE, SIEM, Ticketing & Bug Tracking, WAF
Higher scan frequency = greater effectiveness against threats and faster remediation. Veracode lets you run hundreds of scans throughout the development cycle.

DevSecOps
Scans launched automatically through APIs and CI/CD integrations

Remediation
Veracode customers fix around 70% of the vulnerabilities identified, a 12% improvement

Source: Veracode State of Software Security, Vol 9


Veracode

Free the developer from having to be a security expert. Upload and binary-based analysis (where the language allows it).

Open Cloud – AI Report

Inputs: Source code, Binary, Legacy API
Static Analysis -> False-positive reduction (Veracode patent) to 1.2% -> Remediate
Policy

Together they form the 'Application'. Uniform policies and results.
How Is Each Scan Type Priced?

Scan Name      Scan Pricing
IDE Scan       Per Developer
Pipeline Scan  Included in Per MB or Per App
Policy Scan    Per MB or Per App

On demand: ONE SHOT STATIC AND DYNAMIC


Approaches:

AND VERACODE SECURITY LABS

Analysis: Easy to do. Quick Tour

Thank You

