Managing Application Security Risks the Smart Way

Micro Focus Frequent Contributor

Even the casual observer sees the headlines which now highlight cybercrimes and cyber security risks. Cyber security risks are increasing and causing more damage to businesses globally. Breach Level Index says security incidents are getting faster and larger in scope, with a headline-shattering 2.6 billion data records compromised in 2017. Our friends at SANS Institute say that the biggest sources of breaches in 2017 continued to be public-facing web applications and Windows OS, closely followed by legacy applications (which are often left untested). 

For those in the AppSec trenches, the big challenges are getting 1) faster scan results, 2) fewer false positives, and 3) actionable and automated results.

Fortify has been one of the leaders in AppSec for more than a decade, and it has a plan to address these new challenges. Fortify General Manager Scott Johnson recently gave a presentation on new and smart ways to tackle AppSec challenges at the FS-ISAC Summit in Boca Raton, FL. This post covers some of the topics Scott discussed during his session.

AppSec needs to become more agile to keep pace with the new development landscape. That means supporting more programming languages, tools and platforms, and ultimately delivering faster scans with better results.

We have two pieces of good news on how we are addressing our customers' need for speed:

1. Making Security Available to Developers via IDE Integrations 

This enables earlier and faster issue identification and helps resolve vulnerabilities in real time. Fortify supports developers within the tools they already use and are comfortable with, and surfaces findings as IDE errors that developers understand easily.

Security Assistant provides real-time, as-you-type security analysis of code and shows the results immediately. Using the native Visual Studio interface, Security Assistant displays security errors alongside regular Visual Studio errors and provides Details and Recommendations drawn from the same Fortify ruleset used by Fortify Static Code Analyzer (SCA). If you haven't seen Fortify's Security Assistant for Visual Studio 2017, check out the demo on our Fortify Unplugged channel.

2. Use Automation by Leveraging Machine Learning for Auditing Issues 

A fundamental problem with static code analysis has always been that its results require human auditing before they are actionable. Because auditing is a labor-intensive and meticulous process, manual auditing can become the bottleneck in the AppSec and development cycles.

Machine-assisted auditing provides faster audit turnaround (results can be delivered in minutes), a welcome speed improvement for AppSec teams. It allows more applications and releases to be covered while keeping the results actionable.

Fortify's Audit Assistant delivers machine-learning-assisted auditing of Fortify Static Code Analyzer (SCA) results. For the first time in the history of application security testing, Fortify captures and reproduces the contextual awareness and security expertise of human auditors over SCA results. Now that's innovation!

Audit Assistant takes raw scan results and applies data classifiers to scan-result metadata and anonymized issue metrics to predict, with high accuracy, which findings are true vulnerabilities.

Our customers see a lot of value in:

  • Reduced number of issues that need deep manual examination
  • Relevant issues being identified earlier in the SDLC
  • The ability to scale application security with existing resources
  • Maintaining consistency in auditing and reporting
  • Increased ROI on existing Fortify products

Smart AppSec is developer-friendly and uses automation to deliver speed. If you haven't already, check out how Micro Focus maintains a Leader position in the Gartner 2018 Magic Quadrant for Application Security Testing based on Fortify's completeness of vision and ability to execute. Then contact sales to set up a time to talk to a Fortify specialist.