
Key AppSec Takeaways from the Micro Focus Cybersecurity Summit!

Micro Focus Expert

The Micro Focus Cybersecurity Summit was last week, in Washington D.C. at the historic Omni Hotel & Resort. The Cybersecurity Summit is our customers’ chance to interact face-to-face with our product managers, security leaders and other customers to share best practices and solution roadmaps. 

If you missed the event, there is still a chance to register for the Digital Summit, which begins October 30th with recordings of all the sessions and keynotes. Between now and then, however, I wanted to share some of my favorite nuggets from a few of the Fortify presentations given over an incredible three days, and hopefully give you some insight and motivation to check out the full sessions once they are available!

Application Security As a Service: Start your application initiative in less than a day

David Harper - Practice Principal, Fortify on Demand 

In this presentation, David talks about 4 main topics, which are:

  • The Application Security Problem
  • Security Gates
  • Secure DevOps
  • Best Practice Approaches

In the first section, David discusses how 80% of breaches today come from application vulnerabilities, a share that keeps growing because companies continue to add more applications while shortening their release cycles. Alongside that growing issue, he also addresses how applications are driven by the business rather than by IT, and then touches on some of the key application security challenges companies face, such as a lack of expertise and resources, compliance requirements, and securing outsourced, third-party and open source code.

In the next section, David discusses one approach companies can take: a security gate. Along with explaining what a security gate does, he also shows how to implement one with Fortify on Demand. The challenge, however, is that even though a security gate may work for your organization now, can it keep up with DevOps?

This brings us to the third section of the presentation, where David discusses securing DevOps. Along with discussing what exactly DevOps is and how it means different things to different companies, we also get some great advice on building security into the software development lifecycle (SDLC) and addressing it early on. David also touches on the built-in, role-based secure DevOps training that is offered in Fortify on Demand.

Finally, the best practice approach section ties the entire presentation together. We hear a fairly detailed plan for creating an application security program: implement a security gate first, then secure the DevOps lifecycle with compensating controls.

Not only does David Harper’s presentation have tons of fantastic information on using Fortify on Demand to its fullest, but you will also leave with plenty of best practice advice to assist your organization on its Application Security journey.

Shifting Security Left: Bringing security into continuous integration and delivery

Lucas von Stockhausen - Fortify, along with guest Fortify customers

This presentation covers three simple questions: what shifting security left means, why you should shift left, and finally how to shift left. While discussing what shifting security left means, the team points out that it is NOT about moving current activities left, changing the location of the stop, or controlling development, but rather about changing how you do security, compromising in order to reduce risk, and finally, becoming a part of development.

One of the biggest challenges today is that Application Security teams not only feel frustrated, ignored and left out, but are also seen as roadblocks, extra work and anti-business. During this presentation, however, the team discusses how shifting left correctly can change all of that. Finally, they give some real-world examples of how a few companies have achieved this, some challenges they faced along the way, and how they overcame those challenges. I don’t want to give too much away here; you’ll just have to watch the presentation to get the real meat of it!

Beyond these two presentations, we got to hear about topics such as:

  • Prioritizing risk relative to mitigating vulnerabilities 
  • Preparing for when your organization will be breached: prioritizing and protecting
  • AppSec at high speed and scale: agility, integration and automation
  • Automate static and dynamic scans, CI/CD integrations and auditing for fast, reliable results
  • Using automatic and manual tests for static, dynamic and mobile with Fortify on Demand
  • Building an AppSec practice in a fast-moving environment: the power of on-premise and as a service
  • And many, many more!

To add even more incentive to register for the Digital Summit and make plans to attend next year, the Micro Focus Cybersecurity Summit gives you a chance to hear from product development leaders about key trends and planned enhancements for our other industry-leading cybersecurity products, including ArcSight, Identity & Access, Voltage and ZENworks. 

Finally, Fortify will be at OWASP AppSec USA, October 8-12. Register now and get $100 off an Unlimited Ticket with this Discount Code: USA18MCROFCS100. Be sure to stop by booth P1 to get your own #Fortify demo.
