Denim Group, profile picture
Uploaded byDenim Group
PDF, PPTX314 views

Using Collaboration to Make Application Vulnerability Management a Team Sport

Denim Group focuses on enhancing application vulnerability management through collaboration between security and development teams. They promote the Threadfix platform, which streamlines vulnerability assessment and resolution, achieving significant improvements in efficiency and communication. The document discusses challenges in vulnerability management and emphasizes teamwork to create a more effective security environment.

Embed presentation

Download as PDF, PPTX
© 2020 Denim Group – All Rights Reserved Building a world where technology is trusted. Dan Cornell | CTO Kyle Pippin | ThreadFix Product Manager Using Collaboration to Make Application Vulnerability Management a Team Sport May 28, 2020
© 2020 Denim Group – All Rights Reserved 1 Advisory Services Assessment Services Remediation Services Vulnerability Resolution Platform Building a world where technology is trusted How we can help: Denim Group is solely focused on helping build resilient software that will withstand attacks. • Since 2001, helping secure software • Development background • Tools + services model
© 2020 Denim Group – All Rights Reserved Agenda • Application Vulnerability Management Challenges • ThreadFix Overview • Security Team Collaboration • Security and Development Team Collaboration • Questions 2
© 2020 Denim Group – All Rights Reserved Application Vulnerability Management Challenges
© 2020 Denim Group – All Rights Reserved An Observation • Traditional vulnerability management seems to do this better • Organizations more mature • Server patches are typically more straightforward than custom software changes [But lots of servers still don’t get patched…] 4
© 2020 Denim Group – All Rights Reserved This is Hard • Lots of players involved • Application Security • Development • GRC 5
© 2020 Denim Group – All Rights Reserved This is Hard • Everyone has different incentives and goals • Development: Features, functions, timelines • Application Security: address risk • GRC: Address risk, reach/maintain compliance, implement controls 6
© 2020 Denim Group – All Rights Reserved This is Hard • Access to Developers’ time is a zero-sum game • If you’re fixing security bugs, you’re not developing features • If you’re developing features, you’re not fixing security bugs • Viewing it like this creates winners. And losers… 7
© 2020 Denim Group – All Rights Reserved Typical Outcome • Application security “requires” that certain vulnerabilities get fixed • Development teams try to put this off as long as possible • The group with the best executive support gets their way • But everyone is actually a loser 8
© 2020 Denim Group – All Rights Reserved Stop Fighting 9
© 2020 Denim Group – All Rights Reserved Start Playing on the Same Team 10
© 2020 Denim Group – All Rights Reserved Critical Elements of Teamwork • Respect • Roles • Communication 11
© 2020 Denim Group – All Rights Reserved Critical Elements of Teamwork • Respect • Roles • Communication (and Collaboration) 12
© 2020 Denim Group – All Rights Reserved ThreadFix Overview
© 2020 Denim Group – All Rights Reserved ThreadFix Origin Story
© 2020 Denim Group – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Translate vulnerabilities to developers in the tools they are already using • Provide access to powerful analytics • Drive efficiency with automation and orchestration 15 44% Reduction in Time-To-Fix Vulnerabilities Up To 5x Increase in AppSec Assessment Productivity
© 2020 Denim Group – All Rights Reserved ThreadFix Data Flow 16
© 2020 Denim Group – All Rights Reserved ThreadFix Pipeline 17 i.o. SecurityCenter De-Dupe Merge Correlate History Settings Policy False Positives Risk Triage Consolidate Remediation Profiles Templates Actionable Tracked Insights Verification HotSpots Alerting Findings & Vulnerability Management Pipeline Automated/Orchestrated Pre-Processing Reduce Vulns to Manage Manage by Policy & Settings Single Portal for: ITAO’s Dev’s SME’s SecChamps Dev’s & SME’s Work in daily tools, and existing workflows Security Program & Policy Managemen t and reporting Tableau Business Object Power BI Archer Custom Reporting External System Integration Manua l
© 2020 Denim Group – All Rights Reserved Who Benefits and How? • Security Team • Run more efficient and effective application security programs (200-500% increase in testing throughput, up to 35% reduction in findings that require triage) • Development Teams • Direct testing and receive results via tools and platforms already in use (Jenkins, JIRA, etc) • Risk-management (GRC) Team • Faster resolution of key vulnerabilities (up to 44% reduction in mean- time-to-fix) 18
© 2020 Denim Group – All Rights Reserved Security Team Collaboration
© 2020 Denim Group – All Rights Reserved Security Decisions • Which vulnerabilities will you fix? • Hard enough for an application • Even harder across your portfolio • What is your remediation “budget?” • How do you justify more? 20
© 2020 Denim Group – All Rights Reserved Critical Decisions • Is this vulnerability a true or false positive? • How serious is this vulnerability, actually? • Which of these do we need to fix? 21
© 2020 Denim Group – All Rights Reserved Critical Communications • “This is better/worse than it seems (and why)” • “This has an impact on GRC concerns” • “I need help making a decision about this issue” 22
© 2020 Denim Group – All Rights Reserved ThreadFix Demo • Vulnerability comments for triage • Vulnerability comments for compliance • Vulnerability statuses for workflow
© 2020 Denim Group – All Rights Reserved Additional Resources • Blog post: Effective Security Team Collaboration https://threadfix.it/resources/applied-threadfix- effective-security-team-collaboration/ 24
© 2020 Denim Group – All Rights Reserved Security and Development Team Collaboration
© 2020 Denim Group – All Rights Reserved Developers Don’t Speak PDF
© 2020 Denim Group – All Rights Reserved (They Don’t Speak Excel Either) 27
© 2020 Denim Group – All Rights Reserved Effective Dev/Sec Collaboration • Talk to developers in the tools they’re already using: Defect Trackers (ALM, etc) • Empathy and understanding • Take advantage of sunk-cost investments • 44% reduction in Mean-Time-To-Fix 28
© 2020 Denim Group – All Rights Reserved Bundling Strategies • Turning vulnerabilities into defects • 1:1 approach? • More time spent administering defects than fixing issues • Bundling • By vulnerability type • By severity (more mature applications) • Other approaches 29
© 2020 Denim Group – All Rights Reserved ThreadFix Demo • Bundling vulnerabilities to create defects • Tracking development team progress
© 2020 Denim Group – All Rights Reserved Additional Resources • Blog post: Security Teams Collaborating with Development Teams https://threadfix.it/resources/applied- threadfix-effective-security-team- collaboration/ 31
© 2020 Denim Group – All Rights Reserved Additional Resources • Videos: Introduction to ThreadFix Tagging https://threadfix.it/resources/introduction-to-tagging/ https://threadfix.it/resources/introduction-to-tagging-part-2/ 32
© 2020 Denim Group – All Rights Reserved Questions
© 2020 Denim Group – All Rights Reserved Additional Resources
© 2020 Denim Group – All Rights Reserved Security Champions Webinar • When champions spend time on security stuff they’re not doing development stuff • Pushing security expertise out into development teams helps https://www.denimgroup.com/resources/webinar/security-champions-pushing-security-expertise-to-the-edges-of-your-organization/
© 2020 Denim Group – All Rights Reserved Building a world where technology is trusted. Building a world where technology is trusted. @denimgroup www.denimgroup.com

More Related Content

PDF
SecDevOps: Development Tools for Security Pros
byDenim Group
 
PDF
Security Champions: Pushing Security Expertise to the Edges of Your Organization
byDenim Group
 
PDF
Managing Your Application Security Program with the ThreadFix Ecosystem
byDenim Group
 
PDF
Application Asset Management with ThreadFix
byDenim Group
 
PDF
Running a Software Security Program with Open Source Tools
byDenim Group
 
PDF
ThreadFix 2.2 Preview Webinar with Dan Cornell
byDenim Group
 
PDF
OWASP San Antonio Meeting 10/2/20
byDenim Group
 
PDF
ThreadFix 2.1 and Your Application Security Program
byDenim Group
 
SecDevOps: Development Tools for Security Pros
byDenim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
byDenim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
byDenim Group
 
Application Asset Management with ThreadFix
byDenim Group
 
Running a Software Security Program with Open Source Tools
byDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
byDenim Group
 
OWASP San Antonio Meeting 10/2/20
byDenim Group
 
ThreadFix 2.1 and Your Application Security Program
byDenim Group
 

What's hot

PDF
An Updated Take: Threat Modeling for IoT Systems
byDenim Group
 
PDF
Structuring and Scaling an Application Security Program
byDenim Group
 
PDF
How-To-Guide for Software Security Vulnerability Remediation
byDenim Group
 
PPTX
Building a Mobile Security Program
byDenim Group
 
PDF
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
byDenim Group
 
PDF
Securing Voting Infrastructure before the Mid-Term Elections
byDenim Group
 
PPTX
Building an AppSec Pipeline: Keeping your program, and your life, sane
byweaveraaaron
 
PDF
The Magic of Symbiotic Security
byDenim Group
 
PDF
Using ThreadFix to Manage Application Vulnerabilities
byDenim Group
 
PDF
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
byDenim Group
 
PDF
Secure DevOps with ThreadFix 2.3
byDenim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
PDF
Running a Software Security Program with Open Source Tools (Course)
byDenim Group
 
PDF
Monitoring Attack Surface to Secure DevOps Pipelines
byDenim Group
 
PDF
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
byDenim Group
 
PDF
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
byDenim Group
 
PDF
Mobile Application Assessment - Don't Cheat Yourself
byDenim Group
 
PDF
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
byDenim Group
 
PDF
Real Cost of Software Remediation
byDenim Group
 
PDF
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
byDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
byDenim Group
 
Structuring and Scaling an Application Security Program
byDenim Group
 
How-To-Guide for Software Security Vulnerability Remediation
byDenim Group
 
Building a Mobile Security Program
byDenim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
byDenim Group
 
Securing Voting Infrastructure before the Mid-Term Elections
byDenim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
byweaveraaaron
 
The Magic of Symbiotic Security
byDenim Group
 
Using ThreadFix to Manage Application Vulnerabilities
byDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
byDenim Group
 
Secure DevOps with ThreadFix 2.3
byDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
byDenim Group
 
Monitoring Attack Surface to Secure DevOps Pipelines
byDenim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
byDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
byDenim Group
 
Mobile Application Assessment - Don't Cheat Yourself
byDenim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
byDenim Group
 
Real Cost of Software Remediation
byDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
byDenim Group
 

Similar to Using Collaboration to Make Application Vulnerability Management a Team Sport

PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
byDenim Group
 
PPTX
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
byDenim Group
 
PDF
A New View of Your Application Security Program with Snyk and ThreadFix
byDenim Group
 
PDF
Running a Comprehensive Application Security Program with Checkmarx and Threa...
byDenim Group
 
PDF
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
byDenim Group
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
PDF
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
byDenim Group
 
PPT
Cyber Security integration
byCarlo Dapino
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
byDenim Group
 
PDF
Assessing Business Operations Risk With Unified Vulnerability Management in T...
byDenim Group
 
PDF
The savvy security leader final dg ppt issa_la
byISSA LA
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
PDF
Application Security Testing for a DevOps Mindset
byDenim Group
 
PPTX
Thread Fix Tour Presentation Final Final
byRobin Lutchansky
 
PDF
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
byDenim Group
 
PDF
Optimize Your Security Program with ThreadFix 2.7
byDenim Group
 
PDF
The Permanent Campaign
byDenim Group
 
PDF
Software Security for Project Managers: What Do You Need To Know?
byDenim Group
 
PDF
ThreadFix 2.5 Webinar
byDenim Group
 
PDF
Service now vulnerability patching_move
bySubrat Kumar Dash
 
Enabling Developers in Your Application Security Program With Coverity and Th...
byDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
byDenim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
byDenim Group
 
Running a Comprehensive Application Security Program with Checkmarx and Threa...
byDenim Group
 
ThreadFix and SD Elements Unifying Security Requirements and Vulnerability Ma...
byDenim Group
 
Why Security Engineer Need Shift-Left to DevSecOps?
byNajib Radzuan
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
byDenim Group
 
Cyber Security integration
byCarlo Dapino
 
Enabling Developers in Your Application Security Program With Coverity and Th...
byDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
byDenim Group
 
The savvy security leader final dg ppt issa_la
byISSA LA
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
Application Security Testing for a DevOps Mindset
byDenim Group
 
Thread Fix Tour Presentation Final Final
byRobin Lutchansky
 
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
byDenim Group
 
Optimize Your Security Program with ThreadFix 2.7
byDenim Group
 
The Permanent Campaign
byDenim Group
 
Software Security for Project Managers: What Do You Need To Know?
byDenim Group
 
ThreadFix 2.5 Webinar
byDenim Group
 
Service now vulnerability patching_move
bySubrat Kumar Dash
 

More from Denim Group

PDF
Threat Modeling for IoT Systems
byDenim Group
 
PDF
Reducing Attack Surface in Budget Constrained Environments
byDenim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
Long-term Impact of Log4J
byDenim Group
 
PDF
How to Integrate AppSec Testing into your DevOps Program
byDenim Group
 
PDF
Enumerating Enterprise Attack Surface
byDenim Group
 
PDF
Enumerating Enterprise Attack Surface
byDenim Group
 
PDF
AppSec in a World of Digital Transformation
byDenim Group
 
PDF
AppSec in a World of Digital Transformation
byDenim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
PDF
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
byDenim Group
 
PDF
An OWASP SAMM Perspective on Serverless Computing
byDenim Group
 
PDF
Elevate Your Application Security Program with Burp Suite and ThreadFix
byDenim Group
 
PDF
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
byDenim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
Threat Modeling for IoT Systems
byDenim Group
 
Reducing Attack Surface in Budget Constrained Environments
byDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
Long-term Impact of Log4J
byDenim Group
 
How to Integrate AppSec Testing into your DevOps Program
byDenim Group
 
Enumerating Enterprise Attack Surface
byDenim Group
 
Enumerating Enterprise Attack Surface
byDenim Group
 
AppSec in a World of Digital Transformation
byDenim Group
 
AppSec in a World of Digital Transformation
byDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
byDenim Group
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
byDenim Group
 
An OWASP SAMM Perspective on Serverless Computing
byDenim Group
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
byDenim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
byDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 

Recently uploaded

PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
What's Driving Growth in the Video Surveillance Market 2025?
byMemoori
 
PDF
FastTrack CISSP Reference By Jobyer Ahmed
bysocial72
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PPTX
Cyber Security Quiz 1st Year CSE CS Students
bynirmalamca
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PDF
Manage Logical Volume in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
PDF
Manage Basic Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Managing SELinux Security - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Digital Garage Certification - Google - Viktor Huszag - Online Marketing Fund...
byViktor Huszag
 
PDF
Create or Remove files and directories - RHCE.pdf
byLinuxCert Guru
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
Agile Trailblazers (Scrum Masters, Product Owners, Coaches, Project Managers,...
byScott M. Graffius
 
PDF
Infuse Intelligence Into your App with Foundry Local
byNilesh Gule
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
What's Driving Growth in the Video Surveillance Market 2025?
byMemoori
 
FastTrack CISSP Reference By Jobyer Ahmed
bysocial72
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
Cyber Security Quiz 1st Year CSE CS Students
bynirmalamca
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
Manage Logical Volume in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
Manage Basic Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Managing SELinux Security - RHCSA (RH134).pdf
byLinuxCert Guru
 
Digital Garage Certification - Google - Viktor Huszag - Online Marketing Fund...
byViktor Huszag
 
Create or Remove files and directories - RHCE.pdf
byLinuxCert Guru
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Agile Trailblazers (Scrum Masters, Product Owners, Coaches, Project Managers,...
byScott M. Graffius
 
Infuse Intelligence Into your App with Foundry Local
byNilesh Gule
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 

Using Collaboration to Make Application Vulnerability Management a Team Sport

  • 1.
    © 2020 DenimGroup – All Rights Reserved Building a world where technology is trusted. Dan Cornell | CTO Kyle Pippin | ThreadFix Product Manager Using Collaboration to Make Application Vulnerability Management a Team Sport May 28, 2020
  • 2.
    © 2020 DenimGroup – All Rights Reserved 1 Advisory Services Assessment Services Remediation Services Vulnerability Resolution Platform Building a world where technology is trusted How we can help: Denim Group is solely focused on helping build resilient software that will withstand attacks. • Since 2001, helping secure software • Development background • Tools + services model
  • 3.
    © 2020 DenimGroup – All Rights Reserved Agenda • Application Vulnerability Management Challenges • ThreadFix Overview • Security Team Collaboration • Security and Development Team Collaboration • Questions 2
  • 4.
    © 2020 DenimGroup – All Rights Reserved Application Vulnerability Management Challenges
  • 5.
    © 2020 DenimGroup – All Rights Reserved An Observation • Traditional vulnerability management seems to do this better • Organizations more mature • Server patches are typically more straightforward than custom software changes [But lots of servers still don’t get patched…] 4
  • 6.
    © 2020 DenimGroup – All Rights Reserved This is Hard • Lots of players involved • Application Security • Development • GRC 5
  • 7.
    © 2020 DenimGroup – All Rights Reserved This is Hard • Everyone has different incentives and goals • Development: Features, functions, timelines • Application Security: address risk • GRC: Address risk, reach/maintain compliance, implement controls 6
  • 8.
    © 2020 DenimGroup – All Rights Reserved This is Hard • Access to Developers’ time is a zero-sum game • If you’re fixing security bugs, you’re not developing features • If you’re developing features, you’re not fixing security bugs • Viewing it like this creates winners. And losers… 7
  • 9.
    © 2020 DenimGroup – All Rights Reserved Typical Outcome • Application security “requires” that certain vulnerabilities get fixed • Development teams try to put this off as long as possible • The group with the best executive support gets their way • But everyone is actually a loser 8
  • 10.
    © 2020 DenimGroup – All Rights Reserved Stop Fighting 9
  • 11.
    © 2020 DenimGroup – All Rights Reserved Start Playing on the Same Team 10
  • 12.
    © 2020 DenimGroup – All Rights Reserved Critical Elements of Teamwork • Respect • Roles • Communication 11
  • 13.
    © 2020 DenimGroup – All Rights Reserved Critical Elements of Teamwork • Respect • Roles • Communication (and Collaboration) 12
  • 14.
    © 2020 DenimGroup – All Rights Reserved ThreadFix Overview
  • 15.
    © 2020 DenimGroup – All Rights Reserved ThreadFix Origin Story
  • 16.
    © 2020 DenimGroup – All Rights Reserved ThreadFix Overview • Create a consolidated view of your applications and vulnerabilities • Prioritize application risk decisions based on data • Translate vulnerabilities to developers in the tools they are already using • Provide access to powerful analytics • Drive efficiency with automation and orchestration 15 44% Reduction in Time-To-Fix Vulnerabilities Up To 5x Increase in AppSec Assessment Productivity
  • 17.
    © 2020 DenimGroup – All Rights Reserved ThreadFix Data Flow 16
  • 18.
    © 2020 DenimGroup – All Rights Reserved ThreadFix Pipeline 17 i.o. SecurityCenter De-Dupe Merge Correlate History Settings Policy False Positives Risk Triage Consolidate Remediation Profiles Templates Actionable Tracked Insights Verification HotSpots Alerting Findings & Vulnerability Management Pipeline Automated/Orchestrated Pre-Processing Reduce Vulns to Manage Manage by Policy & Settings Single Portal for: ITAO’s Dev’s SME’s SecChamps Dev’s & SME’s Work in daily tools, and existing workflows Security Program & Policy Managemen t and reporting Tableau Business Object Power BI Archer Custom Reporting External System Integration Manua l
  • 19.
    © 2020 DenimGroup – All Rights Reserved Who Benefits and How? • Security Team • Run more efficient and effective application security programs (200-500% increase in testing throughput, up to 35% reduction in findings that require triage) • Development Teams • Direct testing and receive results via tools and platforms already in use (Jenkins, JIRA, etc) • Risk-management (GRC) Team • Faster resolution of key vulnerabilities (up to 44% reduction in mean- time-to-fix) 18
  • 20.
    © 2020 DenimGroup – All Rights Reserved Security Team Collaboration
  • 21.
    © 2020 DenimGroup – All Rights Reserved Security Decisions • Which vulnerabilities will you fix? • Hard enough for an application • Even harder across your portfolio • What is your remediation “budget?” • How do you justify more? 20
  • 22.
    © 2020 DenimGroup – All Rights Reserved Critical Decisions • Is this vulnerability a true or false positive? • How serious is this vulnerability, actually? • Which of these do we need to fix? 21
  • 23.
    © 2020 DenimGroup – All Rights Reserved Critical Communications • “This is better/worse than it seems (and why)” • “This has an impact on GRC concerns” • “I need help making a decision about this issue” 22
  • 24.
    © 2020 DenimGroup – All Rights Reserved ThreadFix Demo • Vulnerability comments for triage • Vulnerability comments for compliance • Vulnerability statuses for workflow
  • 25.
    © 2020 DenimGroup – All Rights Reserved Additional Resources • Blog post: Effective Security Team Collaboration https://threadfix.it/resources/applied-threadfix- effective-security-team-collaboration/ 24
  • 26.
    © 2020 DenimGroup – All Rights Reserved Security and Development Team Collaboration
  • 27.
    © 2020 DenimGroup – All Rights Reserved Developers Don’t Speak PDF
  • 28.
    © 2020 DenimGroup – All Rights Reserved (They Don’t Speak Excel Either) 27
  • 29.
    © 2020 DenimGroup – All Rights Reserved Effective Dev/Sec Collaboration • Talk to developers in the tools they’re already using: Defect Trackers (ALM, etc) • Empathy and understanding • Take advantage of sunk-cost investments • 44% reduction in Mean-Time-To-Fix 28
  • 30.
    © 2020 DenimGroup – All Rights Reserved Bundling Strategies • Turning vulnerabilities into defects • 1:1 approach? • More time spent administering defects than fixing issues • Bundling • By vulnerability type • By severity (more mature applications) • Other approaches 29
  • 31.
    © 2020 DenimGroup – All Rights Reserved ThreadFix Demo • Bundling vulnerabilities to create defects • Tracking development team progress
  • 32.
    © 2020 DenimGroup – All Rights Reserved Additional Resources • Blog post: Security Teams Collaborating with Development Teams https://threadfix.it/resources/applied- threadfix-effective-security-team- collaboration/ 31
  • 33.
    © 2020 DenimGroup – All Rights Reserved Additional Resources • Videos: Introduction to ThreadFix Tagging https://threadfix.it/resources/introduction-to-tagging/ https://threadfix.it/resources/introduction-to-tagging-part-2/ 32
  • 34.
    © 2020 DenimGroup – All Rights Reserved Questions
  • 35.
    © 2020 DenimGroup – All Rights Reserved Additional Resources
  • 36.
    © 2020 DenimGroup – All Rights Reserved Security Champions Webinar • When champions spend time on security stuff they’re not doing development stuff • Pushing security expertise out into development teams helps https://www.denimgroup.com/resources/webinar/security-champions-pushing-security-expertise-to-the-edges-of-your-organization/
  • 37.
    © 2020 DenimGroup – All Rights Reserved Building a world where technology is trusted. Building a world where technology is trusted. @denimgroup www.denimgroup.com