-
Copyright 2014 Hewlett-Packard Development Company, L.P. The
information contained herein is subject to change without
notice.
Dynamically controllable dynamic scanning
Jonathan Griggs, WebInspect Product Manager
Brandon Spruth, Sr. Security Analyst, Morningstar
Brooks Garrett, Manager Operations and Architecture, Fortify on Demand
Jeremy Brooks, WebInspect Engineering
@j_griggs3 #HPProtect
-
This is a rolling (up to three year) Roadmap and is subject to
change without notice.
Forward-looking statements
This document contains forward-looking statements regarding future operations, product development, product capabilities and availability dates. This information is subject to substantial uncertainties and is subject to change at any time without prior notification. Statements contained in this document concerning these matters only reflect Hewlett-Packard's predictions and/or expectations as of the date of this document, and actual results and future plans of Hewlett-Packard may differ significantly as a result of, among other things, changes in product strategy resulting from technological, internal corporate, market and other changes. This is not a commitment to deliver any material, code or functionality and should not be relied upon in making purchasing decisions.
-
HP confidential information
This Roadmap contains HP Confidential Information. If you have a valid Confidential Disclosure Agreement with HP, disclosure of the Roadmap is subject to that CDA. If not, it is subject to the following terms: for a period of 3 years after the date of disclosure, you may use the Roadmap solely for the purpose of evaluating purchase decisions from HP and use a reasonable standard of care to prevent disclosures. You will not disclose the contents of the Roadmap to any third party unless it becomes publicly known, is rightfully received by you from a third party without duty of confidentiality, or is disclosed with HP's prior written approval.
-
Agenda: Dynamically controllable dynamic scanning
- Introduction to the WebInspect API (Jeremy Brooks): setup and configuration; current capabilities; current use cases
- Dynamic scalability (Brooks Garrett, Jonathan Griggs): problem statement; our solution; creating the gold image; the control server; demonstration
- Integration with the SDLC (Brandon Spruth, Jeremy Brooks): mission statement; problems; solution; demonstration
-
Introduction to the WebInspect API
Jeremy Brooks, WebInspect Engineering
-
Problem statement
Customers want a way to remotely control the WebInspect scanner, for:
- Build integration
- Automation
- 3rd-party integrations
-
WebInspect REST API
Remote control of WebInspect:
- Easy-to-use RESTful interface
- Automate control of WI via HTTP
Control a scan:
- Start a new scan, stop a scan in progress, and export to scan file or FPR format
- 13 endpoints to control a scan
Control the WI proxy:
- Start the proxy, shut down the proxy, export the proxy results
- 11 endpoints to control the proxy
-
WebInspect REST API
Remote control of WebInspect:
POST /webinspect/scanner/scan
- Creates a new scan
- Additional parameters can be passed for additional configuration
GET /webinspect/scanner/scan
- Retrieves a list of all scans
- Includes scan name, status and date
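A small client for the two endpoints named on this slide, added here as an example and not code from the HP deck or from WebInspect itself: it builds the POST that starts a scan, parses the GET scan list, and polls until a named scan stops running. The scanner host/port, the JSON body fields (`settingsName`, `overrides`), the response keys and the status strings are assumptions, not the documented WebInspect schema.

```python
"""Added example, not from the HP deck: minimal WebInspect REST API client.
Host/port, body fields, response keys and status values are assumptions."""
import json
import urllib.request
from typing import Callable, Dict, List

BASE_URL = "http://localhost:8083"   # assumed scanner host and port


def start_scan_body(settings_name: str, start_url: str, scan_name: str) -> Dict:
    """Body for POST /webinspect/scanner/scan; field names are assumed."""
    return {"settingsName": settings_name,
            "overrides": {"scanName": scan_name, "startUrls": [start_url]}}


def build_start_scan_request(settings_name: str, start_url: str,
                             scan_name: str) -> urllib.request.Request:
    """POST /webinspect/scanner/scan: creates a new scan (send with urlopen)."""
    return urllib.request.Request(
        BASE_URL + "/webinspect/scanner/scan",
        data=json.dumps(start_scan_body(settings_name, start_url, scan_name)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST")


def parse_scan_list(payload: str) -> List[Dict]:
    """GET /webinspect/scanner/scan returns name, status and date per scan;
    the JSON keys read here are assumed."""
    return [{"name": s["Name"], "status": s["Status"], "date": s["ScanDate"]}
            for s in json.loads(payload)]


def running_scans(payload: str) -> List[str]:
    return [s["name"] for s in parse_scan_list(payload) if s["status"] == "Running"]


def wait_for_scan(scan_name: str, fetch: Callable[[], str], max_polls: int) -> str:
    """Poll the scan list through an injected fetcher (testable offline)
    until the named scan is no longer Running; returns its final status."""
    for _ in range(max_polls):
        for s in parse_scan_list(fetch()):
            if s["name"] == scan_name and s["status"] != "Running":
                return s["status"]
    return "Timeout"


# Constructed sample responses (not real WebInspect output).
SAMPLE_RUNNING = ('[{"Name":"nightly-app","Status":"Running","ScanDate":"2014-09-08"},'
                  ' {"Name":"old-scan","Status":"Complete","ScanDate":"2014-09-01"}]')
SAMPLE_DONE = ('[{"Name":"nightly-app","Status":"Complete","ScanDate":"2014-09-08"},'
               ' {"Name":"old-scan","Status":"Complete","ScanDate":"2014-09-01"}]')
```

In production the fetcher would be `lambda: urllib.request.urlopen(BASE_URL + "/webinspect/scanner/scan").read().decode()` with a sleep between polls.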
-
Next release: what's next?
-
WebInspect BURP plugin
All product views are illustrations and might not represent
actual product screens
-
WebInspect BURP plugin
-
Dynamic scalability
Jonathan Griggs, WebInspect Product Manager
Brooks Garrett, Manager Operations and Architecture, Fortify on Demand
-
Problem statement
Machines cost money:
- Physical hardware
- Virtual machines
- Cloud hosting
Time costs money:
- Electricity
- Management
- Updates
Idle resources are wasted resources, but demand is not consistent.
-
Vertical scalability via remote scanning engines
- Scales horizontally by adding more FTEs
- Scales vertically by automating scan configurations
-
Our solution
Users work through a command and control portal: they select WebInspect scan settings and let the cloud handle the rest, with HP WebInspect machines created and deleted as necessary.
-
Challenges
Sounds easy enough Generating and storing login macros
Automating LIM server connection Building VM gold image Automating
smartupdate Building the user portal to control scan machines
Exporting and storing scan data and reports
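The sizing rule a control server needs so that scanner machines are "created and deleted as necessary" while idle resources are not left running, added here as an example and not code from the deck or from Fortify on Demand. The idle timeout, the machine cap and the `Scanner` record are assumptions.

```python
"""Added example, not from the HP deck: pool-sizing decision for a control
server that creates and deletes WebInspect scanner VMs on demand."""
from dataclasses import dataclass
from typing import List, Tuple

IDLE_TIMEOUT_MIN = 30   # assumed: idle scanners older than this are deleted
MAX_MACHINES = 10       # assumed cap on concurrently provisioned scanners


@dataclass
class Scanner:
    name: str
    busy: bool
    idle_minutes: int    # minutes since its last scan finished


def plan_pool(pending_scans: int, pool: List[Scanner]) -> Tuple[int, List[str]]:
    """Return (machines_to_create, names_to_delete).

    Queued scans are assigned to idle machines first (freshest first, so the
    longest-idle ones become deletion candidates); the shortfall is created
    up to the cap; idle machines not needed for the queue are deleted once
    they have been idle past the timeout.
    """
    idle = sorted((m for m in pool if not m.busy), key=lambda m: m.idle_minutes)
    reusable = idle[:pending_scans]
    shortfall = pending_scans - len(reusable)
    room = MAX_MACHINES - len(pool)
    to_create = max(0, min(shortfall, room))
    to_delete = [m.name for m in idle[pending_scans:]
                 if m.idle_minutes >= IDLE_TIMEOUT_MIN]
    return to_create, to_delete


# Constructed sample pool: one scanning, one idle 45 min, one idle 5 min.
SAMPLE_POOL = [Scanner("wi-1", True, 0), Scanner("wi-2", False, 45),
               Scanner("wi-3", False, 5)]
```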
-
Demonstration
-
Integration with the SDLC
Brandon Spruth, Sr. Security Analyst, Morningstar
Jeremy Brooks, WebInspect Engineering
-
Agenda
- Mission with a problem
- Where to start?
- Tipping the scales in our direction
- Making it work for you!
- Demos
-
Your mission, should you choose to accept it
Develop an application security automation program to assist
software development teams with iterative application security
testing.
-
Houston, we have a problem!
- Hundreds to thousands of developers
- Too many applications with systemic issues
- There are not enough qualified application security professionals
-
There are only solutions!
- Self-service model for developers and QA to build more secure applications
- Iterative and collaborative security testing
- Effective at identifying data-handling and code-quality vulnerabilities
- Enumerates vulnerabilities better than manual assessments
-
Application Security Automation Stack
- DAST & SAST Management Portal
- Dynamic Automation Testing (DAST)
- Static Automation Testing (SAST)
- Continuous Integration
- HP Fortify
-
The holy grail of application security automation
-
Configuring WebInspect with Jenkins
-
Configuring your WebInspect Scan in Jenkins
-
For more information
Attend these sessions:
- Birds of a Feather lunch TT395: HP WebInspect's New RESTful API
- BB3003: How HP Fortify Enables Continuous Monitoring
After the event:
- Contact your sales rep
- Visit the website/Facebook/Twitter at: http://www8.hp.com/us/en/software-solutions/application-security/index.html
Your feedback is important to us. Please take a few minutes to
complete the session survey.
-
Please give me your feedback
Session PN3002. Speakers: Jonathan Griggs / Brooks Garrett / Brandon Spruth / Jeremy Brooks
Please fill out a survey and hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
-
Thank you