Getting visibility into and control of complex or distributed cloud environments is not only a matter of investing in a CSPM (although that can be part of the answer). Several additional approaches can help; let's look at some of them.
The most obvious step is using a CSPM to view and manage resources in a centralized location. Having everything in one place makes it easier to monitor and control your cloud environment, and a CSPM can scale as your environment changes while helping to automate processes. CSPMs are a maturing technology that can be very effective in bringing a complex environment into compliance; the alerting and remediation they offer help harden security posture. The CSPM market includes Prisma Cloud by Palo Alto Networks, Microsoft Defender for Cloud, Orca Security, Check Point CloudGuard Posture Management, Lacework, and Wiz, among others.
On the visibility front, cloud monitoring tools like Auvik, Datadog, Centreon, Amazon CloudWatch, and Azure Monitor provide metrics and logs that can be used to identify issues and optimize performance, and they can alert you to potential problems before they become critical.
As noted, leveraging automation is going to be important when dealing with complex cloud estates. Automating common tasks reduces the time and effort required to manage your cloud environment and helps create consistency across your systems. Infrastructure-as-code tools like AWS CloudFormation, Google Cloud Deployment Manager, or Azure Resource Manager templates can automate the deployment and management of cloud resources; because the desired state is written down, it can also be checked for misconfigurations before anything is deployed.
Beyond the tools, security best practices such as role-based access control, network segmentation, and encryption also help bring things under control and narrow the search when issues occur, and they reduce the risk of unauthorized access and data breaches.
Tried and true architectural approaches, including containerization and microservices, can also help. They break applications into smaller, independent services, which simplifies the management of complex or distributed cloud environments and makes issues easier to isolate, though each additional service is one more asset to inventory and monitor.
There is probably no single tool that can completely unify cloud compliance reporting across all cloud providers and compliance frameworks. That's a pretty big ask (but a good one).
But there are, of course, tools that streamline compliance reporting and make the process easier to manage across multiple cloud environments and compliance standards. These compliance management platforms can help identify compliance gaps, enforce policies, and generate compliance reports.
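The posture checks listed above (least-privilege access, network segmentation, encryption at rest) and the gap reporting that compliance platforms provide are easier to reason about with a concrete evaluator. The block below is an added example, not code from Prisma Cloud or any other vendor named on this page: it runs a handful of policies over a constructed cloud inventory and produces a per-control gap report. The resource shapes, the `ENC-`, `NET-` and `IAM-` control identifiers, and the policy titles are all hypothetical and do not correspond to any real framework's numbering.

```python
"""Compliance-as-code evaluator: posture checks over a cloud inventory.

Added example, not any CSPM vendor's code. Resource shapes, policy titles and
the ENC-/NET-/IAM- control identifiers are constructed for illustration and
do not correspond to any real framework's numbering.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory (not real infrastructure): a normalised view of the kind
# a CSPM builds from provider APIs, or from IaC templates before deployment.
INVENTORY = [
    {"id": "bucket/prod-logs", "type": "storage_bucket",
     "encryption": "aws:kms", "public": False},
    {"id": "bucket/marketing-assets", "type": "storage_bucket",
     "encryption": None, "public": True},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-bastion-legacy", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "role/deployer", "type": "iam_policy",
     "statements": [{"effect": "Allow", "action": ["s3:GetObject"],
                     "resource": "arn:aws:s3:::prod-logs/*"}]},
    {"id": "role/admin-legacy", "type": "iam_policy",
     "statements": [{"effect": "Allow", "action": ["*"], "resource": "*"}]},
]


@dataclass(frozen=True)
class Policy:
    control: str                   # hypothetical control id
    title: str
    resource_type: str
    check: Callable[[dict], bool]  # returns True when the resource is compliant


@dataclass(frozen=True)
class Finding:
    control: str
    resource_id: str
    title: str


ADMIN_PORTS = {22, 3389}  # SSH and RDP


def encrypted_at_rest(r: dict) -> bool:
    return r.get("encryption") is not None


def not_publicly_readable(r: dict) -> bool:
    return not r.get("public", False)


def no_admin_ports_from_anywhere(r: dict) -> bool:
    # Segmentation check: admin ports must not be reachable from the whole internet.
    return not any(rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS
                   for rule in r["ingress"])


def no_wildcard_allow(r: dict) -> bool:
    # Least-privilege check: an Allow on action * over resource * is unbounded.
    return not any(s["effect"] == "Allow" and "*" in s["action"] and s["resource"] == "*"
                   for s in r["statements"])


POLICIES = [
    Policy("ENC-1", "Storage encrypted at rest", "storage_bucket", encrypted_at_rest),
    Policy("ENC-2", "Storage not publicly readable", "storage_bucket", not_publicly_readable),
    Policy("NET-1", "No SSH/RDP ingress from 0.0.0.0/0", "security_group", no_admin_ports_from_anywhere),
    Policy("IAM-1", "No wildcard Allow on all resources", "iam_policy", no_wildcard_allow),
]


def evaluate(inventory, policies):
    """Run every policy against every resource of its type; return the gaps."""
    return [Finding(p.control, r["id"], p.title)
            for r in inventory for p in policies
            if p.resource_type == r["type"] and not p.check(r)]


def compliance_report(inventory, policies):
    """Per-control summary: how many resources were evaluated and which failed."""
    findings = evaluate(inventory, policies)
    report = {}
    for p in policies:
        evaluated = sum(1 for r in inventory if r["type"] == p.resource_type)
        failed = [f.resource_id for f in findings if f.control == p.control]
        report[p.control] = {"title": p.title, "evaluated": evaluated,
                             "failed": failed, "compliant": not failed}
    return report


if __name__ == "__main__":
    for control, row in compliance_report(INVENTORY, POLICIES).items():
        status = "PASS" if row["compliant"] else f"FAIL {row['failed']}"
        print(f"{control:6} {row['title']:40} {row['evaluated']} evaluated  {status}")
```

The report deliberately records how many resources each control evaluated alongside the failures: a control that shows zero failures because it evaluated zero resources is an inventory gap, not a clean pass, and that distinction is what separates a useful compliance report from a reassuring one. Note that `sg-web` passes NET-1 even though it is open to the world, because the policy is scoped to admin ports; a real rule set would carry separate policies for what may be exposed on 443.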
Prisma Cloud enables you to monitor, view, and report on cloud infrastructure health and your compliance posture. You can create reports with both summary and detailed findings of security and compliance risks, and it also offers a Compliance Dashboard and the ability to create custom compliance standards.
Check Point CloudGuard Posture Management looks to automate conformance to regulatory requirements and security best practices. It provides compliance posture management for AWS, Azure, Google Cloud, Alibaba Cloud, and Kubernetes and claims to reference over 50 compliance frameworks. It also enables customization of cloud compliance with its proprietary Governance Specification Language.
Touting 65 out-of-the-box frameworks, CIS Benchmarks, and custom compliance checks, Orca Security is an agentless solution that works across multiple cloud platforms. It exposes and prioritizes issues so that compliance gaps can be addressed strategically.
Another option is Chef Compliance, which leverages certified, curated audit and remediation content and aims to make sure assets are always in compliance with CIS benchmarks and DISA STIGs. It supports multiple cloud providers and compliance frameworks.
Perhaps lesser-known, CloudCheckr helps maintain security and compliance in the cloud and monitors cloud infrastructure against dozens of standards including PCI DSS, HIPAA, CIS, and NIST.
Cloud One - Conformity, from Trend Micro, works toward security, compliance, and governance of cloud infrastructure with real-time monitoring and auto-remediation features for AWS, Microsoft Azure, and Google Cloud.
Welcome back to PeerSpot's Community Spotlight! Below you can find the latest hot topics posted by your fellow PeerSpot Community members. Read articles, answer questions, and contribute to discussions that are relevant to you and your expertise. Or ask your peers for insight on topics that interest you!
Here are some topics that your peers are discussi...
Director of Community at PeerSpot (formerly IT Central Station)
Aug 2, 2022
@Chris Childerhose, @PraveenKambhampati, @Deena Nouril, @Shibu Babuchandran and @reviewer1925439,
Thank you for contributing your articles and sharing your professional knowledge with 618K PeerSpot community members around the globe, as well as with a much bigger reading audience!
What is OWASP?
OWASP, the Open Web Application Security Project, is a nonprofit foundation dedicated to improving software security. It operates under an open community model, meaning that anyone can participate in and contribute to OWASP-related online chats and projects. OWASP ensures that its offerings (online tools, videos, forums, events, etc.) remain free and are easily accessible t...
The first thing you'd want to do is:
1. Look at your application inventory to determine the language and framework coverage.
2. The next question is which has developer integrations with my current and future-state CI/CD toolset and developer IDEs.
3. Do I have the security team to support it? This helps determine vendor and approach. I say Fortify, as they are the only hybrid (cloud and on-premises) approach.
4. Does this need to be cloud or on-premises?
My most successful customers have used the following:
Ping me if you need further guidance.
The best application security testing platforms include GitHub, GitLab, HCL AppScan, Netsparker, Acunetix Vulnerability Scanner, Pentest-Tools.com, Detectify Deep Scan, Appknox, Checkmarx, and Micro Focus Fortify On Demand.
SAST - Veracode, goes well with integration
DAST - Either Micro Focus WebInspect, Burp Suite Professional, or OWASP ZAP (open source)
Component Scanning - Black Duck, Sonatype Nexus Platform, or WhiteSource Bolt
Vulnerability Auditing - Nessus and CIS-CAT (Assessor Pro), or Qualys
Mitigation - Team effort; for security orchestration - ThreadFix or ZeroNorth
Hello @Charles Race,
A lot of responses already on this one. Considerations will include on-premises vs SaaS, and one tool vs a modular approach using different tools. I will share some additional details.
1. Snyk: It can do SAST, SCA, containers, and IaC scripts, all four. They have four products as part of their SaaS platform. It's commercial and has an open-source version with limited capabilities. Their on-premises scanner is in private beta.
2. CloudDefense.AI: It can do SAST, DAST, SCA, etc. Commercial SaaS platform. Uses ZAP rules behind the scenes for DAST.
3. Synopsys: Great product, the leader in Gartner MQ 2021. Can do IAST as well.
4. SonarQube Enterprise (licensed deployment) is an excellent product for SAST. It supports 27+ languages including SQL, and has strong reporting capabilities and trend analysis.
If you need to do CSPM (Cloud Security Posture Management), you will need to look at others like Prisma Cloud.
Hope this helps.
Hi, my name is Rogerio from Xmart Solutions Brazil (we are an independent consultancy that represents several AST solutions). Some factors are important to evaluate, such as:
How many SAST applications (static analysis), and how often will you do the analysis? How many analyses (URLs) will you do dynamically?
What are your sprints? Do you have internal development or third parties?
Which languages are in your legacy? How will you implement integrations? With what tools?
Would you like to have everything automated?
These are just a few questions for your decision.
I hope I've contributed.
I suggest going for a Secure SDLC approach by integrating security at each level of the development life cycle. If you are constrained to select just one from the above, then start with DAST, as it helps simulate real-time attacks on your production application and thus helps you address the most glaring issues.
Kiuwan - scan for 3rd-party libs
SonarQube - CI/CD integration with low price
I would like you to buy Checkmarx as a SAST tool and have a look at Kondukto, which embeds security tests into DevOps pipelines in an automated fashion using both open source and commercial security tools. Vulnerabilities coming from different sources, be it from penetration tests, bug bounty programs or automated tools, can be managed in a single platform to provide a unified view. With its unique process automation and CI/CD integration capabilities, Kondukto helps to scale AppSec effort and paves the way for DevSecOps. My advice is to pay attention to visibility: visibility into vulnerabilities in native environments leads to improved security awareness among developers.
✔ Custom-tailored training programs based on the vulnerabilities created by each developer and team increase the ROI of training.
✔ Remediation database allows developers to benefit from the know-how accumulated in the company and fix vulnerabilities faster.