Overview:
Find and fix all types of application security issues within your DevOps CI/CD cycle
FortiDevSec automates application security testing to detect and remediate security vulnerabilities in application source code, the open-source and third-party libraries it includes, container images, and Infrastructure-as-Code files early in the development stages of the application lifecycle, without requiring much security expertise from developers or DevOps.
The comprehensive SaaS-based continuous application testing solution enables developers to detect and remediate security vulnerabilities within the DevOps continuous integration/continuous delivery/deployment (CI/CD) lifecycle.
Features and Benefits
- BUILD AND DEPLOY SECURE APPLICATIONS FortiDevSec offers a comprehensive continuous application testing solution to detect and remediate vulnerabilities, empowering software developers and devops to build and deploy secure applications
- INTELLIGENT SECURITY FortiDevSec utilizes advanced threat detection capabilities to prioritize critical threats and reduce false positives
- SEAMLESS INTEGRATION FortiDevSec easily integrates into most major CI/CD platforms and bug trackers like JIRA
- UNIFIED DASHBOARD FortiDevSec’s visual reporting tool aggregates and correlates all scan results across scan types, languages and platforms, and provides uniform risk ratings to assess the overall security posture
- EASY TO DEPLOY FortiDevSec can be deployed in 3 simple steps to quickly respond to critical threats
- SECURITY FABRIC INTEGRATION Integration with Fortinet’s Security Fabric to offer an enhanced solution to secure the CI/CD pipeline
FortiDevSec: Continuous Application Security Testing Use Cases
SIMPLIFIES SECURITY FOR APPLICATION DEVELOPMENT
Easily integrates into most major CI/CD platforms to detect and remediate software vulnerabilities, enabling developers to rapidly build, test and deploy software applications
COMPREHENSIVE VULNERABILITY MANAGEMENT
Automates deployment of application security scanners in the DevOps lifecycle to extend security across the entire vulnerability landscape
RISK MANAGEMENT
Consolidated dashboard aggregates and correlates scan results with intelligent risk scoring to prioritize critical threats
Applications:
FortiDevSec is designed to deploy the appropriate application security test based on the attributes and settings of the application. These testing technologies will analyze and detect software vulnerabilities throughout the different stages of the software development life cycle (SDLC) to secure the CI/CD pipeline.
Software Composition Analysis (SCA), also known as Open Source Software (OSS) scanning
- Identifies all open-source components in the application software
- Validates dependencies across the integrated software
- Ensures vulnerable versions are not being used in the application
- Checks for license policies and organizational mandate
- Verifies applications live on secure infrastructure components
Secrets
- Scans source code and all previous builds for insecurely stored confidential data such as credentials and keys
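To make the Secrets scan type concrete, here is an added example of how such a scan works in principle: pattern rules for well-known credential formats, plus an entropy check so that a generic "secret = ..." rule does not fire on placeholders. This is illustration code written for this page, not FortiDevSec's scanner, and the file contents it walks through are constructed for the example.

```python
"""Minimal secrets scanner: pattern rules plus an entropy filter (added example)."""
import math
import re

# Constructed sample input: the kind of lines a secrets scanner walks through.
SAMPLE_FILE = """\
import os
DB_PASSWORD = "hunter2"
password = os.environ["DB_PASSWORD"]
aws_key = "AKIAIOSFODNN7EXAMPLE"
api_token = "sk_live_4f9c2e7a1b3d5f6e8a0c1d2b3e4f5a6b"
secret = "changeme-changeme-changeme"
-----BEGIN RSA PRIVATE KEY-----
version = "1.2.3"
"""

# Each rule: a name and a regex whose first capture group is the candidate secret.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    # A quoted literal assigned to something named password*; reading it from the
    # environment (line 3 of the sample) is not a finding.
    ("hardcoded-password", re.compile(r"(?i)password\w*\s*=\s*['\"]([^'\"]{4,})['\"]")),
    # Generic rule: only reported when the literal looks random (see entropy check).
    ("generic-token", re.compile(r"(?i)(?:token|secret|api_?key)\w*\s*=\s*['\"]([^'\"]{16,})['\"]")),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, words and placeholders low."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return one finding per (line, rule) hit; the threshold value is an assumption."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            candidate = m.group(1)
            # Cut false positives: "changeme-changeme-changeme" has low entropy, a
            # real API token does not.
            if name == "generic-token" and shannon_entropy(candidate) < entropy_threshold:
                continue
            findings.append({"line": lineno, "rule": name, "match": candidate})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f['line']}: {f['rule']}")
```

Scanning "all previous builds", as the page describes, matters because a credential removed in a later commit is still recoverable from history; a scanner therefore runs this kind of check over every revision, not only the working tree.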
Static Application Security Testing (SAST)
- “White box security testing”
- Detects security issues in the application source code
- Ensures application is compliant with secure coding guidelines
- Detects and remediates bugs introduced by Developers
- Complements SCA/OSS and infrastructure vulnerability testing
Dynamic Application Security Testing (DAST)
- “Black box security testing”
- Detects run-time application security issues
- Ensures application is compliant with secure coding guidelines
- Detects bugs that only emerge during run-time
- Complements SAST, SCA/OSS and infrastructure vulnerability testing
Containers
- Detects software vulnerabilities in container images that are built in the application's CI/CD pipeline
Infrastructure as Code (IaC)
- Scans Infrastructure as Code (IaC) files such as Terraform, Dockerfiles, and Kubernetes manifests to detect configuration issues that expose your deployments to the risk of attack
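As an added illustration of the IaC scan type (this is example code written for this page, not FortiDevSec's checker), the block below runs a few common Dockerfile checks over a weak file and its hardened counterpart: an unpinned base image, a remote ADD, a credential baked into an image layer, and a container that runs as root. Both Dockerfiles are constructed for the example, and the sha256 digest in the hardened one is a placeholder.

```python
"""Dockerfile misconfiguration checks: weak file beside its hardened form (added example)."""
import re

# Constructed: a Dockerfile with four common mistakes.
WEAK_DOCKERFILE = """\
FROM python:latest
ADD https://example.invalid/app.tar.gz /opt/app.tar.gz
ENV DB_PASSWORD=hunter2
RUN pip install -r /opt/app/requirements.txt
CMD ["python", "/opt/app/main.py"]
"""

# Constructed: the same image with each issue addressed (digest is a placeholder).
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY app/ /opt/app/
RUN pip install --no-cache-dir -r /opt/app/requirements.txt \\
    && useradd --system --uid 10001 app
USER 10001
CMD ["python", "/opt/app/main.py"]
"""

# Credential-looking ENV keys with a literal value; values that are a path or a
# $reference (e.g. a mounted secret file) are not flagged.
CREDENTIAL_RE = re.compile(r"(?i)(password|passwd|secret|token|api_?key)\w*=\s*[^/\s$]")


def parse_instructions(text: str) -> list[tuple[str, str]]:
    """Join backslash continuations, drop comments, return (INSTRUCTION, args) pairs."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    out = []
    for entry in logical:
        parts = entry.split(None, 1)
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def check_dockerfile(text: str) -> list[str]:
    """Return the rule IDs that fire; rule names are this example's own."""
    findings = []
    nonroot_user = False
    for op, args in parse_instructions(text):
        if op == "FROM":
            image = args.split()[0]            # drop any "AS stage"
            if "@sha256:" not in image:
                name = image.rsplit("/", 1)[-1]  # ignore registry:port prefixes
                tag = name.split(":", 1)[1] if ":" in name else "latest"
                if tag == "latest":
                    findings.append("unpinned-base-image")
        elif op == "USER":
            # Last USER wins for the final stage.
            nonroot_user = args.split(":")[0] not in ("root", "0")
        elif op == "ADD" and re.match(r"(?i)https?://", args):
            findings.append("add-remote-url")
        elif op == "ENV" and CREDENTIAL_RE.search(args):
            findings.append("credential-in-env")
    if not nonroot_user:
        findings.append("runs-as-root")
    return findings


if __name__ == "__main__":
    print("weak:", check_dockerfile(WEAK_DOCKERFILE))
    print("hardened:", check_dockerfile(HARDENED_DOCKERFILE))
```

The same structure (parse the file, apply rules, report IDs) carries over to Terraform and Kubernetes manifests, where the rules are things like public storage buckets, open security groups and privileged pods rather than Dockerfile instructions.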
Features:
Innovative Product Offering
AppSec testing is very fragmented. There are many types of AppSec scans that need to be run on an application to find all of its vulnerabilities, and these are usually offered by separate products. A multi-product solution creates fragmentation and hinders DevSecOps enablement of AppSec.
The industry needs an innovative AppSec product that has DevSecOps in its DNA. It should be easy for developers and DevOps to use without requiring specialized security expertise. It should also be a comprehensive offering covering all types of AppSec scans, including SAST, DAST, SCA, Secrets, and more.
Simple Security for Modern App Development
Modern application development is a combination of rapid application development using agile methodologies, being cloud-native, using microservices and container-based architectures, using CI/CD to automate build and deployment, and the need to automate application security testing in CI/CD.
FortiDevSec orchestrates and automates continuous application security testing for developers and DevOps directly in the application CI/CD DevOps lifecycle. DevOps can integrate FortiDevSec just by copying a few lines of code into their CI/CD configuration, without requiring any AppSec expertise. This allows AppSec to work at the speed of DevOps. FortiDevSec supports all major CI/CD tools, languages, and frameworks.
Comprehensive Vulnerability Management
Applications need to be secured against multiple attack vectors, and in order to do that they need to be security tested using many types of scanners.
Static or source code testing (SAST) scans the application's own source code; SCA/OSS scans the third-party libraries (typically open-source libraries) included in the application; Secrets scanning looks for plaintext credentials in the code; and DAST, or dynamic testing, analyzes a web application through its front end to find vulnerabilities through simulated attacks.
Consolidated Dashboard
FortiDevSec offers an easy-to-use portal where users can log in and view all the issues across all their applications and all the different scan types. There is no longer any need to use multiple portals for numerous different and fragmented scanners.
Scan results are first normalized across the scan types: the risk rating, risk category, and descriptions are all brought onto a common scale and schema. The results are then aggregated and presented with various filters so the user can prioritize fixing the most critical items first.
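The normalize-then-aggregate step described above is easy to underestimate, because each scan type reports risk differently (a SAST rule says "HIGH", an SCA advisory carries a CVSS score, a DAST alert says "Medium", a secrets hit has no severity at all). The following added example, written for this page and not FortiDevSec's own code, shows one way to map such records onto a single 0-10 rating and category, then filter and rank them the way a consolidated dashboard would. All scanner output, application names and score thresholds are constructed assumptions.

```python
"""Normalizing findings from several scan types into one schema (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str
    scan_type: str
    title: str
    location: str
    score: float   # unified 0-10 risk rating
    category: str  # critical / high / medium / low


# Constructed raw results, each in the shape its own scanner might emit.
RAW_RESULTS = {
    "sast": [{"app": "payments", "rule": "sql-injection", "severity": "HIGH",
              "file": "db.py", "line": 42}],
    "sca": [{"app": "payments", "package": "lodash", "version": "4.17.15",
             "advisory": "prototype pollution", "cvss": 9.8}],
    "dast": [{"app": "portal", "alert": "Missing CSP header", "risk": "Medium",
              "url": "https://portal.example/login"}],
    "secrets": [{"app": "portal", "kind": "aws-access-key-id",
                 "path": "config/prod.env", "line": 3}],
}

# Word severities placed on the same 0-10 scale CVSS already uses (assumed mapping).
SEVERITY_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.0, "low": 2.0, "info": 0.0}
CATEGORY_ORDER = ["low", "medium", "high", "critical"]


def category_for(score: float) -> str:
    """Uniform category from the unified score (thresholds are an assumption)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalize(scan_type: str, raw: dict) -> Finding:
    """Map one scanner-specific record onto the shared schema."""
    if scan_type == "sast":
        score = SEVERITY_SCORE[raw["severity"].lower()]
        title, location = raw["rule"], f"{raw['file']}:{raw['line']}"
    elif scan_type == "sca":
        score = float(raw["cvss"])
        title = f"{raw['package']} {raw['version']}: {raw['advisory']}"
        location = raw["package"]
    elif scan_type == "dast":
        score = SEVERITY_SCORE[raw["risk"].lower()]
        title, location = raw["alert"], raw["url"]
    elif scan_type == "secrets":
        score = SEVERITY_SCORE["high"]  # any exposed credential is treated as high
        title, location = raw["kind"], f"{raw['path']}:{raw['line']}"
    else:
        raise ValueError(f"unknown scan type: {scan_type}")
    return Finding(raw["app"], scan_type, title, location, score, category_for(score))


def normalize_all(raw_results: dict) -> list:
    return [normalize(t, r) for t, records in raw_results.items() for r in records]


def prioritized(findings: list, min_category: str = "low") -> list:
    """Keep findings at or above min_category, most severe first (ties by app, scan type)."""
    floor = CATEGORY_ORDER.index(min_category)
    kept = [f for f in findings if CATEGORY_ORDER.index(f.category) >= floor]
    return sorted(kept, key=lambda f: (-f.score, f.app, f.scan_type))


def summary_by_app(findings: list) -> dict:
    """Counts per application and category, the posture figure a dashboard shows."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f.app][f.category] += 1
    return {app: dict(c) for app, c in counts.items()}


if __name__ == "__main__":
    everything = normalize_all(RAW_RESULTS)
    for f in prioritized(everything, "high"):
        print(f"{f.score:4.1f} {f.category:8} {f.app:9} {f.scan_type:7} {f.title} ({f.location})")
    print(summary_by_app(everything))
```

The point of the uniform score is that a "high" from a DAST alert and a CVSS 8.1 from an SCA advisory can be sorted in one list; the fixed score for secrets reflects that a leaked credential is actionable regardless of any scanner-assigned severity.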