Transcript Slide 1

HP Fortify Software Security

Claudio Merloni

Software Security Solution Architect

HP Enterprise Security Products

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

The Adversary Marketplace

Stages of an attack, moving from their ecosystem into our enterprise: Research, Infiltration, Discovery, Capture, Exfiltration.

Organize our capability to disrupt the market

Points where the defender can intervene along the same path, from their ecosystem to our enterprise: Educating users, Research, Planning (target access), Capture, Exfiltration.

Organize our capability to disrupt the market (HP portfolio mapped to the stages)

Stages, from their ecosystem to our enterprise: Educating users, Research, Planning (target access), Capture, Exfiltration.

• TippingPoint Solutions: Intrusion Prevention, Network Security, Digital Vaccine
• Fortify Solutions: Software security assessment, Software security assurance
• ArcSight Solutions: Real-time security intelligence, SIEM, Logger

HP Security Research

• HP Security Research teams: DV Labs, ArcSight, Fortify, HP Labs, Application Security Center and Enterprise Security Services (ESS); FSRG
• Collect network and security data from around the globe
• Ecosystem partners: SANS, CERT, NIST, OSVDB, software and reputation vendors
• HP Global Research: 2650+ researchers, 2000+ customers sharing data
• 6x the zero-days of the next 10 competitors combined; "Top security vulnerability research organization for the past three years" (Frost & Sullivan)
• www.hp.com/go/HPSRblog

The problem


Cyber attackers are targeting applications

Layers: Applications, Hardware, Networks

• Security measures in place today: Switch/Router security, Firewalls, NIPS/NIDS, VPN, Net-Forensics, Anti-Virus/Anti-Spam, DLP, Host FW, Host IPS/IDS, Vuln. Assessment tools
• Property at risk: Customer Data, Processes, Trade

84% of breaches occur at the application layer

9/10 mobile applications are vulnerable to attack

What’s the Worst that Could Happen?

The Incident
• PlayStation Network breach reported April 2011
• 77M customer accounts compromised
• PS Network completely offline for 25 days
• Total cost of damages / loss > $171M; could be as high as $24B

The Attack
• DDoS attack followed by SQL Injection
• 130+ servers completely compromised
• Account data, credit cards, email addresses stolen
• Required full network shutdown to contain
• More than just PlayStation Network…

Application security challenges

• Monitoring / protecting production software
• Securing legacy applications (existing software)
• Demonstrating compliance
• Procuring secure software
• Certifying new releases
• Software from every source: in-house development, outsourced, commercial, open source

Today’s approach > expensive, reactive

1. Somebody builds bad software
2. IT deploys the bad software
3. We are breached, or pay to have someone tell us our code is bad
4. We convince and pay the developer to fix it

Why it doesn’t work

30x more costly to secure in production

[Chart: relative cost to fix a vulnerability by lifecycle phase. Phases: Requirements, Coding, Integration/component testing, System testing, Production. Cost multipliers on the axis: 2X, 5X, 10X, 15X, 30X.] After an application is released into Production, it costs 30x more than during design.

Source: NIST

Application Security Testing Techniques

[Chart: the same cost curve (2X, 5X, 10X, 15X, 30X across Requirements, Coding, Integration/component testing, System testing, Production) with the testing techniques placed along it, from the earliest phase to the latest: SAST, IAST, DAST, RASP.]

• SAST: Static Application Security Testing
• IAST: Interactive Application Security Testing
• DAST: Dynamic Application Security Testing
• RASP: Runtime Application Security Protection

Source: NIST

Application Security Testing: Fortify Solutions

[Chart: the same cost curve with the HP Fortify products placed along it, from the earliest phase to the latest: Education, SCA, WebInspect / WebInspect Agent, RTA.]

• SCA: Static Code Analyzer
• RTA: RunTime Analyzer (AppDefender/AppView)

Source: NIST

The right approach > systematic, proactive

1. Embed security into the SDLC development process and improve SDLC policies, for in-house, outsourced, commercial and open source software
2. Leverage a Security Gate to validate the resiliency of internal or external code before Production
3. Monitor and protect software running in Production

This is application security

The solution


Fortify’s Software Security Vision

1. Application Assessment (Assess): find security vulnerabilities in any type of software: mobile, web, infrastructure; in-house, outsourced, commercial, open source
2. Software Security Assurance, SSA (Assure): fix security flaws in source code before it ships: secure SDLC
3. Application Protection (Protect): fortify applications against attack in production: logging, threat protection

HP Fortify – Software Security Assurance

On-Premise and On-Demand

Fortify on Demand Security Gate

• Secure ALL your applications before deployment: web, Facebook, mobile
• In-house, out-sourced, third-party
• On Demand Security Testing Service

Every path into production (Code and Test, Contract/Outsource, Procure) passes through the Security Gate before Deploy.

HP Fortify on Demand

Get results fast with security testing software-as-a-service

Simple
• Launch your application security initiative in <1 day
• No hardware or software investments
• No security experts to hire, train and retain

Fast
• Scale to test all applications in your organization
• 1 day turn-around on application security results
• Support 1000s of applications for the desktop, mobile or cloud

Flexible
• Test any application from anywhere
• Secure commercial, open source and 3rd party applications
• Test applications on-premise or on demand, or both

HP Fortify on Demand at a glance

Comprehensive and accurate
• Static Testing: HP Fortify SCA
• Dynamic Testing: HP WebInspect
• Audit & Analysis: Manual

Powerful remediation
• Analysis & Reports
• Online Collaboration

Broad support (21 languages)
• ABAP, C/C++, Cold Fusion, Java, Objective C, Python, VB6
• ASP.NET, Classic ASP, Flex, JavaScript/AJAX, PHP, T-SQL, VBScript
• C#, COBOL, HTML, JSP, PL/SQL, VB.NET, XML

Mobile Security Testing, all platforms
• Apple iOS, Android, Windows, Blackberry

Multiple analysis types
• Source Code, Client, Network, Running Application, Protocol Analysis, Server
• 1 Day Static Turnaround

Fast, secure & scalable
• Virtual Scan Farm
• Encryption

Breadth of testing
• 10,000+ applications
• 18 different industries represented
• 5 continents
• Civilian and Defense Agencies across US Government
• Vendor management and internal management
• Development teams from 1 to 10,000s
• Third party reviews

Thank you


Security Testing


HP Fortify Static Code Analyzer (SCA)

Static analysis – find and fix security issues in your code during development

Features:
• Automate static application security testing to identify security vulnerabilities in application source code during development
• Pinpoint the root cause of vulnerabilities with line-of-code details and remediation guidance
• Prioritize all application vulnerabilities by severity and importance
• Supports 21 languages, 500+ vulnerability categories

HP WebInspect

Dynamic analysis – find critical security issues in running applications

Features:
• Quickly identify risk in existing applications
• Automate dynamic application security testing of any technology, from development through production
• Validate vulnerabilities in running applications, prioritizing the most critical issues for root cause analysis
• Streamline the process of remediating vulnerabilities

Secure Development


HP Fortify Software Security Center server

Management, tracking and remediation of enterprise software risk

Features:
• Specify, communicate and track security activities on software projects
• Role-based, process-driven management of the software security program
• Integrations into key development environments: build integration, defect tracking, source control, 3rd party analysis engines
• Flexible repository and reporting platform for security status, trending and compliance: normalized, correlated vulnerability repository; aggregated risk metrics

Secure Development Tools

Manage remediation and audit workflows

Online collaboration
• Reduce the overhead of engaging development
• Easy web-based, IDE-like navigation
• Consistent presentation and auditing
• Defect-tracking integration: one-click integration, deep link back for details

Developer IDE plug-ins
• View results and manage remediation

Audit Workbench
• Security auditor view of the process

Protect


Fortify Runtime Technology

Components of the runtime architecture (from the diagram): the target program, running inside the application server, is instrumented at program points; a monitor attached to a program point raises an event; the event passes through an event handler chain (for example a log handler), and a handler can apply an action.

An action can change the state of the target program. It could throw an exception, show a message, or modify variable values.

Application Visibility is Limited

The IT SOC sees the OS, databases and storage; IPS, routers, switches, firewalls and DLP; servers, IAM and networking. It does not see the applications, because application logs:
• have few or uninteresting details
• or do not exist at all
• or require custom connectors

ArcSight ESM with Application View

Introducing Application View. Know your apps. Know your users. Know your data!

The IT SOC already receives events from the OS, databases and storage; IPS, routers, switches, firewalls and DLP; servers, IAM and networking. Application View adds the applications:
• Retro-fits applications with security event logs
• No change to the application required
• Out-of-the-box ready for ArcSight ESM

Application View: What is it?

Application View provides software application log visibility for security event analysis and correlation to help you:

Know your apps
• Remove the blind spot
• Application intelligence
• Application monitoring
• Out-of-the-box views

Know your users
• Monitor user access
• Identity fraud
• Track user activity
• Protect against ID theft

Know your data
• Track resource access
• Identify data leakage
• Review security forensics
• Identify application errors

Application View: How does it work?

• A runtime agent is installed on the application server (Java and .NET apps)
• Security events (application events and user activity) are logged and sent to ESM in CEF format via a syslog connector
• ArcSight ESM gathers, correlates and reports on the triggered events
• Out-of-the-box dashboards and reports
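The Fortify Runtime Technology slide (program point, monitor, event, event handler chain, action) and the Application View slide (agent on the application server, events sent as CEF over syslog to ESM) describe one mechanism from two sides. The following is an added illustration, not Fortify or HP code: a toy monitor in Python that instruments a single program point, runs every call through a handler chain, emits one ArcSight CEF record per call, and in protection mode applies the "throw an exception" action so the instrumented call never runs. The decorator hook, the SQL injection regex, the Example|RuntimeMonitor|1.0 vendor fields and the simulate helper are this example's own assumptions; the CEF header layout and escaping rules (backslash and pipe in header fields, backslash and equals sign in extension values) are the real format.

```python
"""Runtime monitor model: program point -> event -> handler chain -> action.

Added example, not Fortify code. The hook, the injection heuristic and the
CEF vendor/product strings are assumptions; the CEF layout is the real one.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

CEF_VERSION = 0


def cef_escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value: str) -> str:
    """CEF extension values: backslash and '=' escaped, CR/LF written as \\r and \\n."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_line(sig_id: str, name: str, severity: int, ext: dict) -> str:
    """CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension."""
    header = "|".join(cef_escape_header(h) for h in
                      ("Example", "RuntimeMonitor", "1.0", sig_id, name, str(severity)))
    extension = " ".join(f"{k}={cef_escape_ext(str(v))}" for k, v in ext.items())
    return f"CEF:{CEF_VERSION}|{header}|{extension}"


@dataclass
class Event:
    """Raised by the monitor each time an instrumented program point is reached."""
    program_point: str
    args: tuple
    user: str
    verdicts: List[str] = field(default_factory=list)


class BlockedByMonitor(Exception):
    """The 'throw an exception' action: the original call never executes."""


@dataclass
class Monitor:
    handlers: List[Callable[["Monitor", Event], None]]
    log: List[str] = field(default_factory=list)   # stands in for the syslog connector

    def program_point(self, name: str):
        """Instrument a function: every call becomes an event run through the handler chain."""
        def wrap(fn):
            def hooked(*args, user="anonymous", **kwargs):
                event = Event(name, args, user)
                for handler in self.handlers:
                    handler(self, event)           # a handler may observe, or raise to block
                return fn(*args, **kwargs)
            return hooked
        return wrap


# Deliberately crude detection pattern, for illustration only.
SQLI_PATTERN = re.compile(r"(--|;|'\s*or\s+'?1'?\s*=\s*'?1|union\s+select)", re.I)


def detect_sqli(mon: Monitor, ev: Event) -> None:
    """Detection handler: mark the event when the SQL text looks injected."""
    sql = ev.args[0] if ev.args else ""
    if SQLI_PATTERN.search(sql):
        ev.verdicts.append("SQL Injection")


def log_cef(mon: Monitor, ev: Event) -> None:
    """Visibility handler (Application View style): one CEF record per call, hit or not."""
    hit = bool(ev.verdicts)
    mon.log.append(cef_line("sqli" if hit else "query", ev.verdicts[0] if hit else "Query",
                            9 if hit else 1,
                            {"suser": ev.user, "cs1Label": "programPoint",
                             "cs1": ev.program_point, "msg": ev.args[0] if ev.args else ""}))


def block_attacks(mon: Monitor, ev: Event) -> None:
    """Protection handler (Application Defender style): change program state by throwing."""
    if ev.verdicts:
        raise BlockedByMonitor(f"{ev.program_point}: {ev.verdicts[0]} blocked")


def build_protected_query(block: bool):
    """Wire a monitor in front of a stand-in database call; block=False is monitor-only mode."""
    mon = Monitor(handlers=[detect_sqli, log_cef] + ([block_attacks] if block else []))

    @mon.program_point("db.execute")
    def execute(sql: str) -> str:
        return f"executed: {sql}"                  # placeholder for the real driver call

    return mon, execute


def simulate(queries: List[Tuple[str, str]], block: bool) -> Tuple[List[str], List[str]]:
    """Run (user, sql) pairs through a fresh monitor; return per-call outcomes and the CEF log."""
    mon, execute = build_protected_query(block)
    outcomes = []
    for user, sql in queries:
        try:
            outcomes.append(execute(sql, user=user))
        except BlockedByMonitor as exc:
            outcomes.append(f"blocked: {exc}")
    return outcomes, mon.log


if __name__ == "__main__":
    # Constructed sample traffic: one benign query and one tautology injection.
    sample = [("alice", "SELECT * FROM users WHERE name = 'alice'"),
              ("mallory", "SELECT * FROM users WHERE name = '' OR '1'='1'")]
    outcomes, cef_log = simulate(sample, block=True)
    print("\n".join(outcomes + cef_log))
```

Run directly, the benign call goes through and the injected one is blocked, and both produce a CEF record with the user, the program point and the escaped query text. Calling simulate with block=False gives the Application View behaviour: the same records are emitted but the call proceeds. The log list stands in for the syslog connector; a real agent would write each line to syslog for ESM to correlate.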

HP Application Defender – Application Security Simplified

• Visibility: actionable information through interactive dashboards and alerts
• Simplicity: install quickly and easily with a three-step deployment; get protection up and running in minutes
• Protection: stop attacks from inside the application

HP Application Defender Solution

A secure command/event channel (port 443) connects the applications to the HP Application Defender service, which delivers the simplicity, visibility and protection described on the following slides.

Simplicity

• Quick installation: up and running in less than 5 minutes, 3 easy steps
• Easy "in service" updates: rulepack, agent binary
• Accurate application protection and grouping

Visibility

• Quick access to specific vulnerability events
• Easy filtering of real-time and historical data
• Accurate presentation of event trigger and stack trace detail

Protection

• Quick protection against attacks from within your application
• Easy identification of top vulnerability events by criticality
• Accurate results from within application logic and data flows

Summary


Summary: Find, Fix and Fortify

HP Fortify Software Security Center

1. Find and fix security issues in development
2. Fortify applications against attack
3. Save money in development
4. Reduce risk from applications

Thank you
