Transcript Slide 1
HP Fortify Software Security
Claudio Merloni
Software Security Solution Architect
HP Enterprise Security Products
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The Adversary Marketplace
(Diagram, described.) The attack lifecycle runs through the stages Research, Infiltration, Discovery, Capture and Exfiltration, moving from their ecosystem into our enterprise.
Organize our capability to disrupt the market
(Diagram, described.) The same lifecycle seen from the defender's side: Research, Planning, target access, Capture and Exfiltration, from their ecosystem into our enterprise, with "Educating users" as the first countermeasure.
Organize our capability to disrupt the market
(Diagram, described.) HP products mapped onto the lifecycle stages Research, Planning, target access, Capture and Exfiltration:
• Educating users
• TippingPoint Solutions: intrusion prevention, network security, Digital Vaccine
• Fortify Solutions: software security assessment, software security assurance
• ArcSight Solutions: real-time security intelligence, SIEM, Logger
HP Security Research
• HP Security Research teams: DV Labs, ArcSight, Fortify, HPLabs, Application Security Center and Enterprise Security Services; also FSRG, ESS and HP Global Research
• Ecosystem partners: SANS, CERT, NIST, OSVDB, software and reputation vendors
• 2650+ researchers; 2000+ customers sharing data; network and security data collected from around the globe
• 6x the zero days of the next 10 competitors combined; top security vulnerability research organization for the past three years (Frost & Sullivan)
• www.hp.com/go/HPSRblog
The problem
Cyber attackers are targeting applications
(Diagram, described.) Three columns, Applications, Hardware and Networks, with the security measures in use listed against hardware and networks, and the property worth stealing listed against applications.
• Security measures: switch/router security, firewalls, NIPS/NIDS, VPN, net-forensics, anti-virus/anti-spam, DLP, host firewall, host IPS/IDS, vulnerability assessment tools
• Property: customer data, processes, trade (label truncated in the source)
84% of breaches occur at the application layer
9/10 mobile applications are vulnerable to attack
What’s the Worst that Could Happen?
The Incident
• PlayStation Network breach reported April 2011
• 77M customer accounts compromised
• PS Network completely offline for 25 days
• Total cost of damages / loss > $171M, and could be as high as $24B
The Attack
• DDoS attack followed by SQL injection
• 130+ servers completely compromised
• Account data, credit cards, email addresses stolen
• Required full network shutdown to contain
• More than just PlayStation Network was affected
Application security challenges
• Existing software: monitoring / protecting production software; securing legacy applications; demonstrating compliance
• Procuring secure software; certifying new releases
• Across every source of code: in-house development, outsourced, commercial, open source
Today’s approach > expensive, reactive
1. Somebody builds bad software
2. IT deploys the bad software
3. We are breached, or we pay to have someone tell us our code is bad
4. We convince and pay the developer to fix it
Why it doesn’t work
30x more costly to secure in production
(Chart, described.) Relative cost to fix a defect by lifecycle phase: requirements, coding, integration/component testing, system testing, production; the cost axis is marked 2x, 5x, 10x, 15x and 30x. After an application is released into production, a fix costs 30x more than during design.
Source: NIST
Application Security Testing Techniques
(Same NIST cost chart, described.) The testing techniques overlaid on the lifecycle, earliest to latest:
• SAST: Static Application Security Testing, during coding
• IAST: Interactive Application Security Testing, during integration/component and system testing
• DAST: Dynamic Application Security Testing, during system testing
• RASP: Runtime Application Security Protection, in production
Source: NIST
Application Security Testing: Fortify Solutions
(Same NIST cost chart, described.) Fortify products mapped onto the lifecycle:
• Education
• SCA (Static Code Analyzer), during coding
• WebInspect / WebInspect Agent, during integration and system testing
• RTA (RunTime Analyzer: AppDefender / AppView), in production
Source: NIST
The right approach > systematic, proactive
1. Embed security into the SDLC development process; improve SDLC policies
2. Leverage a Security Gate to validate the resiliency of internal or external code before production
3. Monitor and protect software running in production
Applies to in-house, outsourced, commercial and open source software alike.
This is application security
The solution
Fortify’s Software Security Vision
1. Application Assessment (Assess): find security vulnerabilities in any type of software; mobile, web, infrastructure; in-house, outsourced, commercial, open source
2. Software Security Assurance, SSA (Assure): fix security flaws in source code before it ships; secure SDLC
3. Application Protection (Protect): fortify applications against attack in production; logging, threat protection
HP Fortify – Software Security Assurance
On-Premise and On-Demand
Fortify on Demand Security Gate
• Secure ALL your applications before deployment: web, Facebook, mobile; in-house, outsourced, third-party
• On-demand security testing service
(Diagram, described.) Code, Test, Contract/Outsource and Procure all feed into the Security Gate, which sits in front of Deploy.
HP Fortify on Demand
Get results fast with security testing software-as-a-service
Simple
• Launch your application security initiative in <1 day
• No hardware or software investments
• No security experts to hire, train and retain
Fast
• Scale to test all applications in your organization
• 1 day turn-around on application security results
• Support 1000s of applications for the desktop, mobile or cloud
Flexible
• Test any application from anywhere
• Secure commercial, open source and 3rd party applications
• Test applications on-premise or on demand, or both
HP Fortify on Demand at a glance
Comprehensive and accurate
• Static testing: HP Fortify SCA
• Dynamic testing: HP WebInspect
• Manual audit & analysis
Powerful remediation
• Analysis & reports
• Online collaboration
Broad support
• Languages: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, Cold Fusion, Flex, HTML, Java, JavaScript/AJAX, JSP, Objective C, PHP, PL/SQL, Python, T-SQL, VB.NET, VB6, VBScript, XML
Mobile security testing, all platforms
• Apple iOS, Android, Windows, Blackberry
Multiple analysis types
• Source code, client, network, running application, protocol analysis, server
• 1 day static turnaround
Fast, secure & scalable
• Virtual scan farm
• Encryption
Breadth of testing
• 10,000+ applications
• 18 different industries represented
• 5 continents
• Civilian and defense agencies across US Government
• Vendor management and internal management
• Development teams from 1 to 10,000s
• Third party reviews
Thank you
Security Testing
HP Fortify Static Code Analyzer (SCA)
Static analysis: find and fix security issues in your code during development
Features:
• Automate static application security testing to identify security vulnerabilities in application source code during development
• Pinpoint the root cause of vulnerabilities with line-of-code details and remediation guidance
• Prioritize all application vulnerabilities by severity and importance
• Supports 21 languages, 500+ vulnerability categories
HP WebInspect
Dynamic analysis: find critical security issues in running applications
Features:
• Quickly identify risk in existing applications
• Automate dynamic application security testing of any technology, from development through production
• Validate vulnerabilities in running applications, prioritizing the most critical issues for root cause analysis
• Streamline the process of remediating vulnerabilities
Secure Development
HP Fortify Software Security Center server
Management, tracking and remediation of enterprise software risk
Features:
• Specify, communicate and track security activities on software projects
• Role-based, process-driven management of the software security program
• Integrations into key development environments: build integration, defect tracking, source control, 3rd party analysis engines
• Flexible repository and reporting platform for security status, trending and compliance: a normalized, correlated vulnerability repository with aggregated risk metrics
Secure Development Tools
Manage remediation and audit workflows
Online collaboration
• Reduce the overhead of engaging development
• Easy web-based, IDE-like navigation
• Consistent presentation and auditing
• Defect-tracking integration: one-click integration, deep link back for details
Developer IDE plug-ins
• View results and manage remediation
Audit Workbench
• Security auditor view of the process
Protect
Fortify Runtime Technology
(Diagram, described.) A monitor inside the target program intercepts events and passes them through an event handler chain, which logs them and can take an action. An action can change the state of the target program: it could throw an exception, show a message, or modify variable values.
Application Visibility is Limited
(Diagram, described.) The IT SOC sees OS, databases and storage; IPS, routers, switches, firewalls and DLP; servers, IAM and networking. Applications are the blind spot. Application logs:
• Few or uninteresting details
• No logs at all
• Require custom connectors
ArcSight ESM with Application View
Introducing Application View: know your apps, know your users, know your data!
(Diagram, described.) The IT SOC already collects OS, databases and storage; IPS, routers, switches, firewalls and DLP; servers, IAM and networking. Application View adds the applications themselves:
• Retro-fits applications with security event logs
• No change to the application required
• Out-of-box ready for ArcSight ESM
Application View: What is it?
Application View provides software application log visibility for security event analysis and correlation to help you:
Know your apps
• Remove the blind spot
• Application intelligence
• Application monitoring
• Out of the box views
Know your users
• Monitor user access
• Identity fraud
• Track user activity
• Protect against ID theft
Know your data
• Track resource access
• Identify data leakage
• Review security forensics
• Identify application errors
Application View: How does it work?
(Diagram, described.) Users interact with the apps; the apps emit application events to ESM.
• Runtime Agent installed on the app server (Java & .NET apps)
• Security events are logged and sent to ESM in CEF format via a syslog connector
• ArcSight ESM gathers, correlates and reports on triggered events
• Out-of-the-box dashboards and reports
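As an added illustration (not HP's code, and not the Fortify Runtime, Application View or Application Defender agent), here is a minimal monitor in the shape the Runtime Technology slide describes, target program, monitor, event handler chain, log, with the log written in the ArcSight CEF line format that the Application View slide says the agent sends over syslog. Python is used for illustration; the agents named on the slides instrument Java and .NET runtimes. The vendor/product/version fields in the CEF header, the injection heuristics, the request context, the in-memory users table and the deliberately vulnerable lookup are all assumptions constructed for this example.

```python
"""Minimal RASP-style monitor: target program -> monitor -> event handler chain -> CEF log. Constructed illustration only."""
import re
import sqlite3
from dataclasses import dataclass, field
from typing import Callable, List

class BlockedByMonitor(Exception):
    """Action 'throw an exception': the monitored call never reaches its target."""

@dataclass
class Event:
    category: str          # kind of monitored call, e.g. "sql.query"
    payload: str           # the value the target program is about to use
    user: str              # assumed request context: authenticated user
    src: str               # assumed request context: client IP
    severity: int = 0      # CEF severity 0 (info) .. 10 (critical)
    tags: List[str] = field(default_factory=list)
    blocked: bool = False

# Handler 1: assumed heuristics for injection markers in the final SQL string.
SQLI_PATTERNS = [re.compile(r"'\s*or\s+'[^']*'\s*=\s*'", re.I),          # ... OR '1'='1
                 re.compile(r";\s*(drop|delete|update|insert)\b", re.I),  # stacked statement
                 re.compile(r"--|/\*")]                                   # comment truncation

def detect_sqli(ev: Event) -> Event:
    """Block queries carrying injection markers and mark the event critical."""
    if ev.category == "sql.query" and any(p.search(ev.payload) for p in SQLI_PATTERNS):
        ev.severity, ev.blocked = 9, True
        ev.tags.append("sqli")
    return ev

PAN_RE = re.compile(r"\b(\d{6})\d{6,9}(\d{4})\b")   # 16-19 digit card-number shape

def mask_pan(ev: Event) -> Event:
    """Action 'modify variable values': rewrite the payload in flight, keeping first 6 / last 4 digits."""
    if ev.category == "response.body" and PAN_RE.search(ev.payload):
        ev.payload = PAN_RE.sub(lambda m: m[1] + "*" * (len(m[0]) - 10) + m[2], ev.payload)
        ev.severity = max(ev.severity, 5)
        ev.tags.append("pan-masked")
    return ev

def _esc(s: str, specials: str) -> str:
    """CEF escaping: backslash first, then the field-specific special characters, then newlines."""
    s = s.replace("\\", "\\\\")
    for c in specials: s = s.replace(c, "\\" + c)
    return s.replace("\n", "\\n")

def to_cef(ev: Event) -> str:
    """Serialise an Event as one ArcSight CEF line; vendor/product/version are assumed names."""
    header = "|".join(_esc(x, "|") for x in ["CEF:0", "Example", "RuntimeMonitor", "1.0",
                      ev.category, ",".join(ev.tags) or "monitored-call", str(ev.severity)])
    ext = " ".join(f"{k}={_esc(v, '=')}" for k, v in [("suser", ev.user), ("src", ev.src),
                   ("act", "block" if ev.blocked else "allow"), ("msg", ev.payload)])
    return header + "|" + ext

class Monitor:
    """Intercepts chosen calls in the target program and runs the handler chain on each."""
    def __init__(self, handlers: List[Callable[[Event], Event]], sink: list):
        self.handlers = list(handlers)
        self.sink = sink                          # a list here; a syslog connector on the slide
        self.context = {"user": "-", "src": "-"}  # set per request by the application

    def guard(self, category: str):
        def wrap(fn):
            def guarded(payload, *args, **kwargs):
                ev = Event(category, payload, self.context["user"], self.context["src"])
                for handler in self.handlers:     # the event handler chain
                    ev = handler(ev)
                self.sink.append(to_cef(ev))      # every monitored call is logged
                if ev.blocked:
                    raise BlockedByMonitor(category)
                return fn(ev.payload, *args, **kwargs)  # handlers may have rewritten the payload
            return guarded
        return wrap

def demo():
    """Constructed scenario: a string-concatenating lookup guarded by the monitor."""
    log: List[str] = []
    mon = Monitor([detect_sqli, mask_pan], log)
    mon.context.update(user="alice", src="203.0.113.7")   # constructed request context
    db = sqlite3.connect(":memory:")                      # constructed sample data
    db.executescript("CREATE TABLE users(name TEXT, card TEXT);"
                     "INSERT INTO users VALUES ('alice','4111111111111111'),('bob','5500000000000004');")
    @mon.guard("sql.query")
    def run_query(sql):
        return db.execute(sql).fetchall()
    render = mon.guard("response.body")(lambda body: body)
    def lookup(name):   # deliberately vulnerable: untrusted input concatenated into SQL
        return run_query(f"SELECT name, card FROM users WHERE name = '{name}'")
    normal = lookup("alice")
    try:
        lookup("x' OR '1'='1")     # would return every row; blocked before sqlite sees it
        injected = "allowed"
    except BlockedByMonitor:
        injected = "blocked"
    body = render("card on file: " + normal[0][1])   # PAN rewritten by mask_pan on the way out
    return normal, injected, body, log
```

Running `demo()` produces three CEF lines: an allowed query at severity 0, the injected query marked `sqli` at severity 9 with `act=block`, and the masked response at severity 5. The handler chain is where the slide's three actions live: `detect_sqli` throws (via `blocked`), `mask_pan` modifies the value in flight, and every event is logged regardless of outcome, which is what gives the SOC the application-layer visibility the next slides describe. A real agent hooks the runtime (JDBC drivers, servlet filters, the CLR) rather than decorating individual functions, and ships the lines over syslog rather than appending to a list.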
HP Application Defender – Application Security Simplified
Visibility
• Actionable information through interactive dashboards and alerts
Simplicity
• Install quickly and easily with a three-step (1, 2, 3) deployment; get protection up and running in minutes
Protection
• Stop attacks from inside the application
HP Application Defender Solution
(Diagram, described.) The protected applications talk to HP Application Defender over a secure command/event channel on port 443; the three pillars are Simplicity, Visibility and Protection.
Simplicity
• Quick installation: up and running in less than 5 minutes, in 3 easy steps
• Easy "in service" updates: rulepack and agent binary
• Accurate application protection and grouping
Visibility
• Quick access to specific vulnerability events
• Easy filtering of real-time and historical data
• Accurate presentation of event trigger and stack trace detail
Protection
• Quick protection against attacks from within your application
• Easy identification of top vulnerability events by criticality
• Accurate results from within application logic and data flows
Summary
Summary: Find, Fix and Fortify
HP Fortify Software Security Center
1. Find & fix security issues in development
2. Fortify applications against attack
3. Save money in development
4. Reduce risk from applications
Thank you