Transcript Document

“If you haven’t taken a look at these guys, I
think you should, before that ‘bad thing’
happens to your company.”
- CIO Magazine
“The company making security a built-in
feature to software”
- CNBC Powerlunch
© FORTIFY SOFTWARE INCORPORATED 2006, All Rights Reserved
Fortify - the Software Security Market Leader
The technology innovator that defined the
segment
Multiple award winning products span the
development lifecycle
Over 150 patent claims filed to date
Largest & most demanding customer base
Sustained 300% revenue growth
10:1 win ratio in head-to-head bake-offs
The world’s largest code bases (19M SLOC)
Blue chip technical & management team
Average 25 years software experience
Advised by the world’s top security experts
“Fortify is the clear
winner for many
reasons, including their
superior analysis and
reporting capabilities,
and their understanding
and support of how
security fits into the
software development
lifecycle.”
- Mary Ann Davidson, CSO, Oracle
IT Setup
Hidden slide
In-Secure is In-Complete and Not Good Enough
Root cause of security problems
Gartner - 75% of breaches due to poorly
written applications
NIST - 92% of vulnerabilities are in
software
Leading enterprises take action today!
Awareness now at 70%
Over 20% implementing or actively
investigating
If you are not, you will soon…
Demands of customers/partners
Regulatory requirements
Industry best practices
Applications are becoming increasingly critical and pervasive, and a prime target for hackers and malicious insiders, creating a staggering increase in lost information and system downtime.
Tough Challenges Require an Experienced Partner
What is your risk exposure now?
Baselines and benchmark metrics
Across the enterprise
Purchased and custom developed
Key constituents have competing requirements:
Management - visibility & risk reduction
Infosec - assurance and accountability
Development - agility and flexibility
[Image: The Top 5 Software Security Traps and Pitfalls]
How will you introduce security
discipline in software development?
New concepts and requirements
Increased responsibility and accountability
“Most companies get this wrong. Success
requires executive mandate and clear
controls for establishing accountability for
security in development.”
- Gary McGraw, Author and CTO, Cigital
ISV Setup
Hidden slide
In-Secure is In-Complete - What is Your Brand Worth?
Software vulnerabilities make for
good headlines
76+ articles in Feb 2006 alone
Pressure is mounting
Customers quick to blame vendors
Risk exposure awareness at 90%
Microsoft establishing best practices
Aggressively promoting “SDL”
You will be doing SDL…
Customers/partners will ask
Regulatory requirements will demand it
Differentiator for you or your competitor
Built-In Software Security Flaws
Have Companies Up In Arms
More than half of those responding
to InformationWeek Research's
Global Security Survey 2006 say
vendors should be held legally or
financially responsible for products'
security vulnerabilities.
- InformationWeek, Jul 10, 2006
Tough Challenges Require an Experienced Partner
What priority is security given in your
development ranks?
Security is not just another bug…
Key constituents have competing requirements:
Management - visibility & risk reduction
Infosec - assurance and accountability
Development - agility and flexibility
How will you introduce security
discipline in software development?
New concepts and requirements
Increased responsibility and accountability
“If we have a group that is
knowingly ignoring the SDL or deprioritizing it, at best we have an
accountability problem and at
worst an HR problem.”
- Mike Nash, Corporate VP, Microsoft
The Fortify Solution
Hidden slide
The Goal of the SDL: “Building Security In”
From a Software Development Lifecycle (SDL) to a Secure Development Lifecycle (SDL):
Security Training
Source Code
Analysis & Review
Threat Modeling
Security Testing
Risk Analysis
Application Security
Event Monitoring
Fortify Completes Your Software - Makes it Secure

Lifecycle phases: Plan, Design, Code, Functional Test, Penetration Test, Deploy

Fortify Software Security Analysis Suite - Source Code Analysis and RunTime Analysis
Fortify Software Security Test Suite - Security Testing and RunTime Analysis
Fortify Application Security Deployment Suite - Application Monitoring and Protection
Fortify Software Security Manager - Metrics and Reporting

“Other vendors are promising integrated
lifecycle solutions while Fortify has been
delivering on that promise for years.”
- Andrew Binstock, InfoWorld Magazine
Fortify Scales from the Desktop to the Enterprise

Fortify Professional - individual developers, testers, and auditors:
Fortify Source Code Analyzer, Dev Pro Version
Fortify Security Tester (Visual Studio Team Suite 2005)
Fortify RunTime Analyzer - security debugging, the “Purify” for security

Fortify Team - software development teams:
Fortify Software Security Analysis Suite - source code & runtime analysis; developer desktop and build server; triage, review and audit GUI
Fortify Software Security Test Suite - runtime analysis, security testing
Fortify Application Security Deployment Suite - application monitoring and defense

Fortify Enterprise - integrated enterprise deployments:
Fortify Software Security Manager - reporting & metrics, lifecycle management, policy-driven analysis, rules management, infosec project auditing; integrates and manages multiple Fortify Team Suites
Teams Deliver Code You Can Trust with Fortify

Development - Developers, on the desktop (Visual Studio, Borland, Eclipse, IBM WSS): Fortify SCA Dev Pro - targeted, accurate analysis tuned for low false positives
Development - Build Server: Fortify Source Code Analyzer - comprehensive, accurate analysis tuned for low false negatives
Development - Security Lead: Fortify Audit Workbench - fast and effective triage, review, and audit; results (FPR) are shared with the Security Lead and Management
Test - Security Testers: Fortify Security Tester - thorough and effective WhiteBox™ testing leveraging existing QA scripts; Fortify RunTime Analyzer - enhanced WhiteBox™ testing through concurrent dynamic analysis
Production - Security Ops Team: Fortify Application Defense - real-time security event monitoring and protection through production-grade runtime analysis
Fortify is Proven in the Most Demanding Environments

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor; roles: Management, Security, Development, QA, Operations]

Fortify has proven to meet the needs of enterprise deployments
Extensible solutions that span the development lifecycle (SDL)
Solutions for the developers, testers, and auditors
More languages, platforms, frameworks and tools than anyone else
Superior architecture and proven experience with the most demanding customers

Fortify delivers what the others miss - complete and accurate results
The award winning Fortify Source Code Analysis Suite
Patent-pending RunTime Analysis
Patent-pending X-Tier Analysis
Patent-pending WhiteBox Security Testing
Fortify in the Enterprise – Security In Development

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor]

Management / Security Leads: Fortify Software Security Manager and Fortify Rules Builder - central visibility and control required to manage an enterprise deployment
Security Auditors: Fortify Source Code Analyzer, Fortify RunTime Analyzer and Fortify Audit WorkBench - comprehensive and accurate results for low false negatives at code review
Development Teams: Fortify SCA Dev Enterprise - targeted analysis tuned for low false positives at the desktop

“After an extensive evaluation, we
found that Fortify not only had the
lowest false positives, but routinely
found issues the others missed…”
- Kevin O’Neil, Investors Bank & Trust
Fortify in the Enterprise – Security In QA / Test

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor]

Management / Security Leads: Fortify Software Security Manager and Fortify Rules Builder - central visibility and control required to manage an enterprise deployment
Security Auditors and Penetration Testing Teams: Fortify Source Code Analyzer and Fortify RunTime Analyzer - source code and runtime analysis deliver actionable and meaningful WhiteBox™ testing results
QA: Fortify Security Tester - thorough and effective security testing leveraging existing QA scripts

“Fortify tears the cover
off black-box testing
and offers results that
help fix the issues…”
- IDC, 2006
Fortify in the Enterprise – Security In Production

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor]

Management / Security: Fortify Software Security Manager
Security Operations: Fortify Application Defense - 1st embedded application security monitor providing unparalleled insight and protection

“Fortify delivers on the promises made by
application firewalls – it’s accurate, scalable
and easy to implement.”
- Aditya Palande, ProTrade
Getting Started is Easy – Security Assurance Gates

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor]

Management: visibility on business risk and software security improvement goals.
Security: crucial feedback on vulnerabilities and progress towards goals.
Development: augmented with training, security is introduced with the guidance of the infosec team.

Software security audits and tests performed at key milestones
Collect and track metrics and enforce policies
Stop faulty code from entering into production
Only Fortify
Hidden slide
The Solution You Can Trust - Complete and Accurate

Why is completeness a requirement for security?
The dilemma: accuracy or completeness? Are you going to miss security issues or make developers upset?
Accuracy is meaningless if the results are not complete
Complete results are useless if they are not accurate
Fast, easy and accurate for developers
Complete and accurate for security staff
You don’t need to compromise accuracy for completeness!

[Chart: accuracy (threshold “acceptable utility”) against completeness (threshold “acceptable risk”); QA tools, pen-testing products and other security analysis products are plotted as in-adequate solutions]
Fortify Source Code Analysis - The Gold Standard

Fortify finds what the others miss - complete and accurate results
5 analyzers deliver breadth and accuracy: semantic, data flow, control flow, config, structure
Over 3,000 security rules covering 118 vulnerability categories
Over 20 quality categories through integration with FindBugs
Extensible so you can write your own custom analysis rules

Fortify fits the way you work and supports the tools you use today
Separate auditor and developer versions
Platforms: Windows, Solaris, Red Hat Linux, Mac OS X, HP-UX, IBM AIX
Frameworks: EJB (BEA, WebSphere), ColdFusion, Struts, Hibernate, Spring
IDEs: Visual Studio, Eclipse, IBM, Borland

[Diagram: Secure Coding Rules and Source Code (C, C++, .Net, Java, JSP, PL/SQL, T-SQL, XML, CFML) feed the Source Code Analyzers (semantic, data flow, control flow, config, structure). Tuning Options select between broad and deep coverage for the security auditor, so you don’t miss a thing, and directed analysis on the desktop, so you don’t slow down development.]
X-Tier™ Analysis For Confidence in the Results

Only Fortify’s patent-pending X-Tier™ Analysis allows complete coverage of all critical code paths
Real world applications are multi-language and multi-tier
Web applications (3-tier)
EAI, SOA and Web Services
Little or no assurance if you can’t model data-flow across the tiers
Attacks are at the top of the stack
Vulnerabilities can be deep in the system
Fortify RunTime and Source Code Analyzers support X-Tier analysis
The only vendor with this technology* (*numerous patents pending)

[Diagram: Front End (ASP, JSP) → Business Logic (Java, C#, C/C++) → Back End (PL/SQL, T-SQL)]
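As an added worked example of the cross-tier problem described above (illustration code written for this page, not Fortify’s X-Tier analyzer and not part of the original deck), the script below models two constructed tiers: a Python data-access function that binds its arguments to a stored-procedure call, and a T-SQL procedure that concatenates its parameters into dynamic SQL. The `request.args` and `cursor.callproc` names are assumed conventions. Each tier is analyzed on its own and then the two data flows are joined; only the join reports that a request parameter reaches the `EXEC` sink, and only for the tainted argument.

```python
"""Cross-tier data-flow tracing (added example, not Fortify code).

Analyzed alone, the Python tier has no SQL text and binds its arguments,
so a single-tier analyzer reports nothing. Analyzed alone, the T-SQL tier
builds dynamic SQL from its parameters but cannot know which of them ever
carry attacker input. Joining the flows shows 'name' reaches EXEC().
"""
import ast
import re

# Constructed middle tier (assumed request.args / cursor.callproc API).
MIDDLE_TIER_SRC = '''
def find_customer(request, cursor):
    name = request.args.get("name")      # attacker-controlled
    region = "EMEA"                      # constant
    cursor.callproc("dbo.FindCustomer", [name, region])   # bound, no SQL text
    return cursor.fetchall()
'''

# Constructed back end (T-SQL): parameters concatenated into dynamic SQL.
BACK_END_SRC = """
CREATE PROCEDURE dbo.FindCustomer @name NVARCHAR(100), @region NVARCHAR(10)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX)
    SET @sql = 'SELECT * FROM Customers WHERE region = ''' + @region
             + ''' AND name = ''' + @name + ''''
    EXEC(@sql)
END
"""


def _is_request_arg(node):
    """True for request.args.get(...) or request.args[...]: the taint source."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        node = node.func.value
    elif isinstance(node, ast.Subscript):
        node = node.value
    return (isinstance(node, ast.Attribute) and node.attr == "args"
            and isinstance(node.value, ast.Name) and node.value.id == "request")


def analyze_middle_tier(src):
    """Map each callproc() target to [(arg position, variable, tainted?)]."""
    tree = ast.parse(src)
    tainted, changed = set(), True
    while changed:  # propagate taint through simple assignments to a fixpoint
        changed = False
        for node in ast.walk(tree):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)):
                v, target = node.value, node.targets[0].id
                from_source = _is_request_arg(v) or (
                    isinstance(v, ast.Name) and v.id in tainted)
                if from_source and target not in tainted:
                    tainted.add(target)
                    changed = True
    calls = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "callproc" and len(node.args) == 2
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[1], (ast.List, ast.Tuple))):
            args = []
            for pos, elt in enumerate(node.args[1].elts):
                var = elt.id if isinstance(elt, ast.Name) else None
                args.append((pos, var, var in tainted or _is_request_arg(elt)))
            calls[node.args[0].value] = args
    return calls


def analyze_back_end(sql):
    """Find which procedure parameters flow into a dynamic-SQL EXEC sink."""
    m = re.search(r"CREATE\s+PROCEDURE\s+(\S+)\s+(.*?)\s+AS\b", sql, re.S | re.I)
    name, params = m.group(1), re.findall(r"(@\w+)\s+\w+", m.group(2))
    flows = {}  # @variable -> parameters concatenated into it (transitively)
    for var, expr in re.findall(
            r"\bSET\s+(@\w+)\s*=\s*(.*?)(?=\n\s*(?:SET|EXEC|DECLARE|END|IF|RETURN)\b)",
            sql, re.S | re.I):
        refs = set(re.findall(r"@\w+", expr))
        flows[var] = {r for r in refs if r in params}.union(
            *(flows.get(r, set()) for r in refs))
    sink_params = set()
    for m in re.finditer(r"EXEC(?:UTE)?\s*\(\s*(@\w+)\s*\)|"
                         r"EXEC(?:UTE)?\s+sp_executesql\s+(@\w+)", sql, re.I):
        sink_params |= flows.get(m.group(1) or m.group(2), set())
    return {"name": name, "params": params, "sink_params": sink_params}


def cross_tier_findings(middle_src, back_src):
    """Join the tiers: tainted argument positions that reach the back-end sink."""
    back = analyze_back_end(back_src)
    findings = []
    for proc, args in analyze_middle_tier(middle_src).items():
        if proc != back["name"]:
            continue
        for pos, var, is_tainted in args:
            param = back["params"][pos] if pos < len(back["params"]) else None
            if is_tainted and param in back["sink_params"]:
                findings.append({"source": var, "via": f"{proc}({param})",
                                 "sink": "EXEC(dynamic SQL)"})
    return findings


if __name__ == "__main__":
    print("middle tier alone:", analyze_middle_tier(MIDDLE_TIER_SRC))
    print("back end alone:   ", analyze_back_end(BACK_END_SRC))
    print("cross-tier:       ", cross_tier_findings(MIDDLE_TIER_SRC, BACK_END_SRC))
```

The back-end analysis alone reports both `@name` and `@region` as reaching `EXEC`; the middle-tier analysis alone sees only a parameterized call. The joined result is a single finding on `name`, which is the assurance the slide says is missing without cross-tier modeling.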
See The Entire Picture With Fortify RunTime Analysis

Complete and Accurate Results
Finds vulnerabilities that can’t be found in the code
Environmental and runtime errors
Errors in 3rd party (binary) code
Finds vulnerabilities that penetration testing misses
Any server-side event that does not alter the HTTP response (stored XSS, blind SQL Injection, Process Injection, …)
Logging private data
Has far greater accuracy and lower false positives than any other technique
Nothing is more accurate than a monitor at the call site when the security event occurs

[Diagram: Attack Patterns & Signature DB and the application binary (Java, .NET; “in-house” or 3rd party) feed the RunTime Monitors (attack surface, security event, honey token, data privacy, statistical correlation), which emit Security Events. Optional runtime protections provide greater assurance of deployed applications.]
Security Testing Without Fortify = Black Box

Attacks and visibility limited to what can be seen on the web GUI
Misses attack surface: files (EDI and config), database, RPC/IPC, EAI (Tibco, Tuxedo, etc.)
Cannot find internal security events - e.g. logging a credit card number into a clear-text log file
Blind attacks have zero knowledge of program internals
Does an input field go to a DB, a process invocation, a crypto routine, I/O, nowhere?
Source file? Line of code? Call tree? Data-flow path? - ALL MISSING FROM REPORTS
Only Fortify Delivers WhiteBox™ Security Testing

Fortify RunTime Analyzer (binary: Java, .NET)
Coverage statistics for attack surface and all security-relevant operations
Full visibility into what happened “on the inside”

Fortify Source Code Analyzer (source: Java, C/C++, C#, VB.Net, PL/SQL, T-SQL)
Source Code Analysis provides a blueprint for targeted attacks
“Source Code” view of security issues
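As an added worked example of what a call-site monitor sees that a black-box test cannot (illustration code written for this page, not Fortify’s RunTime Analyzer and not part of the original deck), the script below wraps two sinks, the database `execute` call and the application log, around a constructed request handler in an unsafe and a hardened form. The handlers, the fake cursor, the `attack_surface` hook and the request values are all constructed for the demo; a real product instruments the bytecode rather than relying on explicit wrapper calls. Both handlers return the identical response body, yet the monitors report the SQL concatenation and the clear-text card number in the unsafe one, with the calling function, on ordinary benign QA input.

```python
"""Call-site runtime monitoring (added example, not Fortify code).

The monitors record request parameters as they enter (attack surface) and
inspect every sink call as it happens. The unsafe and hardened handlers
return the same HTTP body, so only the monitors can tell them apart.
"""
import inspect
import re

events = []    # security events reported by the sink monitors
_inputs = []   # (parameter name, value) seen at the attack surface

PAN_RE = re.compile(r"\b\d{13,19}\b")


def _call_site():
    """Name and line of the application function that reached the sink."""
    caller = inspect.stack()[2]
    return f"{caller.function}:{caller.lineno}"


def luhn_ok(digits):
    """Luhn check, to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def attack_surface(name, value):
    """Attack-surface monitor: record every request parameter as it enters."""
    _inputs.append((name, value))
    return value


def monitored_execute(cursor, sql, params=None):
    """SQL sink monitor. A request value appearing verbatim in the statement
    text was concatenated in; bound values never appear in the text, so the
    hardened handler produces no event (heuristic: ignore very short values)."""
    for name, value in _inputs:
        if len(value) >= 4 and value in sql:
            events.append({"type": "SQL Injection", "param": name,
                           "where": _call_site(), "sink": sql})
    return cursor.execute(sql, params)


def monitored_log(log, message):
    """Log sink monitor: flag Luhn-valid card numbers written in clear text."""
    for m in PAN_RE.finditer(message):
        if luhn_ok(m.group()):
            events.append({"type": "Privacy Violation", "param": "card",
                           "where": _call_site(), "sink": "clear-text log"})
    log.append(message)


class FakeCursor:
    """Stand-in for a DB-API cursor; records what it was asked to run."""
    def __init__(self):
        self.executed = []

    def execute(self, sql, params=None):
        self.executed.append((sql, params))


def find_customer_unsafe(args, cursor, log):
    """Constructed vulnerable handler: concatenation and clear-text logging."""
    name = attack_surface("name", args["name"])
    card = attack_surface("card", args["card"])
    monitored_execute(cursor, "SELECT * FROM Customers WHERE name = '" + name + "'")
    monitored_log(log, f"lookup {name} card {card}")
    return "OK"


def find_customer_safe(args, cursor, log):
    """Hardened handler: bound parameter and masked card; same response."""
    name = attack_surface("name", args["name"])
    card = attack_surface("card", args["card"])
    monitored_execute(cursor, "SELECT * FROM Customers WHERE name = %s", (name,))
    monitored_log(log, f"lookup {name} card ****{card[-4:]}")
    return "OK"


def run_demo():
    """Drive both handlers with the same benign QA input; return the events."""
    events.clear()
    _inputs.clear()
    cursor, log = FakeCursor(), []
    request = {"name": "alice", "card": "4111111111111111"}   # constructed input
    unsafe_body = find_customer_unsafe(request, cursor, log)
    safe_body = find_customer_safe(request, cursor, log)
    assert unsafe_body == safe_body   # indistinguishable from the outside
    return list(events)


if __name__ == "__main__":
    for e in run_demo():
        print(e["type"], "via", e["param"], "at", e["where"], "->", e["sink"])
```

Note that the SQL event fires on the harmless value `alice`: the monitor reports the concatenation (the vulnerability), not a successful attack, which is why existing functional QA scripts are enough to drive it.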
Benefit From Our Experience and Expertise

Timeline, 2003 to 2007:
Fortify Establishes The Market - Supported by pre-eminent security researchers, Fortify Software delivers the world’s first commercial software security analyzer.
Actively Engaging Leaders - Working closely with early adopters, Fortify delivers an integrated suite, filing over 150 patent claims.
Source Code Analysis Suite - The award winning market defining platform that the others are still struggling to copy.
Application Defense - Event monitoring and protections for legacy applications and packaged software.
Security Tester - The first security testing solution to deliver white box security testing and deliver it to QA professionals.
Software Analysis Redefined - Fortify Software Analysis Suite 5.0
Bring it Home
Hidden slide
Solutions That Grow With You
Proven options for a quick and painless start
Software Security Assurance Gates
The most effective way there is to reduce software risk exposure
Discretionary Development Deployment
200% increase* in security training retention
Enterprise Software Vulnerability Base-Line Audit
Analysis of legacy systems for base line reporting and risk assessment
Seamless transition to an enterprise software security program
Integrated Development - Infosec Deployment
Flexibility for development, comprehensive assurance for infosec
Enterprise metrics and reporting
Full visibility across all projects and the ability to manage through policy
* Arkasoft Security Training Survey - 2005
Expertise and Guidance Every Step of the Way

[Lifecycle diagram: Define, Design, Code, Test, Deploy, Monitor; Management and Security]

Fortify Services:
Fortify Rapid-Start Deployment
Fortify 3rd Party Code Verification Services
Fortify Managed Auditing Services
Fortify Global Partners
Fortify is The One That You Can Count On
Compare Fortify with the others:
Fortify is a much better fit
Extensible solutions that span the development lifecycle (SDL)
Solutions for the developers, testers, auditors, teams, and the enterprise
Support for more languages, platforms, frameworks and tools than anyone else
A superior architecture and proven experience with the most demanding customers across a wide range of deployments
Fortify delivers what the others miss - complete and accurate results
The award winning Fortify Source Code Analysis Suite
Patent-pending RunTime Analysis
Patent-pending X-Tier Analysis
Patent-pending WhiteBox Security Testing
Take the Fortify Challenge
Get Started…
Allow us to perform a Baseline Security Audit on one of your software projects
If we find no serious security issues - We Pay You $10K
Otherwise pay our standard code audit fee
$25K for a typical application < 250K SLOC
If you are anything less than delighted with the findings - You Pay Nothing
Transitions easily into a Managed Audit Service
Pilot a Development Team Rollout
Infosec team and 2-3 development groups
Define project scope, introduce technology, measure results
Fee based on project scope, size, and timeline
Hidden Slides - Talking Points, Summing Up
Competitors
Hidden slide
Caveat Emptor - Software Security is the Next Big Thing

Network-vendors - “Security in a Box”
Focusing on the attack over the root cause, “now fixes applications” is the latest craze.
• Reactive approach that got us where we are now.
• Focused on addressing the attack or protecting the infrastructure.
• Some solutions serve as a stop gap, but by no means replace the need to build security in.

Quality-vendors - “Security Light”
To broaden the reach of niche products, static analysis vendors add security to a list of quality issues.
• Security issues are not “just another bug”.
• Static analysis tools lack the advanced data-flow features like X-Tier™ and RunTime™.
• Products (Parasoft, Coverity, Klocwork) fall way behind in platforms and rules coverage.

Penetration Testers - “Badness-ometers”
A popular solution for establishing awareness is being offered up as a sustainable solution.
• Great for demonstrating the problem.
• Testing without upstream activities to “test” is pointless and expensive.
• Penetration tests must move to the QA stage of the SDL and be replaced with audits that most projects pass.
Rule #1: Never Mention Your Competitors…
…unless you maintain better than 10:1 win rate in head to head bake-offs
Ounce Labs
Makes a lot of noise but still catching up on the basics (languages and
platforms). Presentation over substance - fact check their claims.
Secure Software
Well-respected services firm struggling to transition into a software company.
Consultantware architecture (Python scripts).
SPI Dynamics
Recent dramatic change in product strategy promising Fortify functionality
validates our approach - What does it say about them?