Be Fast, but be Secure a New Approach to Application Security July 23, 2015

Transcription

7 Be fast but be secure A new approach to application security Cindy Blake and Gerben Verstraete/ July 2015 #AppDefender

8 Velocity is new normal hybrid deliver the key & you better get it right 50 Percentage of Percentage businesses expect to be digital in 24 months 1 trillion applications by % apps deleted upon finding a bug 100 billion connected devices in X increase in the number of apps 81 Percentage of IT org. believe cloud provides competitive solutions for IT 25+ releases per quarter per app by % of organizations using agile 30 cost reduction for business operations by smart machines by Percentage of projects delivered business 1 value 1st time of every $5 spent on packaged software will be cloud based(2018) 84 % of breaches at the app layer 3 seconds before a user abandons an app 37 percentage of orgs that host apps externally

9 The number of apps is growing Increasing platforms and complexity many delivery models PRODUCTION LEGACY SOFTWARE OUTSOURCED COMMERCIAL OPEN SOURCE IN-HOUSE DEVELOPMENT

10 Current solutions protect the perimeter Yet, 84% of breaches occur in the application software

11 The ratio of spending between perimeter security and application security is 23-to-1. Joseph Feiman, Gartner analyst Maverick* Research: Stop Protecting Your Apps: It s Time for Apps to Protect Themselves, Sept 25, 2014

12 Challenges to overcome Lack of visibility Business damage in the form of productivity losses Infrastructure performance events are not seen in the context of security events Disparate data sources and management systems limits organizations to understand the impact of anomalies Device and device components moving in and out of the infrastructure unnoticed Inability to pin point Responding to and resolving incidents are both time consuming and costly Lack of integrated data sources and a true understanding of the business impact Limited ability to respond to new vulnerabilities\threats Comprehensive malicious code attacks Securing complex applications (legacy and modern) is challenged by business pressures Borderless consumption models of applications in the cloud and across mobile platforms Security as an afterthought, not fully embedded in the entire application lifecycle Governance and Compliance No integrated approach to keep service infrastructure compliant with releases across global infrastructure Cumbersome processes to meet audit requirements and reporting capabilities Security has build a silo within many organizations, not integrating as a partner across the lifecycle

13 Security has to be embedded in everything IT does EA PMO Testers Dev IT Value Chain Users LOB IT Ops IT Engineers Strategy to Portfolio Requirement to Deploy Request to Fulfill Detect to Correct Drive IT portfolio to business innovation Build what the business wants, when it wants it Catalog, fulfill, and manage services and track usage Anticipate and resolve service issues Plan Define Dev Build Test Deploy Release Operate 13 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

14 Traditional NOCs and SOCs will need to converge IT Security User Provisioning Identity & Access Mgmt Application Security Database Encryption Anti-Virus, Endpoint Firewall, Security See Everything Act IT Operations Performance & Availability User Management App Lifecycle Mgmt Operations Mgmt Network Mgmt See Everything Understand Context Proactive Risk reduction 14 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

15 Key focus areas Proactive Exposure Analyses Continuous discover what you have in order to protect your applications Security Asset Lifecycle Managemen t Augmented Cyber Operations Detect, Contain and Prioritize Continuous Security and IT Operations correlating events and understand business context Prevent and Respond Continuous manage compliance across complex services infrastructures and automated event remediation Security Compliance & Automated Remediation Secure Application Lifecycle Managemen t Design Secure Continuous Development and Testing with integrated security processes and technology 15 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

16 Continuous Application Security Scan it Test it Defend it HP App Defender Application Development Production / Operations

17 Application Security Testing Application Security Testing is a best practice, but remediation before production is difficult to implement = 3 weeks + to remediation Application Security talent is very difficult to find Process need to be defined so that everything is standardized and efficient Developers are not measured to think about security

18 Application Security Testing Application Security Testing is a best practice, but remediation before production is difficult to implement = 3 weeks + to remediation C+ Application Security talent is very difficult to find Process need to be defined so that everything is standardized and efficient Developers are not measured to think about security

19 Common challenges to removing software vulnerabilities You lack access to the code of critical applications Your security scan just found 100+ app vulnerabilities where to begin? Your vendor told you a patch will be ready in 3 months You have no idea what vulnerabilities you have Your app is end-of-life and you really do not want to invest the resources Developer resources are constrained

20 Maximum Days to Announce Remediation Source: HP Cyber Risk Report, 2015 We were hoping that critical vulnerabilities would be the fastest to fix. Interestingly, this was not always the case. One possible reason could be that most organizations tend to fix and verify all critical and high vulnerabilities first. Hence, the developers could be prioritizing their tasks from a single bucket based on the ease of completing the task, rather than the severity of the issue.

21 Traditional approaches rely on Web Application Firewalls (WAFs) Over the Wire works great until it s bypassed Tools are available to exploit WAF s signature based approach and more An example from BlackHat 2012 See RASP vs WAF study by the SANS Institute

22 When does it make sense to rely on RASP? As a virtual patch You lack access to the code of critical applications Your security scan just found 100+ app vulnerabilities Your vendor told you a patch will be ready in 3 months You have no idea what vulnerabilities you have Time to market pressure START For defense in depth You want contextual insight into your application s security

23 Security can be agile You can deliver software quickly and without compromise using continuous, integrated, and automated methods for overall application health. Fail forward with known security vulnerabilities - let HP Application Defender protect those vulnerabilities with compensating controls while you remediate the code.

24 Without compromising performance Rapid application development is difficult when juggling application performance and secure coding. Confidently deploy your RASP solution with granular and transparent performance metrics - let HP App Pulse show you how. Model your defense pre-production to confidently predict load and performance. Try them both for free App Pulse free trial App Defender free trial

25 Application Defender Technology Target Program Monitor <Rule> Application Server Program Point Event Event Handler Action Event Handler Chain Log

26 Application Defender Integrated with your NOC\SOC Target Program Monitor <Rule> NOC\SOC Operations (choice) Application Server Program Point Event Event Handler Event Handler Chain Operations Bridge (OMi) ArcSight ESM AppView Action Log

27 HP Security Research HP Fortify runtime technology HP Application Defender Application Security Simplified Visibility Actionable and accurate insight from within the application to pinpoint vulnerabilities for protection or remediation HP Application Defender 1,2,3 Simplicity Install quickly and easily with a three-step deployment, get protection up and running in minutes Protection Stop attacks categorically or for specific vulnerabilities.

28 Simplicity Quick Installation Up and running in less than 5 minutes 3 easy steps Easy In Service Updates Rulepack Agent Binary Accurate application protection and grouping

29 Visibility Quick access to specific vulnerability events Easy filtering of realtime and historical data Accurate presentation of event trigger and stack trace detail

30 Protection Quick protective action against attacks from within your application Easy identification of top vulnerability events by criticality Accurate results from within application logic and data flows

31 Try it today Contact your sales executive Learn more and begin your trial at hp-application-defender.com No cost. Monitor and protect one application for as long as you choose. When you are ready to purchase, this SaaS offer is priced per application instance with discounts for more applications and for longer contracts. Prices start at $149 for one app per month

32 Questions? HP-Application-Defender.com