
1 Dr. Markus Schumacher: Reliable SAP Applications. We protect your ABAP™ Code: Security, Compliance, Performance, Maintainability & Robustness

2 CONTENTS
1. About Virtual Forge
2. CodeProfiler: Protecting your ABAP™ Code
3. CodeProfiler Approach and Test Domains
4. Technology Integration (SAP TMS/ChaRM, SAP BI, IBM)
5. CodeProfiler Certification and References
6. Professional Services
7. Summary & Discussion

3 1. About Virtual Forge

4 Virtual Forge GmbH: History & Facts
- Founded in 2001, headquarters in Heidelberg, Germany; privately held
- Long-term development & consultancy expertise in the area of SAP security audits, SAP design and code reviews, and SAP penetration testing
- SAP Trusted Technology Partner
- Unique solution: Virtual Forge CodeProfiler (1.0 in 2008): data and control flow analysis; automated testing of ABAP™, ABAP Objects, BSP, WebDynpro ABAP; Security, Compliance, Performance, Maintainability, Robustness
- Book: Sichere ABAP-Programmierung, SAP Press 2009, the leading industry guideline for ABAP development and maintenance

5 Virtual Forge GmbH: Vision and Promise
Virtual Forge is the leading provider of code security and quality solutions in SAP environments. As trusted advisor we help our clients to
- identify code security & quality gaps,
- prioritize these gaps for mitigation and resolve them,
- significantly improve their SAP environment.
We are able to offer our clients the latest and market-leading expertise through a clear focus on first-class research in SAP code security & quality. SAP's internal ABAP™ development uses Virtual Forge CodeProfiler in its security and quality processes. Thus, our clients benefit from first-hand experience from the world's largest SAP development projects.

6 2. CodeProfiler: Protecting your ABAP™ Code

7 Protecting your SAP applications: Identify, prioritize, and mitigate issues in your ABAP™ Code
Worldwide, more than organizations of all sizes and industries depend on SAP solutions and services to run their business, making SAP solutions highly critical. More than 90% of SAP applications are written in ABAP. Custom development adds specific functionality to applications, but:
- Often there are no requirements for non-functional aspects
- There is no testing beyond functional testing
- Consequence: unknown risks in ABAP applications

8 How we help our Clients: CodeProfiler delivers a Business Case in key areas

9 Protection by CodeProfiler: Securing high risk areas in SAP infrastructures (Virtual Forge GmbH. All rights reserved.)

10 Data Loss Prevention: Asset Flow Analysis
CodeProfiler determines whether critical data leaves the boundaries of a trusted environment (asset flow analysis). Three simple steps:
1. You define critical data (HR data, credit card numbers, etc.).
2. Conduct a CodeProfiler scan against the target application: the results show where critical data is accessed and written to an external context.
3. Review the findings, assess the risk, and mitigate potential backdoors.

11 Data Loss Prevention: Sample Code
The sample program accesses personal data from table PA0002. The data is passed to a FORM that writes the critical data (asset). CodeProfiler highlights the flow of the asset (in red) throughout the complete program.

Data Loss Example (the slide leaves the WHERE value blank; the selection parameter p_pernr used below is an assumption):

    PROGRAM zsimple_asset_demo.
    PARAMETERS p_pernr TYPE pa0002-pernr.        " personnel number to look up (assumed)
    PERFORM example_asset.

    FORM example_asset.
      DATA : lv_id LIKE PA0002-PERID.
      " Source: the asset (personnel ID number) is read from HR master data
      SELECT PERID FROM PA0002 INTO lv_id WHERE PERNR = p_pernr.
        PERFORM example_leak USING lv_id.        " the asset flows into the FORM
      ENDSELECT.
    ENDFORM.

    FORM example_leak USING perid TYPE PRDNI.
      " Sink: the asset is written to the output list, i.e. leaves the trusted context
      WRITE : / 'Social security number:', perid.
    ENDFORM.

12 3. CodeProfiler Approach & Test Domains

13 CodeProfiler Engine: Data and Control Flow Analysis
CodeProfiler uses data and control flow analysis in combination with a comprehensive rule set that covers many data sources and dangerous ABAP™ statements. Data flow analysis is a technique that first identifies data sources, i.e. points in the code where (external) data is read into variables. It then analyzes whether there are any connections between a data source and a potentially dangerous statement. Any identified connection (data flow) indicates that the dangerous statement is most likely exploitable. In addition to data and control flow analysis, CodeProfiler applies further sanity tests such as type checks, authority checks, usage of regular expressions etc. As a result, the findings can be prioritized and the mitigation process becomes more efficient.
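The source-to-sink idea described above, together with the asset flow of the data loss sample on slide 11, as an added Python illustration (not CodeProfiler code): a toy label-propagating analysis over a small ABAP subset. The rule set (PARAMETERS as input source, table PA0002 as asset, GENERATE SUBROUTINE POOL and WRITE as sinks), the sample programs and all names are constructed for this example.

```python
"""Toy data-flow analysis over a small ABAP subset, added as an illustration (not CodeProfiler
code). It follows the deck's two cases: user input reaching GENERATE SUBROUTINE POOL (ABAP
command injection) and PA0002 data reaching WRITE (asset flow). Everything is constructed."""
import re

ASSET_TABLES = {"PA0002"}                                  # tables holding critical data
CMD_SINKS = ("GENERATE SUBROUTINE POOL", "INSERT REPORT")   # run or persist generated code
LEAK_SINKS = ("WRITE", "TRANSFER")                          # data leaves the program
IDENT = r"[A-Za-z_][A-Za-z0-9_\-]*"
KEYWORDS = {"USING", "CHANGING", "TYPE", "LIKE"}


def split_statements(source):
    """Upper-cased statements: literals blanked, inline comments cut, split on '.'."""
    lines = []
    for line in source.splitlines():
        line = re.sub(r"'[^']*'", " ", line)     # blank literals so a '.' inside is ignored
        lines.append(line.split('"', 1)[0])      # then cut inline comments
    return [s.strip().upper() for s in " ".join(lines).split(".") if s.strip()]


def parse_forms(stmts):
    """Separate the main flow from FORM definitions: name -> (formal params, body)."""
    forms, main, current = {}, [], None
    for s in stmts:
        m = re.match(r"FORM\s+(%s)(.*)" % IDENT, s)
        if m:                                     # USING PERID TYPE PRDNI -> params [PERID]
            toks = re.findall(IDENT, m.group(2))
            params = [t for k, t in enumerate(toks)
                      if t not in KEYWORDS and (k == 0 or toks[k - 1] not in ("TYPE", "LIKE"))]
            current = forms[m.group(1)] = (params, [])
        elif s == "ENDFORM":
            current = None
        elif current:
            current[1].append(s)
        else:
            main.append(s)
    return forms, main


def labels_of(names, env):
    return set().union(*(env.get(n, set()) for n in names))   # labels on these variables


def run(stmts, env, forms, findings, depth=0):
    """Propagate labels statement by statement; descend into PERFORM calls (bounded)."""
    for s in stmts:
        words = re.findall(IDENT, s)
        if s.startswith("PARAMETERS") and len(words) > 1:           # source: user input
            env[words[1]] = {"input:" + words[1]}
        elif s.startswith("SELECT"):                                 # source: critical table
            m = re.match(r"SELECT\s+(?:SINGLE\s+)?(\S+)\s+FROM\s+(\S+)\s+INTO\s+(\S+)", s)
            if m and m.group(2) in ASSET_TABLES:
                env[m.group(3)] = {"asset:%s-%s" % (m.group(2), m.group(1))}
        elif s.startswith(("CONCATENATE", "APPEND", "MOVE")):        # label propagation
            m = re.match(r"\w+\s+(.*)\s+(?:INTO|TO)\s+(%s)" % IDENT, s)
            if m:
                env.setdefault(m.group(2), set()).update(labels_of(re.findall(IDENT, m.group(1)), env))
        elif s.startswith("PERFORM") and len(words) > 1 and depth < 8:
            name, args = words[1], [w for w in words[2:] if w not in KEYWORDS]
            if name in forms:                                        # bind actuals to formals
                params, body = forms[name]
                callee = dict(env)
                callee.update(zip(params, (env.get(a, set()) for a in args)))
                run(body, callee, forms, findings, depth + 1)
        elif s.startswith(CMD_SINKS + LEAK_SINKS):                   # sinks
            sink = next(k for k in CMD_SINKS + LEAK_SINKS if s.startswith(k))
            kind = "input:" if sink in CMD_SINKS else "asset:"
            findings += [(sink, lab) for lab in sorted(labels_of(words, env)) if lab.startswith(kind)]
    return findings


def analyze_program(source):
    """Return [(sink, label)] for every source-to-sink flow found in the program."""
    forms, main = parse_forms(split_statements(source))
    return run(main, {}, forms, [])


# Constructed sample 1: the deck's data-loss case, HR data flows through a FORM to WRITE.
LEAK_DEMO = """
PERFORM example_asset.
FORM example_asset.
  DATA lv_id LIKE pa0002-perid.
  SELECT perid FROM pa0002 INTO lv_id WHERE pernr = '00001234'.
    PERFORM example_leak USING lv_id.
  ENDSELECT.
ENDFORM.
FORM example_leak USING perid TYPE prdni.
  WRITE : / 'Social security number:', perid.
ENDFORM.
"""
# Constructed sample 2: user input becomes part of a generated program (BIZEC APP-01).
CMD_DEMO = """
PARAMETERS p_code TYPE string.
DATA: lt_src TYPE TABLE OF string, lv_prog TYPE string.
APPEND 'PROGRAM zdyn.' TO lt_src.
APPEND p_code TO lt_src.
GENERATE SUBROUTINE POOL lt_src NAME lv_prog.
"""
```

Replacing the `APPEND p_code TO lt_src.` line in CMD_DEMO with a constant literal removes the GENERATE finding, because no "input:" label reaches the sink any more; that is the kind of fix the rule is meant to drive.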

14 CodeProfiler Engine: Data and Control Flow Analysis (diagram)

15 Test Domain Security
This domain covers test cases related to classical security defects, i.e. code with hidden side effects that can be misused by an attacker. Visit for application security risks related to business applications.
Test case examples: ABAP Command Injection; Directory Traversal; Cross-Site Scripting; Missing AUTHORITY-CHECK; Phishing; SQL Injection

16 Protection by CodeProfiler: Code Sample
BIZEC APP/11, APP-01 (http://www.bizec.org), ABAP Command Injection: coding that dynamically creates and executes arbitrary ABAP programs based on user input on a productive system.

17 Test Domain Compliance
This domain introduces test cases related to compliance defects, i.e. coding practices that bypass an important security mechanism in the SAP standard.
Test case examples: Hard-coded User Name (sy-uname); Cross-Client Access to Business Data; Hidden ABAP Code

18 Test Domain Performance
This domain includes test cases that identify coding practices that have adverse effects on the performance of an SAP system.
Test case examples: Usage of WAIT Command; Database Modifications in a Loop; SELECT Statement in a Loop; Usage of LIKE Clause; Missing WHERE Restriction in SELECT Statement; Nested SELECT Statement

19 Test Domain Quality (Maintainability)
This domain contains test cases that analyze the ABAP™ coding for issues that make the code difficult to maintain. Factors that reduce maintainability include:
- Coding that is difficult to understand for a developer new to the project
- Coding with a complex structure
- Poor documentation
Test case examples: Empty Block; Empty Module; Overlong Module

20 Test Domain Quality (Robustness)
This domain provides test cases that check for ABAP™ coding practices which jeopardize the reliable execution of a business application. An important benefit of having robust code is business continuity: robust code reacts to error conditions in a controlled, reliable and predefined way.
Test case examples: Insufficient Error Handling (TRY/CATCH); Incomplete CASE Statement; Recursion (Immediate)

21 Naming Conventions
Beyond Maintainability and Robustness, the test group Code Quality now also covers the frequently requested check for Naming Conventions:
- Application-specific rules: different naming conventions per package
- Validity timeframe (from / to)
- Check of legacy and new code without conflicts with the applicable rules
The naming conventions can be seamlessly integrated into the automated TMS/ChaRM code firewall.
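One way to express the three properties listed above (per-package rules, a validity timeframe, legacy and new code checked without conflicts), as an added Python example that is not CodeProfiler's implementation. Applying a rule according to the object's creation date is this example's own assumption about how legacy code is exempted; all packages, patterns and object names are constructed.

```python
"""Naming-convention check with per-package rules and validity periods. Added illustration,
not CodeProfiler's implementation: a rule is bound to one package and object type for a
from/to date range and is applied according to the object's creation date, so legacy objects
keep their old convention while objects created later must follow the current one."""
import re
from datetime import date

# Constructed rules: (package, object type, required name pattern, valid from, valid to/None)
RULES = [
    ("ZHR", "PROG", r"^ZHR_[A-Z0-9_]+$", date(2009, 1, 1), None),
    ("ZHR", "FUGR", r"^ZHR[A-Z0-9_]*$", date(2009, 1, 1), None),
    ("ZFI", "PROG", r"^ZFI[0-9]{3}[A-Z_]*$", date(2005, 1, 1), date(2010, 12, 31)),  # legacy scheme
    ("ZFI", "PROG", r"^ZFI_[A-Z0-9_]+$", date(2011, 1, 1), None),                   # current scheme
]


def rules_in_force(package, obj_type, created):
    """Rules applying to an object of this type in this package, created on that date."""
    return [r for r in RULES
            if r[0] == package and r[1] == obj_type
            and r[3] <= created and (r[4] is None or created <= r[4])]


def check_names(objects):
    """objects: iterable of (name, package, object type, creation date).
    Returns violations as (name, package, [patterns the name should have matched])."""
    findings = []
    for name, package, obj_type, created in objects:
        rules = rules_in_force(package, obj_type, created)
        # No rule in force at creation time means no convention to enforce (legacy code).
        if rules and not any(re.match(r[2], name) for r in rules):
            findings.append((name, package, [r[2] for r in rules]))
    return findings


# Constructed inventory as it could be read from the repository object directory (TADIR).
OBJECTS = [
    ("ZHR_PAYROLL_EXPORT", "ZHR", "PROG", date(2012, 3, 1)),  # matches the ZHR rule
    ("ZPAYROLL_TEST",      "ZHR", "PROG", date(2012, 3, 2)),  # violation
    ("ZFI001_POST",        "ZFI", "PROG", date(2008, 6, 1)),  # fine under the legacy scheme
    ("ZFI001_POST2",       "ZFI", "PROG", date(2013, 6, 1)),  # violation: legacy scheme expired
    ("ZFI_POSTING",        "ZFI", "PROG", date(2013, 6, 2)),  # matches the current scheme
    ("ZOLD_REPORT",        "ZFI", "PROG", date(2003, 1, 1)),  # older than any rule: not reported
    ("ZMM_MISC",           "ZMM", "PROG", date(2013, 1, 1)),  # no rule for this package
]

if __name__ == "__main__":
    for name, package, expected in check_names(OBJECTS):
        print("%s (%s) violates naming rule(s) %s" % (name, package, ", ".join(expected)))
```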

22 Naming Conventions

23 CONTENTS
1. CodeProfiler Status Quo: Getting Secure
- As developer or auditor
- Analysis of transports
- Batch scheduling (SM37/SM36)
2. TMS/ChaRM Integration: Staying Secure
- Automatic scan of transports (SE10)
- Approval Workflow (enforcement of requirements)
3. Work with Findings: Mitigation
- Finding Manager (review, qualification and correction in SE80)

24 Predefined Roles, Menus and Authorization Objects

25 Configuration: Test Group Definition

26 CodeProfiler Analysis: Packages, individual ABAP™ Object Types, or Transports

27 Batch Scheduling (SM36/SM37)

28 Result Navigation
The executive summary report (PDF) contains a prioritized list of all discovered issues. This list provides immediate feedback on current business risks at code level. Following the executive summary, the full PDF report (or the result navigation in the Finding Manager) contains detailed information about each finding, grouped by test case. Each test case starts with general information about the respective issue:
- Introduction
- Business Risk
- Detailed Explanation
- Example Vulnerability
- Solution in General
- Solution Example
In addition to the general information, the report lists details for all discovered issues.

29 Working with Scan Results: Finding Manager, Forward-Navigation to SE80

30 CodeProfiler finds and prioritizes Security Issues and other Findings

31 4. Technology Integration

32 Integration in the Development Process
The integration into the SAP Transport Management System (TMS) enables you to check transports with CodeProfiler automatically before the actual release, on task level as well as on transport level (or both). You can then release them or, if required, re-route them to a defined exception handling process. The automated check before importing code into an existing system (development, consolidation, production) can be carried out in the same way as the check during the release phase. From a technology point of view, it does not make a difference whether one or more SAP systems are connected.
CodeProfiler supports the common transport and release mechanisms, such as the Transport Management System (TMS), Change Request Management (ChaRM), the Change and Transport System (CTS), as well as CTS plus. Integration with additional tools such as theguard! TransportManager by REALTECH, Transport Express by Basis Technologies, or other products is possible.
The Virtual Forge CodeProfiler standard shipment includes a preconfigured SAP workflow (notification and approval workflow) for release, QA and exception processes.

33 TMS/ChaRM Integration (diagram): Requirements Paper, Development (D60 EhP4), Test/QA (Q60 EhP4), Production (P60 EhP4); CodeProfiler acts as TMS gatekeeper between Development and Test/QA; exceptions are handled via QA

34 Approval Workflow: Governance & Compliance in the Development Process (diagram): the developer develops and releases a transport; CodeProfiler parses it and, if OK, the transport passes on via TMS; if not, the QA / project lead reviews the findings and approves, rejects, or requests a change

35 Options of TMS/ChaRM Integration
A. Workflow Process:
- CodeProfiler allows the transport.
- CodeProfiler declines the transport: the developer asks the QA instance via the approval workflow for an exception. Yes: the transport will be released (compliance: document exceptions). No: back to development.
B. Simplified Process: the developer may decide at his own discretion to release the transport although CodeProfiler reported issues.
The appropriate approach depends on your requirements:
- Organization (small, large)
- Compliance (4 eyes principle)
- Reliability / Stability
- Speed (fixes, development)

36 Enforcement of ABAP™ Guidelines: Flexible Definition of Gatekeeper Functionality

37 TMS/ChaRM Integration (SE10)

38 High Availability
- CodeProfiler is often used in large system landscapes in order to monitor the entire code base (legacy and new ABAP code).
- To make this more effective, several CodeProfiler instances can now be flexibly assigned to several SAP systems (m x n).
- That way, scans can easily be parallelized and high availability of the code audit infrastructure can be achieved.
- The implementation of a large-scale CodeProfiler infrastructure is now simpler and built in.

39 High Availability: n x m relations between CodeProfiler and SAP system (diagram: SAP systems D01, Q01, D02 and Q02 served by CodeProfiler instances CPSERVER1, CPSERVER2, CPTMSSERV1 and CPSERVER3, CPSERVER4, CPTMSSERV2)

40 Dashboard in SAP BI

41 Dashboard in SAP BI

42 CodeProfiler is Ready for Rational: scans of Java applications, technical integration

43 Integration IBM AppScan Source Edition: Triage of findings in your ABAP™ Code

44 Integration IBM AppScan Source Edition: Drill-Down by Vulnerabilities only (all impact levels)

45 Integration IBM AppScan Source Edition: Drill-Down by Vulnerabilities (High Impact only)

46 Integration IBM AppScan Source Edition: ABAP™ analysis with data flow, code details and description

47 5. CodeProfiler Certification and References

48 CodeProfiler protects SAP
Aiming to expand the quality assurance of SAP software enhancements, SAP has licensed the testing software CodeProfiler, developed by the ABAP programming language security specialist Virtual Forge. This is the first solution on the market that is designed for static analysis of ABAP applications with a specific focus on security and compliance tests. CodeProfiler offers SAP customers that have developed their own ABAP code extensive quality assurance.
"Security is important to us and to our customers. It's good to see that our trusted partner Virtual Forge provides a tool for security test automation. Now all our customers can establish a baseline security level in their ABAP code." SAP Executive Board Member Gerhard Oswald (2009)

49 CodeProfiler is SAP Certified
CodeProfiler has successfully completed SAP's integration certification program. This proves that CodeProfiler is an extremely reliable solution for your SAP environments. In addition, Virtual Forge is now listed as an official SAP Software Partner.

50 Linde Gases Division
Linde Group Gases Division: "It's very important for us to maintain full control over our coding. To increase the effectiveness and efficiency of our system development at Linde, we mainly work with external ABAP developers. Ever since we've been using CodeProfiler, the developers have become more aware and are delivering better code quality." Stephan Sachs, Manager Application Security
CodeProfiler Benefits for Linde:
- Efficiency: CodeProfiler allows for an automated ABAP analysis that effectively fulfills the quality requirements of Linde and its customers.
- Control: With the help of CodeProfiler, Linde can ensure the highest quality standards when cooperating with external ABAP developers.
- Governance: CodeProfiler provides automated compliance checks that meet the company's requirements and process standards. Quality is integrated into the development process and is not the result of arbitrary actions.
- Cost Savings: CodeProfiler reduces the risk related to malicious code and minimizes the time needed for code inspection and debugging.
A quality investment that pays: today, CodeProfiler is an established quality assurance tool at Linde.

51 Other selected References
Linde Group Gases Division: see the statement by Stephan Sachs, Manager Application Security, on slide 50.
Mölnlycke Healthcare (Sweden): "The use of Virtual Forge's CodeProfiler software for verifying all code has revolutionized our way of working, without any significant effort or cost. We now have gained control over the coding quality and the related security risks." Roderik Mooren, IT Director
SIEMENS AG uses Virtual Forge CodeProfiler.

52 SAP Custom Code Security Service Powered by Virtual Forge CodeProfiler

53 6. Professional Services

54 Virtual Forge Service Portfolio
Services: Virtual Forge supports customers as a Trusted Advisor and delivers high quality
- Professional Application Audits with the Virtual Forge CodeProfiler
- Review and changes of the development lifecycle
- Implementation of the Virtual Forge Development Guidelines into your development process
- Classroom Training: Secure ABAP™ Coding
- Project-driven Audits
- Penetration tests
- Fixing of Vulnerabilities
- Coordination of Consulting Partners
- Set-up of a transparent Security and Compliance Environment
With Virtual Forge as your partner for security and compliance in ABAP developments, in small and huge system landscapes and projects, you benefit from a wealth of experience and expert know-how.

55 6. Summary & Discussion. Feedback is always welcome!

56 Why should you use CodeProfiler?!
- CodeProfiler is the tool of choice for in-depth ABAP™ analyses: Security, Compliance, Performance, Maintainability, Robustness
- Prioritization helps you to define the mitigation plan
- Governance and Compliance in your Development Process: no single line of code enters your SAP system without a thorough check ("Code Firewall")
- Enforcement of Security and Quality standards for ABAP development
- Controlled roll-out: tighten the scan profile over time in a grace period
- Accountability and compliance: exceptions are documented via the four-eyes principle in the approval workflow
- Possible to integrate CodeProfiler in popular transport management systems (SAP TMS, Solution Manager ChaRM, Realtech theguard!, Basis Technologies Transport Express, etc.)

57 Value Proposition
Cost effectiveness: running safe business processes
- Be prepared for cyber attacks and industrial espionage: prevent security weaknesses and backdoors
- Value for money: control externally supplied ABAP™ code (offshore/nearshore/vendor)
- No investment in own content needed, no maintenance of content
- State-of-the-art security content in the standard release
- Always up-to-date content with new releases (active research & continuous updates)
Ease of use: check your ABAP while you write it
- Run CodeProfiler as developer while you write code (like a spell checker)
- Run CodeProfiler as QA manager (like the lector of a book)
- Fully integrated in the SAP standard environment: SE80, TMS/ChaRM

58 Value Proposition
Being in control: governance & compliance at the process level
- Central control for new ABAP™ code: gatekeeper for code in the development process, governance at the process level (TMS integration)
- Approval workflow: compliance regarding coding standards
Use the standard: CodeProfiler is industry ready
- Auditors (internal / external) use CodeProfiler in company audits
- Customers worldwide use CodeProfiler for QA & Compliance, including SAP, Siemens, Linde, Munich Re, and many more
- Scan your ABAP anytime in one run: unparalleled analysis speed, up to Lines of Code per Second, results available instantly
- Gartner selected Virtual Forge as Cool Vendor for the SAP Ecosystem 2011

59 Your questions?
VIRTUAL FORGE, Dr. Markus Schumacher, Speyerer Straße, Heidelberg, Germany
VIRTUAL FORGE Distributor in Scandinavia: ADSOTECH Scandinavia Oy, Ilmakuja 4 a, Espoo, Finland


More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction

More information

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014 Security Testing Vulnerability Assessment vs Penetration Testing Gabriel Mihai Tanase, Director KPMG Romania 29 October 2014 Agenda What is? Vulnerability Assessment Penetration Testing Acting as Conclusion

More information

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency logo The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency Understanding the Multiple Levels of Security Built Into the Panoptix Solution Published: October 2011

More information

SAP Secure Operations Map. SAP Active Global Support Security Services May 2015

SAP Secure Operations Map. SAP Active Global Support Security Services May 2015 SAP Secure Operations Map SAP Active Global Support Security Services May 2015 SAP Secure Operations Map Security Compliance Security Governance Audit Cloud Security Emergency Concept Secure Operation

More information

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities. Managing business infrastructure White paper Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities. September 2008 2 Contents 2 Overview 5 Understanding

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Application Security from IBM Karl Snider, Market Segment Manager March 2012

Application Security from IBM Karl Snider, Market Segment Manager March 2012 Application Security from IBM Karl Snider, Market Segment Manager March 2012 1 2012 IBM Corporation Helping Solve Customer Challenges Application Security Finding Application Vulnerabilities GlassBox scanning

More information

Simply Sophisticated. Information Security and Compliance

Simply Sophisticated. Information Security and Compliance Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns

More information

White Paper. Managing Risk to Sensitive Data with SecureSphere

White Paper. Managing Risk to Sensitive Data with SecureSphere Managing Risk to Sensitive Data with SecureSphere White Paper Sensitive information is typically scattered across heterogeneous systems throughout various physical locations around the globe. The rate

More information

Quality Assurance Service Offerings

Quality Assurance Service Offerings Quality Assurance Service Offerings About Brandix i3 We are Business Improvement and Enterprise Application Specialists offering Enterprise Software Development, Infor M3 Consulting and Business Improvement

More information

The Worksoft Suite. Automated Business Process Discovery & Validation ENSURING THE SUCCESS OF DIGITAL BUSINESS. Worksoft Differentiators

The Worksoft Suite. Automated Business Process Discovery & Validation ENSURING THE SUCCESS OF DIGITAL BUSINESS. Worksoft Differentiators Automated Business Process Discovery & Validation The Worksoft Suite Worksoft Differentiators The industry s only platform for automated business process discovery & validation A track record of success,

More information

Document ID. Cyber security for substation automation products and systems

Document ID. Cyber security for substation automation products and systems Document ID Cyber security for substation automation products and systems 2 Cyber security for substation automation systems by ABB ABB addresses all aspects of cyber security The electric power grid has

More information

Web Application Security

Web Application Security About SensePost SensePost is an independent and objective organisation specialising in information security consulting, training, security assessment services and IT Vulnerability Management. SensePost

More information

WHITE PAPER. iet ITSM Enables Enhanced Service Management

WHITE PAPER. iet ITSM Enables Enhanced Service Management iet ITSM Enables Enhanced Service Management iet ITSM Enables Enhanced Service Management Need for IT Service Management The focus within the vast majority of large and medium-size companies has shifted

More information

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014 QualysGuard WAS Getting Started Guide Version 3.3 March 21, 2014 Copyright 2011-2014 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.

More information

IBM Rational AppScan Source Edition

IBM Rational AppScan Source Edition IBM Software November 2011 IBM Rational AppScan Source Edition Secure applications and build secure software with static application security testing Highlights Identify vulnerabilities in your source

More information

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5 KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski May 2015 is a business-critical application security solution for SAP environments. It provides a context-aware, secure and cloud-ready platform

More information

DataFlux Data Management Studio

DataFlux Data Management Studio DataFlux Data Management Studio DataFlux Data Management Studio provides the key for true business and IT collaboration a single interface for data management tasks. A Single Point of Control for Enterprise

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

DeltaV Cyber Security Solutions

DeltaV Cyber Security Solutions TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

performance indicators (KPIs) are calculated based on process data, and displayed in easy-to-use management views.

performance indicators (KPIs) are calculated based on process data, and displayed in easy-to-use management views. DATA SHEET iet ITSM IT Service Management through ITIL To keep a business running as smoothly as possible, IT must operate by defined processes and must align itself with business needs. There are guidelines,

More information

Web App Security Audit Services

Web App Security Audit Services locuz.com Professional Services Web App Security Audit Services The unsecured world today Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System

More information

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Adobe ColdFusion Secure Profile Web Application Penetration Test July 31, 2014 Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Chicago Dallas This document contains and constitutes the

More information

Realize That Big Security Data Is Not Big Security Nor Big Intelligence

Realize That Big Security Data Is Not Big Security Nor Big Intelligence G00245789 Realize That Big Security Data Is Not Big Security Nor Big Intelligence Published: 19 April 2013 Analyst(s): Joseph Feiman Security intelligence's ultimate objective, enterprise protection, is

More information

Penetration Testing in Romania

Penetration Testing in Romania Penetration Testing in Romania Adrian Furtunǎ, Ph.D. 11 October 2011 Romanian IT&C Security Forum Agenda About penetration testing Examples Q & A 2 What is penetration testing? Method for evaluating the

More information

Fortify. Securing Your Entire Software Portfolio

Fortify. Securing Your Entire Software Portfolio Fortify 360 Securing Your Entire Software Portfolio Fortify Fortify s holistic approach to application security truly safeguards our enterprise against today s ever-changing security threats. Craig Schumard,

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

New IBM Security Scanning Software Protects Businesses From Hackers

New IBM Security Scanning Software Protects Businesses From Hackers New IBM Security Scanning Software Protects Businesses From Hackers Chatchawun Jongudomsombut Web Application Security Situation Today HIGH AND INCREASING DEPENDENCE ON WEB SERVICES Work and business Communications

More information

Quality Assurance. Service Offerings. About Brandix. Overview

Quality Assurance. Service Offerings. About Brandix. Overview Quality Assurance Service Offerings About Brandix We are Business Improvement and Enterprise Application Specialists offering Enterprise Software Development, Infor M3 Consulting and Business Improvement

More information

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary

More information

Your Location Instant NOC using Kaseya. Administrator at Remote Location Secure access to Management Console from anywhere using only a browser

Your Location Instant NOC using Kaseya. Administrator at Remote Location Secure access to Management Console from anywhere using only a browser Kaseya Product Brief The Kaseya Platform Making your systems more secure, your staff more productive, your services more reliable and your results easier to validate. No matter what part of Kaseya s integrated

More information

"Practical Security Testing for Web Applications"

Practical Security Testing for Web Applications T10 Track 5/7/2009 11:15:00 AM "Practical Security Testing for Web Applications" Presented by: Rafal Los Hewlett-Packard Application Security Center Presented at: 330 Corporate Way, Suite 300, Orange Park,

More information

QA Classroom and Online training from Yes-M Systems

QA Classroom and Online training from Yes-M Systems QA Classroom and Online training from Yes-M Systems One of the best QA courses: Manual Testing Highlights 85+ hours to finish the course Experienced Instructors Recruiters help with Resume Preparation

More information

Penetration testing: exposure of fallacies 1-14

Penetration testing: exposure of fallacies 1-14 Penetration testing: exposure of fallacies 1-14 Statistics of the vulnerabilities distribution (2014) Network perimeter: 73% 52% 34% Ability to connect third-party equipment without pre-authorization Weak

More information

The Pension Portal. Helping you take your pension business into the paperless age

The Pension Portal. Helping you take your pension business into the paperless age The Pension Portal Helping you take your pension business into the paperless age When you ve been helping pension professionals implement client portals for as long as we have, you understand that the

More information

PCI-DSS Penetration Testing

PCI-DSS Penetration Testing PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)

More information

End-to-End Application Security from the Cloud

End-to-End Application Security from the Cloud Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed

More information

Minimize Access Risk and Prevent Fraud With SAP Access Control

Minimize Access Risk and Prevent Fraud With SAP Access Control SAP Solution in Detail SAP Solutions for Governance, Risk, and Compliance SAP Access Control Minimize Access Risk and Prevent Fraud With SAP Access Control Table of Contents 3 Quick Facts 4 The Access

More information

ISO/IEC 20000 IT Service Management - Benefits and Requirements for Service Providers and Customers

ISO/IEC 20000 IT Service Management - Benefits and Requirements for Service Providers and Customers ISO/IEC 20000 IT Service Management - Benefits and Requirements for Service Providers and Customers Authors Ralf Buchsein, Manager, KESS DV-Beratung GmbH Klaus Dettmer, Product Manager, iet Solutions GmbH

More information

Effective Software Security Management

Effective Software Security Management Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

More information

Your Complete Employer Solution THE MARKETPLACE. Pre-integrated, best-in-class third-party and internally developed add-on solutions

Your Complete Employer Solution THE MARKETPLACE. Pre-integrated, best-in-class third-party and internally developed add-on solutions Your Complete Employer Solution THE MARKETPLACE Pre-integrated, best-in-class third-party and internally developed add-on solutions Marketplace offerings include: Travel and expense report management Background

More information

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances ACL WHITEPAPER Automating Fraud Detection: The Essential Guide John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances Contents EXECUTIVE SUMMARY..................................................................3

More information

Application Management Services

Application Management Services Application Management Services Application Development Key Initiative Overview Structured Approach Strategize and Plan Develop Governance Drive Change Management Execute Measure and Improve Data source:

More information

Organizations Should Implement Web Application Security Scanning

Organizations Should Implement Web Application Security Scanning Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities

More information

Standard: Web Application Development

Standard: Web Application Development Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information

CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed?

CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed? CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed? by Mariano Nunez mnunez@onapsis.com Abstract Global Fortune 1000 companies, large governmental organizations and defense entities

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

IPLocks Vulnerability Assessment: A Database Assessment Solution

IPLocks Vulnerability Assessment: A Database Assessment Solution IPLOCKS WHITE PAPER February 2006 IPLocks Vulnerability Assessment: A Database Assessment Solution 2665 North First Street, Suite 110 San Jose, CA 95134 Telephone: 408.383.7500 www.iplocks.com TABLE OF

More information

REALTECH ChangePilot 1.0

REALTECH ChangePilot 1.0 1.0 (Version 2/2009) Introduction In times of globalization and rapid change, it is crucial for companies to adapt to changing conditions. Their agility is more and more determined by the ability of their

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

The McAfee SECURE TM Standard

The McAfee SECURE TM Standard The McAfee SECURE TM Standard December 2008 What is the McAfee SECURE Standard? McAfee SECURE Comparison Evaluating Website s Security Status Websites Not In Compliance with McAfee SECURE Standard Benefits

More information

Protect Your Connected Business Systems by Identifying and Analyzing Threats

Protect Your Connected Business Systems by Identifying and Analyzing Threats SAP Brief SAP Technology SAP Enterprise Threat Detection Objectives Protect Your Connected Business Systems by Identifying and Analyzing Threats Prevent security breaches Prevent security breaches Are

More information