Real world application security in five easy steps
Business white paper


Table of contents

Introduction
Executive summary
Step One: Build the business case to get funding
Step Two: Prioritize the important applications to assess first
Step Three: Find and build the resources to implement your program
Step Four: Now that scanning is complete, what's next? (Fixing vulnerabilities)
Step Five: Building security into the software development lifecycle
Conclusion
For more information

Introduction

If your organization is not taking a proactive, systematic approach to securing your Web applications, then you are leaving your infrastructure and sensitive data vulnerable to the most common, rapidly growing vector of IT attacks today. Web-based attacks often result in significant costs due to lost revenue, theft of sensitive customer information, and non-compliance with government and industry mandates. Unfortunately, more than three-quarters of all system attacks today are aimed directly at insecure Web applications.

Recent headlines show the danger associated with Web application security flaws. Last year, a federal grand jury indicted a number of hackers for allegedly breaching systems that belonged to many well-known retailers and large credit card payment processors. According to the U.S. Department of Justice, more than 130 million credit and debit cards were stolen. And, according to court documents, while the perpetrators visited store locations to monitor certain point-of-sale systems, it was application-level attacks, notably SQL injection, that made it relatively easy to plant malware on the victims' systems and then commit widespread, ongoing theft.

Fortunately, SQL injection flaws, like most Web application security flaws, from buffer overflows to cross-site scripting errors, are avoidable. Now, if the programming mistakes that create these vulnerabilities are preventable, why are Web application attacks on the rise? The answer is simple: many companies have yet to put into place the people, processes, and technology necessary to build their Web applications in a secure and sustainable way. Because so many types of attacks target Web applications, if consistent precautions are not taken, then it is not a matter of if an organization will be breached on the Web, but when, and to what extent.
Unfortunately, when the breach does occur, more often than not the security managers and security teams find themselves in the hot seat, trying to answer how and why this could have happened. While the security professional must answer to management following a breach, it is management that is ultimately answerable to customers, shareholders, and business partners.

Executive summary

By taking a few simple steps, organizations can considerably increase the security of their Web applications while cutting costs and improving regulatory compliance. This white paper explains how. It provides the guidance necessary to help your organization get started with a sustainable Web application security program, from building the business case to instilling the proper processes for success.

Step One: Build the business case to get funding

To avoid Web-related breaches, organizations need the resources to make certain that Web applications are designed, built, and maintained with security in mind, so that business risks are mitigated. And, to get the funding for developer training and the technology necessary to build an effective Web application security program, a strong business case must be presented to management. Not surprisingly, questions about how to make a winning argument for a Web application security program are among the most common questions that existing customers and prospects ask of HP Application Security Center consultants. Fortunately, a strong case for Web application security can be made.

Before delving into the details of how to build that business justification, let's cover one of the most common mistakes security managers make when they present the case for security funding to business managers: their presentations tend to focus too heavily on the technical risks and benefits associated with Web application security. That is a big mistake. Most non-IT managers do not necessarily understand or relate to the technical details of security.
They are not always familiar with buffer overflows. They have probably never heard of cross-site scripting or SQL injection. And, frankly, in most cases, they do not want, or need, to know. What they do need to understand, more than ever, is that Web application security vulnerabilities create a substantial risk of data breaches, cause regulatory non-compliance, and jeopardize customer loyalty. Understanding this is crucial to building the business case necessary to obtain the funds you need to put a Web application security program in place.

Here's how:

Demonstrate the frequency and the cost of security breaches

First, make it clear that data security breaches are on the rise, that they are costly, and that the data shows they are getting more expensive all the time. In fact, the cost of suffering a breach is probably much steeper than most business executives assume. The Ponemon Institute recently released its annual study, The Cost of a Data Breach [1], and found that the average cost per breached record reached $204 in 2009, up from $182 in Because most breaches involve thousands, if not tens of thousands, of records, it is easy for a single security incident to set an organization back hundreds of thousands, if not millions, of dollars. According to Ponemon, the total cost per breach, per organization, ranged from $613,000 to $32 million.

Illustrate the security requirements of regulatory compliance

Secondly, regulatory compliance calls for adequate data security. There has been much discussion in recent years about Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the myriad of statewide financial data breach disclosure laws. These mandates have had a significant impact on enterprise IT security initiatives. Failure to comply with such regulations can lead to significant penalties levied against both the corporation and, personally, against its directors: fines and even criminal prison sentences. This makes it vital that organizations are fully attentive to the information they hold about employees, customers, and suppliers. They need to know how this information is being used, stored, and shared, as well as the regulatory burdens that come with it. For instance, PCI DSS mandates that all Web applications be built based on secure coding guidelines, such as those provided by the Open Web Application Security Project (OWASP).
This includes reviews to find vulnerabilities such as non-validated inputs, cross-site scripting, poor session management, and others. The costs associated with regulatory fines are high, as are the costs of data breach notifications.

Customers, partners, and suppliers expect secure operations

Third, security is no longer a nice-to-have, or a should-have, aspect of doing business. Security simply is part of doing business today, and it is a primary concern of customers, business partners, and suppliers. When it comes to business-to-business relationships, it's increasingly common for partners and suppliers to want to review security policies. In some cases, they even ask to conduct their own security reviews of applications and infrastructure, especially when connecting networks. That is why, to build your business argument for Web application security, you also may want to visit an often overlooked department: marketing. Talk to product managers and the business owners of Web applications, and ask them for examples of partners, customers, and prospects who have asked about the organization's security program. Collect anecdotal evidence of customers and partners asking to review security policies and to conduct security reviews.

Finally, it's time to bring your argument close to home. The best way to achieve this is to take all of the business drivers for Web application security discussed above (regulatory compliance, customer demand, and cost of breaches) and map those realities to the current state of your Web application security. That is accomplished best by assessing an application, or set of applications, and then explaining the results to management. The next step highlights how to get started.
Step Two: Prioritize the important applications to assess first

With Web application security assessment software in hand (if your organization does not have a Web application assessment tool, there are plenty of demonstration versions readily available), it's now time to find a few business-critical Web applications and servers and conduct the assessment. In addition to building your business case, there are many reasons why your organization may need to conduct a Web application assessment. It could be to check the security status of a new Web application before deployment, or as part of a regulatory review, or simply to run an overall checkup on the security posture of the Web applications throughout the organization. Whatever the case, if the assessment will involve more than a handful of applications over time, you will need to prioritize which applications to assess first.

[1] Annual Study: Cost of a Data Breach, Ponemon Institute, January

Figure 1: Example of Application Security Priority Matrix

Application    Confidentiality   Integrity   Availability   Total
Registration   High              High        High           27
E-Store        Med               High        High           24
Blog           Low               Low         Low            9
Catalog        Low               Med         High           18

In order to create your business case, and for the sake of all-around security, start with the highest priority applications. However, "highest priority" is subjective and often depends on the type and size of the organization. For a retailer, for example, the highest priority (for security purposes) could be the applications and servers that help to support credit card transactions. A health care provider might be most concerned with all applications that touch patient health data, to meet HIPAA mandates. In these cases, the scope of the assessment would be for PCI DSS compliance or for HIPAA review. For an organization that is not regulated, determining the assessment scope could be as simple as scanning the most used applications, or the applications that handle the most sensitive data.

Depending on the size of your organization, it could be that even limiting focus to the high priority applications will not adequately limit your scope. So, it may be necessary to prioritize applications even within that scope. Figure 1 shows a chart inspired largely by the National Institute of Standards and Technology method for prioritizing applications for review. It is based on the traditional CIA (confidentiality, integrity, and availability) model. The idea is to rank applications based on the importance of confidentiality (HIPAA data, employee records), integrity (financial data, such as that used in financial reporting and inventories), and availability (e-commerce shopping cart, trading desk). A common strategy is to take the applications that ranked highest, assess them first, and then work down. But it's not always this straightforward. Higher priority applications may need a more thorough analysis than an automated security code review.
The application may require penetration testing by a skilled ethical hacker who has little to no knowledge of what the application does (known as a black-box test). Or, the assessment may be conducted by an evaluator who has limited knowledge of the application, comparable to the limited access an attacker would have, and who is sometimes even given credentials to the application (known as grey-box testing). The important thing to remember in this step is to bring systematic methodology to your Web application security assessments, and to prioritize all the applications in the organization so that none are left out and the most important are evaluated first. By using the same assessment toolset to measure the risk, you can start tracking real vulnerability statistics across your enterprise. Having a consistent way to measure this risk is crucial to creating a benchmark, so that a security policy can be created.

If you find yourself in the situation of a still-underfunded Web application security program, gather all the data you can about the security of your Web applications, both commercially bought and developed in-house. As you find sensitive data, put it in your reports and make it clear that outside attackers also could get hold of these data. Nothing drives the importance of Web application security home to executives more powerfully than seeing confidential corporate information in the reports. This exercise should go a long way in helping you get the additional budget you need.
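To make the Figure 1 scoring reproducible, here is an added Python example (not code from the white paper or from HP) that ranks applications on the CIA model and splits them into an assessment scope. The weights High = 9, Med = 6, Low = 3 are an assumption: the paper does not state its weights, but those values reproduce the figure's totals of 27, 24, 9 and 18. The tie-break on confidentiality is also this example's own choice.

```python
"""Application security priority matrix in the style of Figure 1.

Added example, not part of the HP white paper. The weights below are an
assumption chosen so the totals match the figure (27, 24, 9, 18).
"""
from dataclasses import dataclass

# Assumed weights per CIA rating (the paper does not state its weights).
RATING_WEIGHT = {"High": 9, "Med": 6, "Low": 3}


@dataclass(frozen=True)
class AppRating:
    name: str
    confidentiality: str   # e.g. HIPAA data, employee records
    integrity: str         # e.g. financial reporting, inventories
    availability: str      # e.g. shopping cart, trading desk

    def __post_init__(self):
        # Reject typos such as "Medium" so a bad rating cannot silently rank an app.
        for r in (self.confidentiality, self.integrity, self.availability):
            if r not in RATING_WEIGHT:
                raise ValueError(f"unknown rating {r!r}; use High, Med or Low")

    def score(self) -> int:
        """Sum of the three weighted ratings (the figure's Total column)."""
        return sum(RATING_WEIGHT[r] for r in
                   (self.confidentiality, self.integrity, self.availability))


def rank_applications(apps):
    """Assessment order: highest total first.

    Ties are broken by confidentiality, since confidentiality breaches are
    what HIPAA and PCI DSS penalise most directly (this example's assumption).
    """
    return sorted(apps,
                  key=lambda a: (a.score(), RATING_WEIGHT[a.confidentiality]),
                  reverse=True)


def assessment_plan(apps, threshold):
    """Split the ranked list into apps to assess now (score >= threshold)
    and apps deferred to a later round, so none are left out entirely."""
    ranked = rank_applications(apps)
    now = [a.name for a in ranked if a.score() >= threshold]
    later = [a.name for a in ranked if a.score() < threshold]
    return now, later


# The four applications from Figure 1 of the paper.
FIGURE_1_APPS = [
    AppRating("Registration", "High", "High", "High"),
    AppRating("E-Store", "Med", "High", "High"),
    AppRating("Blog", "Low", "Low", "Low"),
    AppRating("Catalog", "Low", "Med", "High"),
]

if __name__ == "__main__":
    print(f"{'Application':<14}{'C':<6}{'I':<6}{'A':<6}Total")
    for app in rank_applications(FIGURE_1_APPS):
        print(f"{app.name:<14}{app.confidentiality:<6}{app.integrity:<6}"
              f"{app.availability:<6}{app.score()}")
    now, later = assessment_plan(FIGURE_1_APPS, threshold=18)
    print("Assess first:", now)
    print("Assess later:", later)
```

Run as a script it prints the ranked matrix. The threshold is the organization's own choice; anything below it is deferred, not dropped, which keeps this step's rule that no application is left out.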

Figure 2: Cost to fix security defects (relative cost by phase: Design 1X, Development 6.5X, Testing 15X, Deployment 100X)

Step Three: Find and build the resources to implement your program

Application security is a team effort. Companies that have successful programs in place have high-level executive sponsorship, and it is not just the security teams that are involved. Application developers, QA, compliance, and audit teams all should be part of it. With high-level executive sponsorship, you are more likely to be able to get the people and resources you need for success.

How do you get that sponsorship? Explain to executives why Web application security is in their best interest. Like many people, executives are keen to look out for their own as well as their companies' interests. If you can convince them that their image and the health of the business would be damaged if your applications were infiltrated, then you can hold their attention. That means your best bet is to explain how security issues can damage the executive's position and the company. Take the overall business case, previously discussed, and explain to a number of executives the very real-world risks to them, as well as to the organization, that could result from inadequate Web application security. These executives will most likely care about how Web application security (or the lack thereof) can affect downtime, as well as lost business and the costs to recover from a breach. Be certain to use recent breaches and regulatory fines as examples.

As you make your case, highlight all the good things the security program has achieved already: the efforts to lock down the network, keep out malware, and rapidly put operating system patches in place. Then explain that, because upwards of 75 percent of attacks now target Web applications, that is where the program must go next. Stress how Web application security will increase availability for sales, and protect privacy, confidential customer and corporate data, and intellectual property.
Then, explain how security defects should be treated and fixed in the same way as functional defects. That helps ensure that security problems are caught early in the development cycle, when they cost less, much less, to fix (see Figure 2). Saving money, reducing risk, and making it easier to achieve regulatory compliance should help you win the executive sponsorship necessary to get the budget you need to make your program succeed.

Another powerful resource for your program is the developer community within your organization. Rather than assessing applications and demanding that developers fix the flaws that are uncovered, an approach that only will build animosity over time, it is better to co-opt the development and quality assurance groups. Send them to security conferences where application security is discussed. Provide members of the development teams with Web application security training. There are lots of conferences and training opportunities, from the SANS (SysAdmin, Audit, Network, Security) Institute to OWASP and others. Once developers understand how security flaws actually undermine the functionality of their applications, they can be partners in driving security adoption throughout the application development lifecycle.

Figure 3: Ingredients for application security success. Application security is everyone's responsibility:
People: four groups/teams (business, development, QA, security); action: educate and empower
Process: build security in; repeatable and predictable; best practices; enterprise policies and standards
Technology: enterprise security platform; automated solutions; built-in security knowledge
Communication

Another ally you want is the quality assurance (QA) team. Get the QA team armed with tools that help it test for security defects as part of regular QA testing. By bringing developers and QA into the fold, you are helping to bridge the gap that typically exists in organizations between the security, development, and QA teams. Training these groups, and giving them the tools they need to find security defects, will go a long way toward closing that gap. Developers and QA will no longer feel that security issues can simply be tossed to the security group and forgotten. They will come to realize that they are actually responsible for a good part of the organization's security.

Step Four: Now that scanning is complete, what's next? (Fixing vulnerabilities)

This section assumes you already have conducted a scan on one or more of your critical applications. There are many resources available that provide guidance on running a Web application assessment. Consider reading Web application security guides, such as the OWASP Testing Project Guide, for more information. Once the scan is complete, the next stage is to categorize and prioritize the vulnerabilities uncovered. In this process, you first list your most critical vulnerabilities: those with the highest potential for negative impact on the systems that are most important to your organization. Then, list the other vulnerabilities in descending order based on risk and business impact. Once you have categorized and prioritized vulnerabilities, the next step is to estimate the effort and the resources needed to implement the fix.
The idea is to fix the highest-risk vulnerabilities first, and to structure your remediation efforts to capitalize on time: for example, by starting early on the flaws that could take the longest to repair (so they don't hold up production), and by grouping duplicate vulnerabilities so that one effort fixes many instances. The time or difficulty estimates can be as simple as easy, medium, and hard. Remediation work will begin not only with the problems that pose the greatest risk, but also with those that will take the longest time to correct. For instance, get started first on fixing the complex vulnerabilities that could take considerable time, and wait to work on the half-dozen medium defects that can be rectified in an afternoon. By following this process, you will not fall into the trap of having to extend development time or delay an application rollout because it has taken longer than expected to fix all of the security-related flaws. This process also provides ample opportunity for collaboration and ongoing contact with application auditors and developers. You now have an attainable roadmap to track.

When developers have mended the vulnerabilities, it is time to verify the security posture of the application with a reassessment, or regression testing. For this, it is crucial that the developers are not the only ones charged with assessing their own code. They already should have completed their own verification. It is vital that an independent entity, whether an in-house team or an outsourced consultant, review the code to ensure everything has been done right. Also, another set of eyes will provide a fresh perspective on the security of your applications.
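The categorize, prioritize and estimate sequence above, worked through as an added Python example (not the white paper's or any HP product's code). The findings and the application priorities are constructed sample data; the ordering rules (risk first, then the importance of the affected application, then the longest fix first) and the folding of duplicate findings into one work item are this example's own choices, made to follow the text.

```python
"""Remediation roadmap from scan findings, following Step Four.

Added example, not part of the HP white paper. Findings, application
priorities and the ordering rules are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
EFFORT_RANK = {"hard": 3, "medium": 2, "easy": 1}   # the paper's easy/medium/hard scale


@dataclass(frozen=True)
class Finding:
    vuln_class: str    # e.g. "SQL injection"
    app: str
    location: str      # page or parameter where the scanner reported it
    risk: str
    effort: str        # estimated by the team that will fix it


@dataclass
class WorkItem:
    vuln_class: str
    app: str
    risk: str
    effort: str
    locations: list


def group_duplicates(findings):
    """Fold findings of the same class in the same application into one item.

    One fix (a shared query helper, an output encoder) usually closes every
    instance, so effort is estimated once per class rather than per location.
    The group inherits the worst risk and the largest effort of its members.
    """
    groups = defaultdict(list)
    for f in findings:
        groups[(f.vuln_class, f.app)].append(f)
    items = []
    for (vuln_class, app), fs in groups.items():
        risk = max(fs, key=lambda f: RISK_RANK[f.risk]).risk
        effort = max(fs, key=lambda f: EFFORT_RANK[f.effort]).effort
        items.append(WorkItem(vuln_class, app, risk, effort, [f.location for f in fs]))
    return items


def remediation_order(findings, app_priority):
    """Highest risk first; within a risk level, the most important application
    first; then the longest fix first so it does not hold up the release."""
    items = group_duplicates(findings)
    return sorted(items,
                  key=lambda w: (RISK_RANK[w.risk], app_priority.get(w.app, 0),
                                 EFFORT_RANK[w.effort]),
                  reverse=True)


# Constructed sample data. Priorities reuse the Figure 1 totals.
APP_PRIORITY = {"Registration": 27, "E-Store": 24, "Catalog": 18, "Blog": 9}

SAMPLE_FINDINGS = [
    Finding("SQL injection", "E-Store", "/search?q", "Critical", "hard"),
    Finding("SQL injection", "E-Store", "/product?id", "Critical", "medium"),
    Finding("Cross-site scripting", "Blog", "/comment body", "High", "easy"),
    Finding("Session fixation", "Registration", "/login", "High", "medium"),
    Finding("Missing input validation", "Catalog", "/filter?color", "Medium", "easy"),
    Finding("Cross-site scripting", "Registration", "/profile name", "High", "hard"),
    Finding("Verbose error page", "Blog", "/404", "Low", "easy"),
]

if __name__ == "__main__":
    for n, w in enumerate(remediation_order(SAMPLE_FINDINGS, APP_PRIORITY), 1):
        print(f"{n}. [{w.risk}/{w.effort}] {w.vuln_class} in {w.app}: "
              f"{len(w.locations)} location(s)")
```

The roadmap this produces is the list to hand to developers and to re-verify afterwards; an independent reassessment should check every location recorded in a work item, not only the first one fixed.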

Step Five: Building security into the software development lifecycle

It is clear that organizations can mitigate an enormous amount of risk by strengthening Web application security through secure design and development. Secure application development reduces the cost of fixing security vulnerabilities and of maintenance (by catching them early). It also reduces the costs associated with data breaches. The secret to success is not in the one-time assessment, but in building security into the software development lifecycle. A secure Software/Systems Development Lifecycle (SDLC) means having the policies and procedures in place that consider and enforce secure development from application conception, through defining functional and technical requirements, coding, and quality testing, to the life of the application in production.

With a new application design, a secure SDLC means bringing the security group, or at least someone who is familiar with Web application security, into the discussion at the onset. This way, the application can be modeled properly. And when IT security has input throughout the process, security issues are much less likely to surface later in the lifecycle, and that helps ensure that small problems do not become big security events.

For a secure SDLC to succeed, developers must code securely. They need to be trained to incorporate security best practices and checklists in their work. For databases, they must check query filtering. For application fields, they must validate proper input handling. Putting these types of procedures in place can improve security dramatically during the development process. Having developers check field inputs and look for common programming mistakes as the application is being written also will make future application assessments flow much more smoothly. Despite developer training and secure coding practices being followed, no application is developed perfectly.
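What "check query filtering" and "validate proper input handling" look like in code, together with the kind of security regression test that Step Three asks the QA team to run, as an added Python example rather than code from the white paper or from HP. It uses only the standard library; the customer table is constructed in-memory sample data, and the allow-list rule for the e-mail field is an assumption.

```python
"""Query filtering and input validation, with a QA-style regression check.

Added example, not part of the HP white paper. The database is an
in-memory sqlite3 table with constructed rows so the example runs offline.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: two customers with masked card digits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, "
                 "email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("alice@example.com", "4242"), ("bob@example.com", "1881")])
    return conn


def lookup_unsafe(conn, email):
    """The defect the paper warns about: the field value is spliced into the
    SQL text, so the database parses whatever the user typed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


# Assumed allow-list for the e-mail field; adjust to the application's rules.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value):
    """Field-level input validation: accept only the expected shape and length."""
    if not isinstance(value, str) or len(value) > 254 or not EMAIL_RE.match(value):
        raise ValueError("invalid email address")
    return value


def lookup_safe(conn, email):
    """Query filtering done right: validate the field, then bind it as a
    parameter so the database only ever treats it as data."""
    email = validate_email(email)
    return conn.execute("SELECT email, card_last4 FROM customers WHERE email = ?",
                        (email,)).fetchall()


def qa_regression_check(lookup):
    """QA test for either lookup: a value containing a quote and an OR clause
    must never match rows it was not meant to. Returns True when the lookup
    rejects it or returns nothing, False when the defect is present."""
    conn = make_db()
    crafted = "x' OR '1'='1"
    try:
        rows = lookup(conn, crafted)
    except ValueError:
        return True          # rejected by validation; no query was run
    return len(rows) == 0


if __name__ == "__main__":
    print("unsafe lookup passes QA check:", qa_regression_check(lookup_unsafe))
    print("safe lookup passes QA check:  ", qa_regression_check(lookup_safe))
```

The point of `qa_regression_check` is that it is a functional-style test QA can keep in the regular suite: it needs no security expertise to run, and it fails the build if the unsafe form ever comes back.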
That's why the next major phase of the SDLC is crucial: that is when the entire application, or a module, is sent for formal QA testing. While most organizations test for functional requirements and availability at this stage, organizations employing the secure SDLC will add security testing, conducted by quality assurance and security assessors. Some people tend to skip processes when deadlines and pressures loom. That is an area in which technology can play a significant role. The right tools will help to automate many of the tasks developers, security teams, and QA must do to conform to secure development practices. The right tools also will make certain that the application development and management framework is in place to maintain a portfolio of secure Web applications.

How the right tools help reinforce and maintain secure development

While many application security vendors offer solutions to some pieces of the secure development lifecycle, such as application security assessments, only HP Application Security Center brings all of the pieces together. It helps your developers, QA teams, and security professionals to assess application security risks quickly by detecting and correcting security vulnerabilities. HP Application Security Center security testing applications provide common security policy definitions, automated security tests, centralized permissions control, and Web-based access to security information. These applications and services include:

HP WebInspect: HP WebInspect performs Web application security testing and assessment for today's complex Web applications, built on emerging Web 2.0 technologies. HP WebInspect delivers fast scanning capabilities, broad security assessment coverage, and accurate Web application security scanning results. HP WebInspect identifies security vulnerabilities that are undetectable by traditional scanners.
With innovative assessment technology, such as simultaneous crawl and audit (SCA) and concurrent application scanning, you get fast and accurate automated Web application security testing and Web services security testing.

HP QAInspect: HP QAInspect enables you to manage and conduct functional testing and Web site security testing from a single platform, without the need for specialized security knowledge. HP QAInspect also features deep and intuitive integrations, helping you test Web applications for security without leaving the QA environment. It finds and then prioritizes Web application security vulnerabilities and presents detailed information and remediation advice for each vulnerability. With this software, you can incorporate fully automated Web site security testing into the overall test management process without affecting aggressive product release schedules.

HP Assessment Management Platform (AMP): A standard for advanced, global security programs, HP AMP is a distributed, scalable Web application security testing platform that helps you address the complexities of today's Web application security testing and scanning programs. It lets all constituents get information about application security vulnerabilities and participate in the assessment and remediation process without losing centralized control. With HP AMP, organizations can perform unlimited automated Web application security testing and assessments, while consolidating information into a real-time, high-level dashboard view of the enterprise's current risk posture and regulatory compliance. This consolidates and summarizes the organization's application security status so that you easily can assess and remedy security vulnerabilities in your applications.

Application Security Center on HP SaaS: As organizations continue to grapple with smaller IT security staffs, leaner budgets, and new regulatory compliance mandates, the demand for reliable, cost-effective Web application security audits and assessments increases. An efficient Software-as-a-Service (SaaS) assessment platform helps to address all of these challenges. HP SaaS brings the experience, technology, and processes necessary to help you start and maintain an enterprise-class application security program.

Conclusion

HP Application Security Center offers application security technologies and services that enable your organization to stay protected from costly security breaches, remain compliant with government and industry regulations, and even reduce the long-term costs associated with application maintenance. It is crucial that application security is addressed throughout the entire lifecycle. HP and the HP Application Security Center have the expertise and tools (Assessment Management Platform, WebInspect, QAInspect) to get you there.
For more information

For more information on the HP Application Security Center, contact your local HP representative or visit

Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

4AA0-1273ENW, February 2010

HP Application Security Center

HP Application Security Center HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and

More information

Table of contents. Web application security: too costly to ignore. White paper

Table of contents. Web application security: too costly to ignore. White paper Web application security: too costly to ignore White paper Table of contents Web application security: too costly to ignore.... 2 Web application security: solving a complex challenge.... 3 Toward continuous

More information

HP Fortify Software Security Center

HP Fortify Software Security Center HP Fortify Software Security Center Proactively Eliminate Risk in Software Trust Your Software 92% of exploitable vulnerabilities are in software National Institute for Standards and Technology (NIST)

More information

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software Accelerating Software Security With HP Rob Roy Federal CTO HP Software If we were in a cyberwar today, the United States would lose. Mike McConnell Former DNI, NSA. Head of Booz Allen Hamilton National

More information

Table of contents. Best practices in open source governance. Managing the selection and proliferation of open source software across your enterprise

Table of contents. Best practices in open source governance. Managing the selection and proliferation of open source software across your enterprise Best practices in open source governance Managing the selection and proliferation of open source software across your enterprise Table of contents The importance of open source governance... 2 Executive

More information

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

IBM Rational AppScan: enhancing Web application security and regulatory compliance. Strategic protection for Web applications To support your business objectives IBM Rational AppScan: enhancing Web application security and regulatory compliance. Are untested Web applications putting your

More information

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks Business white paper Missioncritical defense Creating a coordinated response to application security attacks Table of contents 3 Your business is under persistent attack 4 Respond to those attacks seamlessly

More information

Best Practices - Remediation of Application Vulnerabilities

Best Practices - Remediation of Application Vulnerabilities DROISYS APPLICATION SECURITY REMEDIATION Best Practices - Remediation of Application Vulnerabilities by Sanjiv Goyal CEO, Droisys February 2012 Proprietary Notice All rights reserved. Copyright 2012 Droisys

More information

Table of contents. Performance testing in Agile environments. Deliver quality software in less time. Business white paper

Table of contents. Performance testing in Agile environments. Deliver quality software in less time. Business white paper Performance testing in Agile environments Deliver quality software in less time Business white paper Table of contents Executive summary... 2 Why Agile? And, why now?... 2 Incorporating performance testing

More information

Moving to the Cloud? Take Your Application Security Solution with You. A WhiteHat Security Whitepaper. September 2010

Moving to the Cloud? Take Your Application Security Solution with You. A WhiteHat Security Whitepaper. September 2010 Moving to the Cloud? Take Your Application Security Solution with You September 2010 A WhiteHat Security Whitepaper 3003 Bunker Hill Lane, Suite 220 Santa Clara, CA 95054-1144 www.whitehatsec.com Introduction

More information

HP and netforensics Security Information Management solutions. Business blueprint

HP and netforensics Security Information Management solutions. Business blueprint HP and netforensics Security Information Management solutions Business blueprint Executive Summary Every day there are new destructive cyber-threats and vulnerabilities that may limit your organization

More information

Application Security Center overview

Application Security overview Magnus Hillgren Presales HP Software Sweden Fredrik Möller Nordic Manager - Fortify Software HP BTO (Business Technology Optimization) Business outcomes STRATEGY Project &

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Managing business infrastructure White paper Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities. September 2008 2 Contents 2 Overview 5 Understanding

HP Server Automation Standard

Data sheet HP Server Automation Standard Lower-cost edition of HP Server Automation software Benefits Time to value: Instant time to value especially for small-medium deployments Lower initial investment:

Seven Practical Steps to Delivering More Secure Software. January 2011

Seven Practical Steps to Delivering More Secure Software January 2011 Table of Contents Actions You Can Take Today 3 Delivering More Secure Code: The Seven Steps 4 Step 1: Quick Evaluation and Plan 5 Step

Table of contents. Enterprise Resource Planning (ERP) functional testing best practices: Ten steps to ERP systems reliability

Enterprise Resource Planning (ERP) functional testing best practices: Ten steps to ERP systems reliability Table of contents Introduction... 2 Step 1:

Manage projects effectively

Business white paper Manage projects effectively HP Project and Portfolio Management Center and HP Agile Manager Table of contents 3 Executive summary 3 The HP Solution Invest in what matters most then

IBM Rational AppScan: Application security and risk management

IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM

Web application security Executive brief Managing a growing threat: an executive's guide to Web application security.

Web application security Executive brief Managing a growing threat: an executive's guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction

Reining in the Effects of Uncontrolled Change

WHITE PAPER Reining in the Effects of Uncontrolled Change The value of IT service management in addressing security, compliance, and operational effectiveness In IT management, as in business as a whole,

IT Security & Compliance. On Time. On Budget. On Demand.

IT Security & Compliance On Time. On Budget. On Demand. IT Security & Compliance Delivered as a Service For businesses today, managing IT security risk and meeting compliance requirements is paramount

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

Business Opportunity Enablement through Information Security Compliance

Level 3, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 Business Opportunity Enablement through Information Security Compliance Page No.1 Business Opportunity Enablement

BRIDGE. the gaps between IT, cloud service providers, and the business. IT service management for the cloud. Business white paper

BRIDGE the gaps between IT, cloud service providers, and the business. IT service management for the cloud Business white paper Executive summary Today, with more and more cloud services materializing,

OVERVIEW. With just 10,000 customers in your database, the cost of a data breach averages more than $2 million.

Security PLAYBOOK OVERVIEW Today, security threats to retail organizations leave little margin for error. Retailers face increasingly complex security challenges: persistent threats that can undermine the

Application Security 101. A primer on Application Security best practices

Application Security 101 A primer on Application Security best practices Table of Contents Introduction... 1 Defining Application Security... 1 Managing Risk... 2 Weighing AppSec Technology Options... 3 Penetration

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

Integrated Threat & Security Management.

Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

Leveraging a Maturity Model to Achieve Proactive Compliance

Leveraging a Maturity Model to Achieve Proactive Compliance White Paper: Proactive Compliance Leveraging a Maturity Model to Achieve Proactive Compliance Contents Introduction...

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 www.redspin.com Introduction This paper discusses the relevance and usefulness of security penetration

DEMONSTRATING THE ROI FOR SIEM

DEMONSTRATING THE ROI FOR SIEM Tales from the Trenches HP Enterprise Security Business Whitepaper Introduction Security professionals sometimes struggle to demonstrate the return on investment for new

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis Document Scope This document aims to assist organizations comply with PCI DSS 3 when it comes to Application Security best practices.

Managing Vulnerabilities For PCI Compliance

Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF

Mobile Application Security Study

Report Mobile Application Security Study 2013 report Table of contents 3 Report Findings 4 Research Findings 4 Privacy Issues 5 Lack of Binary Protection 5 Insecure Data Storage 5 Transport Security 6

Effective Software Security Management

Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

White Paper: PCI DSS 3. New Standard but Same Problems?

White Paper: PCI DSS 3 New Standard but Same Problems? Introduction Cardholder data continues to be a target for criminals. Lack of education and awareness around payment security and poor implementation

Real-Time Security for Active Directory

Real-Time Security for Active Directory Contents The Need to Monitor and Control Change... 3 Reducing Risk and Standardizing Controls... 3 Integrating Change Monitoring... 4 Policy Compliance... 4 The

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Managing Vulnerabilities for PCI Compliance White Paper Christopher S. Harper Managing Director, Agio Security Services PCI STRATEGY Settling on a PCI vulnerability management strategy is sometimes a difficult

The Business Case for Security Information Management

The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan The Business Case for Security Information Management... 1 Un

Fortify. Securing Your Entire Software Portfolio

Fortify 360 Securing Your Entire Software Portfolio Fortify Fortify's holistic approach to application security truly safeguards our enterprise against today's ever-changing security threats. Craig Schumard,

How To Test For Security On A Network Without Being Hacked

A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few

the limits of your infrastructure. How to get the most out of virtualization

the limits of your infrastructure. How to get the most out of virtualization Business white paper Table of contents Executive summary... 4 The benefits of virtualization?... 4 How people and processes add

Why cloud backup? Top 10 reasons

Why cloud backup? Top 10 reasons HP Autonomy solutions Table of contents 3 Achieve disaster recovery with secure offsite cloud backup 4 Free yourself from manual and complex tape backup tasks 4 Get predictable

Avoiding the Top 5 Vulnerability Management Mistakes

WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We've entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability

VOLUME 3. State of Software Security Report. The Intractable Problem of Insecure Software

VOLUME 3 State of Software Security Report The Intractable Problem of Insecure Software Executive Summary April 19, 2011 Executive Summary The following are some of the most significant findings in the

PCI Solution for Retail: Addressing Compliance and Security Best Practices

PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security The problem Cyber attackers are targeting applications

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that: the services of our in-house experts, many of them global

Simply Sophisticated. Information Security and Compliance

Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

How to start a software security initiative within your organization: a maturity based and metrics driven approach Marco Morana OWASP Lead/ TISO Citigroup OWASP Application Security For E-Government Copyright

Getting Started with Web Application Security

Getting Started with Web Application Security Written by Gregory Leonard February 2016 Sponsored by Veracode 2016 SANS Institute Since as far back as 2005, 1 web applications have been attackers' predominant target for the rich data that can be pulled

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER Regulatory compliance. Server virtualization. IT Service Management. Business Service Management. Business Continuity planning.

A tour of HP Sarbanes-Oxley IT assessment accelerator. White paper

A tour of HP Sarbanes-Oxley IT assessment accelerator White paper Table of Contents Introduction... 3 Sarbanes-Oxley and the ITGC Environment... 4 COBIT framework of ITGC... 4 Creating a compliance testing

Five Steps to Achieve Risk-Based Application Security Management Make application security a strategically managed discipline

IBM Security Thought Leadership White Paper Five Steps to Achieve Risk-Based Application Security Management Make application security a strategically managed discipline July 2015 2 Five Steps to Achieve

PCI Compliance for Healthcare

PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability)... 4 Concerns and Opportunities

How To Standardize Itil V3.3.5

Business white paper Standardize your ITSM An HP approach based on best practices Table of contents 3 Introduction 3 Benefits and challenges 5 The HP approach to standardizing ITSM 6 Establish an IT operations

Vulnerability Management

Vulnerability Management Buyer's Guide Buyer's Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

HP Software Licensing and Management Solutions (SLMS) Helping organizations maximize their software investment.

HP Software Licensing and Management Solutions (SLMS) Helping organizations maximize their software investment. Three smart reasons to choose HP SLMS as your organization's software provider 1 Acquire

Solution brief. HP solutions for IT service management. Integration, automation, and the power of self-service IT

Solution brief HP solutions for IT service management Integration, automation, and the power of self-service IT Make IT indispensable to the business. Turn IT staff into efficient, cost-cutting rock stars.

The top 10 misconceptions about performance and availability monitoring

The top 10 misconceptions about performance and availability monitoring Table of contents Introduction... 3 The top 10 misconceptions about

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction New security threats are emerging all the time, from new forms of malware and web application exploits that target

Managing data security and privacy risk of third-party vendors

Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION

Information Security Services

Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

White Paper. Business Continuity and Breach Protection: Why SSL Certificate Management is Critical to Today's Enterprise

WHITE PAPER: BUSINESS CONTINUITY AND BREACH PROTECTION White Paper Business Continuity and Breach Protection: Why SSL Certificate Management is Critical to Today's Enterprise Business Continuity and Breach

The PCI Dilemma. COPYRIGHT 2009. TecForte

The PCI Dilemma Today, all service providers and retailers that process, store or transmit cardholder data have a legislated responsibility to protect that data. As such, they must comply with a diverse

The case for a hybrid web optimization strategy

Business white paper The case for a hybrid web optimization strategy Combining the best of managed services and self-service Table of contents 3 Considerations when creating a web optimization strategy

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review

Is your business prepared for Cyber Risks in 2016

Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting

Brochure. Update your Windows. HP Technology Services for Microsoft Windows 2003 End of Support (EOS) and Microsoft Migrations

Brochure Update your Windows HP Technology Services for Microsoft End of Support (EOS) and Microsoft Migrations Stabilize and secure your infrastructure Microsoft will end support for Windows Server 2003/R2

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare


Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life Executive s Guide to Windows Server 2003 End of Life Facts About Windows Server 2003 Introduction On July 14, 2015 Microsoft will end support for Windows Sever 2003 and Windows Server 2003 R2. Like Windows

More information

Table of contents. Standardizing IT Service Management. Best practices based on HP experience in ITSM consolidation. White paper

Standardizing IT Service Management Best practices based on HP experience in ITSM consolidation White paper Table of contents Go!... 2 Benefits and challenges... 2 The HP approach to standardizing ITSM...

Real-time hybrid analysis:

Real-time hybrid analysis: Find more, fix faster Technology white paper Brian Chess, Ph.D., Distinguished Technologist, HP Founder and Chief Scientist, HP Fortify Summary Real-time hybrid analysis marks a substantial evolution

The Seven Deadly Myths of Software Security Busting the Myths

The Seven Deadly Myths of Software Security Busting the Myths With the reality of software security vulnerabilities coming into sharp focus over the past few years, businesses are wrestling with the additional

Best Practices for Building a Security Operations Center

OPERATIONS SECURITY Best Practices for Building a Security Operations Center Diana Kelley and Ron Moritz If one cannot effectively manage the growing volume of security events flooding the enterprise,

Agile and the cloud: why automating application deployment matters. Executive summary. Applications are the business

Agile and the cloud: why automating application deployment matters Business white paper Executive summary Agile development methodologies and the cloud computing model have increased the pace of deployment

PCI DSS Reporting WHITEPAPER

WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

Three simple steps to effective service catalog and request management

Three simple steps to effective service catalog and request management Prepare for cloud initiatives and get incremental ROI with self service catalog and request management Business white paper Executive

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today's Most Common Cyber Attacks When web

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

Delivering IT Security and Compliance as a Service

Delivering IT Security and Compliance as a Service Matthew Clancy Technical Account Manager Qualys, Inc. www.qualys.com Agenda Technology Overview The Problem: Delivering IT Security & Compliance Key differentiator:

Imperva Cloud WAF. How to Protect Your Website from Hackers.

How to Protect Your Website from Hackers Web attacks are the greatest threat facing organizations today. In the last year, Web attacks have brought down businesses of all sizes and resulted in massive-scale data

Vulnerability management lifecycle: defining vulnerability management

Vulnerability management lifecycle: defining vulnerability management Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By


OPEN SOURCE SECURITY STUDY

OPEN SOURCE SECURITY STUDY How Are Open Source Development Communities Embracing Security Best Practices? HP Enterprise Security Business Whitepaper Executive Summary Open source now permeates more than

CIO survey: All's not well at endpoints

Business white paper CIO survey: All's not well at endpoints HP Autonomy's ediscovery market offering Table of contents 4 Understanding the need 4 Endpoint asset 4 Endpoint liability 5 Understanding the

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

Web Security. Discovering, Analyzing and Mitigating Web Security Threats

Web Security Discovering, Analyzing and Mitigating Web Security Threats Expectations and Outcomes Mitigation strategies from an infrastructure, architecture, and coding perspective Real-world implementations


Your world runs on applications. Secure them with Veracode.

Application Risk Management Solutions Your world runs on applications. Secure them with Veracode. Software Security Simplified Application security risk is inherent in every organization that relies on