Selling HP Fortify Solutions
- Stuart Kennedy
- 10 years ago
Selling HP Fortify Solutions for HP Channel Partners

Sales Playbook

There has never been a better time to sell HP's security solutions. Trends in Big Data, cloud, and mobile fuel growing enterprise risk, while attackers get stronger and more intent on compromising an organization's key assets. We are in a time of significant change, and security has become a board-level discussion. The CISO sits at the heart of the response to this growing threat landscape, often with an increased budget. But security leadership is under immense pressure because applications are the target and have become the single biggest security headache for organizations. You have market-leading application protection solutions and services that continue to set the direction for the industry. This playbook will help you take advantage of this tremendous opportunity.

Work the ESP sales process
1) Understand Customer
2) Validate Opportunity
3) Qualify Opportunity
4) Develop and Propose
5) Negotiate and Close
6) Won and Deploy
7) Won and Expand

Elevator pitch
HP Fortify saves money and measurably reduces risk from software. HP Fortify's comprehensive suite of software security solutions finds security vulnerabilities in applications, automates the process of fixing them by securing the software development lifecycle (SDLC), and protects applications against attack in production. HP Fortify is the market leader, as confirmed by the Gartner Magic Quadrant, and gives customers the choice of on-premise, as-a-service, or a combination of both to assess, assure, and protect applications. We have the industry's largest software security research group, which improves time-to-value by discovering security threats early in the process, reducing costs and increasing revenue. Our best-in-class source code analysis detects vulnerabilities across 21 languages, reduces false positives, and is widely used to assess, assure, and protect applications.

What's in it for me?
Win with a leader. Since HP Fortify dominates its market, participate in that leadership position by expanding current customers and attacking whitespace in ESP accounts.
Easy-to-sell SaaS innovation. HP Fortify on Demand security-as-a-service is fast growing, easy to get started with, and offers rapid time-to-value in software security.
Sell the business value and you will increase deal size, accelerate deal closure, increase credibility with your customer, lower discounting, and win more business.

4 November 201. HP Restricted. For HP and Channel Partner Internal use only.
Senior Sales Execs say: start with business value

Don't lead with a product or technology conversation. Start your discovery process by listening carefully and focusing on business value. Tailor your talking points to the person and his or her role. Here's how senior sellers do it:

1) GAIN CREDIBILITY. Show genuine interest in your customer's situation. Understand the demands of their role and walk in with some understanding of their industry, company, environment, and the professional challenges they face. For example, the CISO would be interested in reducing time-to-market, and the Director of Application Security might be interested in fixing vulnerabilities before software release. Understand their maturity level regarding security and risk management. And then listen.
You: We're here to help. We understand your problem. We know how to make you look better and do your job more efficiently. We've done it for your peers.
Help them take an initiative to the business. Help them understand the expected business value of their roadmap. For example, in 24 months, we will have certain technical capabilities that will result in business outcomes such as better assessment and protection. Having a strategy helps reduce the risk associated with their initiatives.
You: This is where you want to go. These are the solution areas we should probably talk about. But it's easier and better if the solutions already have some integration and support each other from an outcome perspective.

2) TALK RISK. Move the conversation to the risk around the critical business processes that must be protected from the consequences of releasing an application with security vulnerabilities. Mention other customers in their industry, or with their problem, that HP has helped. Don't miss the opportunity to generate the intangible value: why they should invest with HP rather than in an internally developed cheap alternative.
You: Why does your business or department or agency exist? What does it do, and where does IT support those endeavors?
Now you know why they have IT. Drill down to understand where they are and where they might want to go on their security journey. Lead them in a conversation about what can go wrong. You've started doing a risk assessment.
You: What are the biggest risks that you are trying to minimize? What happens when the software doesn't work, or what happens if someone comes in and attacks those applications? What happens if the software development process has gaps or flaws causing it to break down?

3) VISUALIZE AND QUANTIFY IMPACT. Now talk about impact. You understand what they are trying to protect. Start to make it real and quantify the possible impacts. The Resources section identifies some tools.
You: What is it you're trying to protect? What is the chance of this actually happening? Is that a physical impact? Is that a dollars-and-cents impact?

4) DETERMINE APPETITE FOR SOLVING. From there, you determine whether they've got a problem that's really worth solving, or whether they are simply checking the HP Fortify box ("someone told me I need to secure my applications"). Of course, the former is more productive than the latter. Frequently, an Assessment is a great place to start, addressing the customer's pain points and determining customer commitment. Once they see the potential value of HP Fortify from the Assessment, the investment discussion becomes much easier.

5) MAKE IT THEIR IDEA. It's best if they envision a solution idea. They have to come up with the funding, and they have to be very invested in the idea the executive team will respond to. All this, and you still haven't necessarily had a conversation about technology.

Remember: sell the business value, and you'll increase deal size, accelerate deal closure, increase credibility with your customer, lower discounting, and win more business.
Trends for your talk track

Software is everywhere. It is only getting more complex, more open source, more outsourced, and more mobile; 80% of successful attacks target software, even while control of software is slipping. Customers don't have a plan to deal with this, and they don't understand the negative impact that mobile and cloud have on their security posture.

Hackers have become very skilled at exploiting application-layer vulnerabilities in software to steal sensitive data or intellectual property, or to manipulate transactions. These attacks frequently result in business interruption, brand damage, and significant financial loss. Depending on your source, between 75% and 85% of security breaches today take place in applications.

Breaches are frequently taking place in the application layer. Historically, companies spent money on protecting what is tangible: the network and hardware. But software is a different matter for security folks. It's outside their control, it's developed by someone else, and it's complex with all its moving parts and dependencies. Companies for a long time believed that if you protected the perimeter, the software would be unreachable. However, that has not proven to be the case. Software has become the new entry point. Why? Software is the lifeblood of the business and is an attractive target, having been ignored from a security standpoint for so long. The most valuable information in any company is accessible through its applications, and the data stolen from them can be highly profitable.

- 69% of CISOs listed application security as their biggest threat.
- 84% of new breaches take advantage of threats associated with applications.
- Although mobile application security is the primary focus of 56% of organizations, nearly half (48%) admit to a lack of mobile testing expertise.
- [figure missing in source] million apps are available through Apple's App Store and Google Play.

Build a compelling business case
The outcome of a value-focused conversation with your customer is a clear understanding of their challenges and how they map to our business benefits. Engage multiple stakeholders to refine your understanding of customer strategies, initiatives, and key performance indicators. If the customer argues, it's a good thing: they're engaged and willing to share details you can use. Expect to iterate, and don't be afraid to ask for help; contact HP at [email protected]. Build a compelling business case for your customer using the HP ROI Analyst solution: roianalyst.hp.com/roianalyst/authenticatelogin.do
Take a risk-based, adversary-centric approach

Historically, attackers were interested in defacing websites. Today, attackers are after financial gain or highly sensitive information. Efforts will continue to fail to make us secure because they lack focus on the adversary. A response must disrupt the adversary at every step of their process. To achieve that, you must sell to varied IT buying centers, each with different needs and motivations.

The attack, the countermeasure, and the HP ESP solutions that apply at each step:
- Research. Countermeasure: improve security awareness and counterintelligence. HP ESP solutions: HP Security Research.
- Infiltration. Countermeasure: block access. HP ESP solutions: TP (NGFW, IPS); DVLabs services; Fortify (Fortify on Demand, SCA, WebInspect); Services (SSA Risk Assessment, Application Security Assessment).
- Discovery. Countermeasure: find attackers. HP ESP solutions: ArcSight (Logger, Express, ESM, RepSM, IdentityView, Application View); Services (Healthcheck, SOC Analyst Training, SOC Primer).
- Capture. Countermeasure: protect target assets internally and externally. HP ESP solutions: ArcSight (RepSM, TRM); Fortify Runtime; Atalla.
- Exfiltration. Countermeasure: damage remediation and counterintelligence. HP ESP solutions: ArcSight RepSM; Services (Security Intelligence Solution Engagement).

Buying centers and what they care about:
- IT Ops: availability; MTTR; lowering OPEX; visibility and control.
- AppSec and App Dev: eliminating vulnerabilities in apps; time to market for apps; delivering apps within a fixed budget.
- Security Ops: risk management and mitigation; security policy; insight into and remediation of security incidents; compliance.
- IT Security: monitoring and locking out threats; network access and performance (speed).
- CISO: drives the security vision; provides value to peers (VP IT Ops, VP AppDev, VP Networking); protects IP, providing business continuity.

Who cares about what? Stopping attackers requires coordination across departments and an understanding not only of the buyers of HP ESP solutions but also of those who influence security buying decisions. When you sell HP Fortify, your primary relationship is with the Application Security team and the CISO; when you sell Application View, it is with Security Operations. Services and education should be included in most deals; they increase the likelihood that the products don't become shelfware.

CISO
In many organizations, CISOs have budget authority and the latitude to make software security decisions. They are responsible for ensuring business continuity, setting security policy, and educating the organization about risk. They often become firefighters when a breach happens. HP Fortify can be a one-stop shop for the CISO, eliminating the need for consultants and disconnected point products. Help the CISO talk to the VP of Application Development by explaining that the HP Fortify solutions not only secure applications but also accelerate software releases by minimizing code rework using best practices.

Director of Application Security
The team investigates security breaches in applications and ensures that applications, technology infrastructure, SDLC, and operations processes do not conflict with security policies or diminish existing controls. They have too much to do and not enough. Show them that HP Fortify enables faster identification of code problems and shows developers how to fix vulnerabilities based on best practices. When there's no time to fix, Runtime can block attacks until repairs are made.

Director of Security Operations
Their time is pulled between firefighting and developing and implementing proactive information security policies that meet the needs of the business. They need visibility to see gaps in policies, and tools to quickly remediate.

HP Fortify 101 overview
Security teams are under tremendous pressure to understand and secure the software that connects customers, partners, and employees to their organizations' corporate data and assets. Open-source component development, web application development, and rapid development and deployment of mobile applications make it difficult for even the most savvy IT security teams to stay on top of managing the security of deployed software. The HP Fortify application security solution is characterized by three capabilities: Assess, Assure, and Protect. Together they represent a comprehensive solution approach that other vendors cannot match.
- Assess: assess and quantify software security risk.
- Assure: build security into software. Identify vulnerabilities, prioritize them by risk, and provide line-by-line code detail to fix them.
- Protect: monitor high-risk applications while they run. Detect threats and take appropriate action based on custom rules, all in real time.
Use Cases

Use this table in conjunction with the Discovery Questions in each Play to engage customers in a conversation. Knowing the business need will provide you with more insight into the bigger picture than simply focusing on the technical use case. Following are typical security business-need categories, paired with example use cases customers often want to address, and likely HP Fortify solutions. Similar Use Case tables can be found for HP ArcSight and HP TippingPoint in their respective playbooks.

HP Fortify business benefits
- Save money by deploying software security practices before an app hits production.
- Reduce time and cost to remediate security vulnerabilities.
- Reduce delays in time-to-market.
- Reduce compliance costs.
- Reduce penetration testing service spending.
- Avoid a breach and the associated liabilities, brand damage, and legal costs.

Need: Compliance (collecting information to comply with internal audit or external constraints, e.g. PCI, SOX, ISO) and Risk Management (using business and security information to be proactive and minimize risk).
Sample use cases: protect apps that have vulnerabilities; the development team doesn't have time to fix the problem(s); develop and maintain secure applications; application monitoring; proactive code correction.
HP solution: HP Fortify on Demand, SCA, and WebInspect identify vulnerabilities, ensuring that apps are secure. HP Fortify Runtime blocks application attacks in production. HP Application View monitors applications to find an attack. HP Fortify on Demand, SCA, and WebInspect identify software vulnerabilities, eliminating threats and reducing business risk. Services provides the opportunity to train on software security with HP Fortify eLearning. Services provides a Software Security Assurance Risk Assessment.

Need: Avoid Breach (monitor and protect applications holding business-critical information to prevent fraud or theft).
Sample use cases: industry-specific fraud; unusual access patterns in data.
HP solution: HP Fortify on Demand, SCA, and WebInspect identify software vulnerabilities to avoid a breach. HP Application View can track activity in and around critical business applications for signs of fraud and abuse, customizable by industry. HP Fortify Runtime blocks application attacks in production. Services provides an Application Security Assessment to develop a plan to protect against a breach.

Need: Securing the SDLC (secure application development).
Sample use cases: static application security testing (SAST); dynamic application security testing (DAST); scan-of-record; proactive secure application development; ad-hoc secure component development; late-stage (e.g., in the QA phase) verification.
HP solution: HP Fortify Software Security Center (SSC) integrates security analysis into the software lifecycle. HP Fortify on Demand, SCA, and WebInspect perform SAST and DAST during the software development lifecycle and minimize the likelihood of successful attacks. HP Fortify Runtime blocks application attacks in production. Services provides Software Security Assurance Program Design.

A comprehensive solution
Competitors provide a single on-premise or SaaS solution, not both. HP Fortify provides a comprehensive solution that enables customers to discover and fix vulnerabilities in any app (mobile, web, cloud, etc.) using static and dynamic testing, either on-premise or on-demand. We support 21 languages in static analysis and any web technology in dynamic analysis. HP Fortify integrates all analysis results and vulnerabilities into a single, consistent workflow and reporting solution.
Master these sales arguments to win deals.

BEST Expertise and [word missing in source]
HP Fortify has over 2000 customers across multiple industries and geographies. We have continuously been a Leader in the Gartner Magic Quadrant since [year missing in source]. HP Fortify has deep deployment experience establishing and supporting many application security testing programs.

BEST Real-time Application Protection
Runtime detects application threats and blocks attacks accurately in real time. Runtime enables customized attack responses such as blocking the action, terminating the session, sanitizing the attack, alerting administrators, and more. Runtime has a [digit missing]0% decrease in vulnerabilities found after deployment when compared to do-it-yourself solutions, according to IDC studies and HP customers.

BEST Time-to-value
Customers using HP Fortify on Demand saw 10x faster remediation than with internal solutions. After Fortify solutions were adopted, remediation required fewer staff (from 4-5 additional FTEs before, down to virtually zero), saving an estimated $44K annually in remediation costs per application. FoD reduced the average remediation time from one to two weeks to one to two hours.

BEST Speed
Adopting HP Fortify, the average organization achieved a 50% reduction in penetration testing costs, translating into annual savings of more than $250K when compared to a do-it-yourself solution. HP Fortify yields a 6% reduction in QA testing time when compared to do-it-yourself solutions, according to IDC studies and HP customers. FoD results in a 6% reduction in QA testing time when compared to do-it-yourself solutions, according to IDC studies and HP customers.

BEST Productivity Increases
Organizations saw their development effort shrink by as much as 40%, while on average developer productivity nearly doubled. HP Fortify has a [digit missing]0% reduction in application rework cost when compared to do-it-yourself solutions, according to IDC studies and HP customers. FoD yields a 45% reduction in application security-related outage rectification time when compared to do-it-yourself solutions, according to IDC studies and HP customers. FoD has a 67% reduction per application in the number of vulnerabilities found after deployment when compared to do-it-yourself solutions, according to IDC studies and HP customers.

POC Best Practices from Senior SEs
- A POC is not the first step; it's the last step in the sales cycle. Don't use a POC to get customer enthusiasm. When there is budget and customer commitment, after presentations and demonstrations are done, and the customer really understands what it's all about, then we POC.
- Before the POC, have the customer try a FREE scan on fortifymyapp.com; this will give them a sense of the value of HP Fortify solutions.
- Have a pre-POC meeting with the customer that aligns expectations to address the customer's goals, time frame, and success criteria.
- The SE works with the Application Security team to identify one or two applications for evaluation.
- Only charge customers if you believe they are trying to get a free assessment and are not really evaluating the product.
- NEVER give the customer the full report for a free POC; give them only the summary. You can give them the full report after you have the signed contract.
- For on-premise POCs, plan for one day, but not more than a two-day effort.
- Do your homework. The person with the most data wins.
- At the end of the POC day, have a standard wrap-up meeting to discuss success and next steps. Be sure to include the Director of Application Development and the CISO.

Beat IBM
Include HP Fortify on Demand in the discussion, since IBM does not offer a SaaS-based solution. Show SCA's collaborative remediation and governance capabilities. Also demonstrate how SCA maintains audit information and how issue suppressions survive between scans. AppScan must update the product and rules at the same time, so demonstrate SCA's ability to update product and rules independently. Highlight WebInspect's ability to display successful exploits as they attack, and its tracking of false positives between scans of the same application.

Beat Veracode
Show the on-premise solutions, since Veracode offers only a SaaS-based product. Show the SCA and FoD options for static, dynamic, and hybrid analysis on premise and via cloud. Show FoD's capability to verify false positives from dynamic tests and to provide consistent response times.

Beat WhiteHat
According to SEs, WhiteHat takes more than 14 days to complete a scan because they rely on manual testing. Emphasize the fact that FoD automates many of these tests, which enables FoD to be lower cost while providing more flexibility on types of scans, variations, and policies. Have the customer try a FREE scan on fortifymyapp.com to see how quick and easy security testing can be.
SALES PLAY 1: HP ArcSight Application View Attach (FRTY ARST Attach v01)

Go back to customers that have implemented HP ArcSight, and offer to extend their visibility to include real-time application monitoring with Application View. Threats are targeting applications as the weakest link in the security ecosystem, because many security applications have no logging capabilities, especially custom applications. That leaves zero visibility when it comes to potential security-related events from user activity (such as session access or database queries). Position this to the Security Operations team as broadening their monitoring capability to user behavior within applications. Application View retrofits applications, even custom applications, with security logging using Fortify's Runtime technology. Customers have seen this as quickly valuable in a custom application environment. The Application Security team will be interested in the ability to minimize system downtime.

HP ArcSight Application View provides software application log visibility for security event analysis and correlation, to help customers understand their applications, users, and data. It provides application data that enables organizations to gain more visibility and behavioral insights.

Discovery questions
- How do you log application security events and user activity events?
- Are you able to combine application and user events to enable you to take action?
- Do you have legacy or custom applications that you want to monitor?
- What are users doing with those applications during non-business hours?
- Are you able to create an incident when a user's credentials log in from Sunnyvale and minutes later from Shanghai?
- How does application event information get integrated and correlated with other relevant activity? Does it feed into your SIEM?
- Are you able to detect malicious user behavior?
- How do you protect against user identity theft or identity fraud?
- Are you able to monitor application events without custom scripts for the application?
- Do you have internal compliance or external regulations that must be met? How do you support your corporate regulations for identity theft or the data theft policy (e.g., PCI, SOX)?
- How do you generate audit-quality log reports, compliance reports, and overall IT security and performance reports? How much application data is included in these reports?

Why HP wins
Comprehensive security visibility. Application View provides true application-level visibility of security events, which are then analyzed and correlated to identify irregular internal or external application usage that would generally go unseen. The intelligence provided enables fast analysis of database queries, error messages, session login/logout, and other application-related threats that can lead to data theft, ID theft, and other malicious activities.
No changes to applications. Application View logs application security and user activity events to HP ArcSight ESM without code changes. It is simple to deploy and doesn't require reprogramming or re-learning when the application is updated or changed.
Insight into user actions. It identifies malicious behavior, provides user behavior and transactional logging for security analysis, and feeds this information to ESM. By providing insight into user actions, it protects users, production applications, and data, stops customers from losing data, and helps detect fraudulent behavior.
Out-of-the-box ESM integration. Application View has native integration with HP ArcSight ESM to leverage the existing investment and receive additional threat intelligence. This enables correlation of application events with all other security events in ESM to better identify security incidents.

Prospects to look for
- HP ArcSight customers that have ESM, especially those with IdentityView or RepSM.
- A customer that has many legacy or custom applications running in their production environment.
- An organization that has to release an application before vulnerabilities are fixed.
- A Security Operations team that wants to monitor user access to applications.

Comparable HP Fortify customers
AMS Car Rental Company (Hertz)
Need: Protect the revenue-producing e-commerce website, and enable development to identify the root cause of vulnerabilities.
HP Fortify Solution: Runtime, SCA, HP Fortify Global Services.
Client Outcome: Better alerting and protection against attacks that occur against their system. Protecting critical applications from major vulnerabilities and addressing the root cause of software vulnerabilities.

Objection handling
Competitors claim to monitor applications. Typically, when competitors talk about application monitoring, they refer to intercepting Layer 7 information. These events are brought into the SIEM and correlated with other security events for greater visibility and insight. Logging-only competitors have no capability to do application monitoring.
What about Splunk or IBM/Q1 for application monitoring? They do application logging by installing various connectors all over the network. They can see users logging in to the applications, database queries, and log entries. However, all of these collectors are positioned on the network, outside the applications. Each collector has to be customized to the application being monitored. Application View can see all of what is happening, including how, why, and by whom.
SALES PLAY 2: Manage Application Security Testing (FRTY Outsourcing v01)

Focus on organizations that want application security that is fast, comprehensive, accurate, and mobile, but don't want to create a team for security testing or use high-priced consultants. Another possible target is any organization that wants to protect its brand from negative activity. For these situations, focus on the Application Security Director and sell HP Fortify on Demand (FoD) as a quick method of performing a security assessment on applications. Direct customers to fortifymyapp.com for the fastest way to start checking out this solution.

Many organizations are challenged by the development of mobile applications. The technology is relatively new and not as well understood as web applications. Often, mobile development is outsourced to third parties. In some organizations, mobile application security is being neglected.

Why HP wins
Fast turnaround. FoD is simple. Application security initiatives can be launched in less than a day with no hardware or software investments and no security experts to hire, train, and retain. FoD can scale to test all applications in an organization, whether server, mobile, or cloud.
Comprehensive solution. HP Fortify provides a complete software security solution with static, dynamic, and hybrid testing, along with collaborative remediation and proactive SDLC governance. FoD can scan the source code of 21 languages, dynamically assess any web application no matter the language, and supports Apple iOS, Android, BlackBerry, and Microsoft Mobile for best-in-breed mobile application testing.
Dynamic testing. HP Fortify on Demand provides advanced dynamic testing based on HP WebInspect. FoD can test any application, including mobile, commercial, open-source, and third-party applications. The FoD solution is more comprehensive and accurate because it adds dynamic testing to static testing and audit/analysis. FoD delivers similar functionality to on-premise static and dynamic solutions, but in a cloud-based dashboard.
Best-practice solutions. FoD uses security experts to provide developers with best-practice solutions to the problems that FoD identifies in the code. This increases development productivity by enabling security to be built into the software quickly, rather than added on after it is deployed.

Discovery questions
- What application security is done today?
- Where does application security fit within your overall security measures?
- How do you evaluate and protect your web applications?
- Who is in charge of ensuring application security compliance?
- Is it important to get a vulnerability report quickly so that you can fix the vulnerabilities?
- What is driving the need for security testing?
- Do you want to get a baseline assessment of in-house, third-party, or open-source application risk?
- Are you developing and deploying mobile applications? How are you currently testing mobile applications for security vulnerabilities? Are you testing the mobile code as well as the server (back-end) code?
- How much time does it take for you to do a manual review of code to identify security vulnerabilities during development?
- What are your operational costs for labor to perform enterprise application security assessment?
- How much effort is spent on QA testing to find security vulnerabilities?
- Do you want to avoid the installation or support of software on-premises?
- Do you want the results pre-screened or vetted before they are reported to you?
- Do you want to utilize industry experts for application security?
- Is the Application Development team not, or only minimally, involved?
- Are you unable to dedicate anyone to this effort?

Prospects to look for
- Organizations that outsource development.
- Organizations developing mobile applications.
- Organizations with multiple external development teams.
- Organizations with a large portfolio of applications that need to be assessed at scale.
- Teams with a short time (e.g. two weeks) to produce a report.
- Organizations just starting an application security initiative.
- Teams that are small or overworked and can't keep up with the demand of the increasing number of applications.
- Multiple teams that are geographically spread out and challenged to come up with a centralized solution.
- Teams that don't have buy-in for an enterprise solution.
SALES PLAY 2: Manage Application Security Testing

HP Fortify on Demand is easy to use. No hardware, software, or expertise required. Customers can get started with HP Fortify on Demand in three easy steps.
1. Initiate: Customer uploads software to the cloud or provides the URL of the application.
2. Test: HP Fortify on Demand conducts a thorough security test (dynamic or static) of the application.
3. Review: Customer reviews and analyzes the results of the application test in the form of a detailed report or dashboard.

Objection handling
"The Application Development team doesn't care about implementing security because they do not typically have secure code as their objective." HP Fortify on Demand can help meet this group's objectives because FoD speeds up the software release process. With one day of FoD testing, developers are shown code vulnerabilities and the best practices to quickly fix the vulnerabilities.
"We use an outside Application Penetration Testing Firm." Typically, people respond by saying "oh, we use XYZ as our web app pen testing firm." Ask them whether they are able to assess 100% of their apps and test all releases, based on what they are paying the outside firm. For the typical fees customers pay for a single application, that customer could get unlimited FoD assessments of that application for a year.
"Can you test applications written for iOS (Objective-C) and Android (Java)?" FoD is a comprehensive SaaS testing solution. We excel at testing mobile applications and can test iOS and Android applications.

Does Application Security pay?
Mainstay Partners studied 17 organizations that have implemented security solutions from HP Fortify. Key findings indicate that the average vulnerability remediation time fell from one to two weeks to one to two hours; repeat vulnerabilities decreased from 80% to virtually zero; organizations saved an estimated $44K in remediation costs per application; and companies reducing time-to-market delays saved an estimated $8.M annually.

Comparable HP Fortify customers
AMS Retailer (B&H Photo Video)
Need: Proactively enhance the security posture of the company; strengthen compliance with PCI standards; implement an automated approach to application security.
HP Fortify Solution: FoD
Client Outcome: Automated scanning process to ensure a more comprehensive application security assessment than previously achieved using manual review techniques; implementation of HP Fortify on Demand allowed enhanced PCI compliance; significantly reduced exposure to potential security challenges.

EMEA Bank (VTB)
Need: Identify and remediate vulnerabilities in new website; enhance security of outsourced code; protect VTB Bank's reputation.
HP Fortify Solution: FoD
Client Outcome: Achieved significant reduction in vulnerabilities of scanned code; enhanced security of the bank's customer-facing website; implemented a cost-effective, easy-to-use solution that fits the bank's business model.

AMS Oilfield Services Company (Baker Hughes)
Need: A major breach in the oil industry cost more than $1 billion and raised general awareness of the threat landscape, which prompted the client base to request a higher level of application security to protect critical asset data and intellectual property.
HP Fortify Solution: FoD
Client Outcome: Delivers significant improvement in application security, with many vulnerabilities identified and remediated; provides an application security model for the industry, as the customer's client base seeks to replicate the solution in their own companies.
SALES PLAY: Weave security into SDLC

Identify organizations that are interested in incorporating security into their Software Development Lifecycle (SDLC). Typically the organization wants to implement an on-premise solution integrated into the SDLC to ensure that the code being developed is free of security vulnerabilities. Target the Application Security Director with Static Code Analyzer (SCA), emphasizing its ability to find vulnerabilities in code and suggest rapid fixes, and WebInspect to find vulnerabilities in QA and Production environments. Position HP Fortify earlier in the development cycle to increase productivity: there will be less code rewrite in production, enabling faster releases due to less rework. HP Fortify can provide these solutions on-premise or as-a-service.

Discovery questions
Who is responsible for application security in the organization? Is the Development team involved?
How would your company benefit from having more secure applications?
What is the acceptable level of risk for your application security? How do you measure that? What happens if you don't achieve that level?
What business drivers are motivating you to address application security?
Who is impacted by not securing your applications properly? What would be the impact of a breach on your company?
Are you integrating security testing into your SDLC? Where is the Security team involved in the SDLC?
What is the basis for your code review process? Are you looking to use an automated code security review to fix the problem at code level?
How do you measure code security? How does the Security team know whether an application has been fully tested and secured?
What practices are in place (static analysis, dynamic analysis, penetration tests, code review, etc.)?
Do you need control over security testing?
How much time does it take for you to do a manual review of code to identify security vulnerabilities during development?
What are your operational costs for labor to perform enterprise application security assessment?
How much effort is spent on QA testing to find security vulnerabilities?

Why HP wins
Continuous market leader. HP Fortify pioneered software security assurance and has been a Gartner Magic Quadrant Leader since According to Product Marketing, with over 2000 customers, HP Fortify has four to five times more customers than any other competitor.
Increased productivity. SCA and WebInspect increase development productivity by enabling security to be built into the software, rather than added on after the software has been released and is deployed.
Time-to-value. The HP Fortify solution with SCA and WebInspect accelerates the time-to-value to achieve secure applications. It does this with a shorter turnaround time, which enables the Development team to quickly resolve security issues with corrective actions for software, processes, and procedures.
Secure at the source. SCA and WebInspect protect business-critical applications from advanced cyber attacks by removing security vulnerabilities from software. The secure development process that HP promotes is a set of best practices for ensuring proactive application security. Our continuous research keeps current with the latest threats in an unmatched combination of breadth and depth. Best practices secure software at the application code level, making it resistant to attack even if intruders get past perimeter defenses.
Reducing business risk. Feedback from HP customers shows that 85% of HP Fortify customers buy to reduce business risk. Threats are increasing, and Fortify has the expertise and track record for delivering world-class software security assurance programs.

Prospects to look for
Organizations that failed an audit or had a breach.
Companies with an executive mandate to secure applications.
Developers who complain that pen testing/dynamic analysis/ethical hacking occurs too late in the SDLC, disrupting or delaying the release, and produces too many false positives.
Teams unable to monitor and track critical issues in applications.
Groups that need to scale, control, or coordinate in-house dynamic testing.
Organizations that want to automate in-house dynamic testing to free up the security staff.
Security spans the entire SDLC
HP Fortify provides various solutions to help secure applications throughout the SDLC.
[Figure: Security spans the entire SDLC. Lifecycle stages: Design, Code, Test, Integrations & Staging, Production. HP Fortify Static Code Analyzer is used by Development, WebInspect by Security, and Fortify Runtime by IT/Operations.]

Objection handling
"Your (on-premise) solution sounds complex. Your competitor (Veracode) told us that we can do security testing without installing any software." Finding vulnerabilities is just the first step, because nothing has been accomplished until those vulnerabilities are fixed in the software. That can only be done by embedding these practices in the SDLC, not just producing reports.
"We have already made a significant investment in security products. How are these different?" Your existing security initiatives and investments may be appropriate if they are specifically about protecting application software. According to Gartner, 84% of security breaches today are due to software vulnerabilities. The HP Fortify solution augments your existing security investments with a program to help protect all your software applications.
"I know a little about application security, but I need help knowing where to start with my specific business requirements." The first step is knowing the key applications and what you would like to accomplish from a security perspective to secure your environment. Based on that information, HP tailors almost every HP Fortify program to the needs of the client. We look at your risk profile and applications, and build a program with technologies and services to help ensure you meet your goals for success.
"Why can't I just wait and fix the problems that are identified during production?" It costs 0 times more to fix security issues after a breach occurs in production than to build security into your code during application design.

Comparable HP Fortify customers
AMS Life and Health Insurer (Lincoln Financial)
Need: Take a proactive approach to application security; prepare for future application security-related regulations; reduce business risk by identifying and remediating vulnerabilities earlier in the development process.
HP Fortify Solution: SCA
Client Outcome: Cost abatement through reduced need for third-party services; faster time to security; risk transparency in the software development lifecycle; more accurate judgment of business risk before application deployment; cost-effective; enables remediation of security vulnerabilities at a low cost point.

AMS Major Airline (Delta)
Need: Enhance security of the delta.com website; create a one-stop shop for defect tracking (including security defects) in HP Quality Center; enable Information Security staff to focus on more critical tasks than code scanning.
HP Fortify Solution: WebInspect; upgrade hardware to HP ProLiant DL80 G7
Client Outcome: Code scan time reduced from 1.5 days to less than 12 hours; code scanning now completed largely during off-hours, minimizing impact on day-to-day QA testing; Information Security team better integrated into the company mainstream; security of the critical delta.com website significantly enhanced.

EMEA Leading Telecom Provider (Telecom Italia)
Need: Reduce security vulnerabilities to prevent costly and reputation-damaging breaches, and integrate proactive security analysis into the development lifecycle with minimal impact on productivity.
HP Fortify Solution: SCA
Client Outcome: Changed development process to prevent the introduction of security vulnerabilities in new code; reduced costs by finding security vulnerabilities early in the lifecycle; controlled application security with a continuous, repeatable process.
Third-party Vendor Management

What's the opportunity?
Third-party vendor management is often a driver for outsourcing application security testing. Understanding this specific situation may give you an opportunity to better position and sell HP Fortify. For many large organizations, software purchased from third-party software developers represents a large percentage of their deployed software and therefore a substantial area of potential risk. Yet outsourced developers usually provide no visibility into the software's security state. HP Fortify helps these customers by managing the application security process with each vendor. HP Fortify performs the testing and works with the vendors through as many iterations as necessary to ensure that the customer gets a clean report and a secure application. Customers try to adjust contracts, but that addresses the situation AFTER it becomes a problem. It is better to avoid the problem if possible.

How does Sales position this?
HP Fortify on Demand (FoD) provides the means to analyze third-party vendor software for vulnerabilities. Talk with customers about implementing FoD during the procurement or upgrade process to ensure that significant problems are addressed before your customer accepts the software. Position FoD as a common and consistent testing solution applied to all third-party vendors. It should be used as an assessment gate for application security before acceptance and transition into production. Emphasize that testing isn't simply finding problems: the FoD test report provided to vendors has explicit best-practice steps to correct code errors.

HP Fortify customer
AMS Auto Manufacturer (General Motors)
Need: Audit and verify the security of third-party developed software; implement a more rigorous method to quickly and accurately identify security vulnerabilities; enable third-party vendors to efficiently remediate security vulnerabilities.
HP Fortify Solution: FoD
Client Outcome: Enhanced capability on the part of software vendors to provide secure applications; an effective software-as-a-service solution to assess and improve the security of outsourced code; independent expertise and guidance to enhance the security posture of third-party software; HP Fortify partnership and expertise that can grow as the program develops.

Who cares?
Organizations with limited application development staffs.
Organizations where software development is not a core competency.
Companies that are concerned about brand image.
Organizations building a mobile presence.

What to look for?
"We have many vendors that develop our applications."
"We don't have insight into the security state of vendor software."
"Our vendor SLA doesn't specify how to measure for vulnerabilities."
"Third-party, outsource, or contract firms develop our software."
"We are unsure how to test our third-party vendor code for vulnerabilities."
"Our vendors don't want to divulge source code."
"We need a consistent way to test all of our vendors' software."

HP differentiators
Comprehensive analysis. HP Fortify on Demand can assure that third-party software is secure with accuracy and depth in 21 languages, using static source code analysis and/or dynamic testing, all available on-demand.
Quick and easy process. Vendors upload an application to the FoD secure site and get results in as little as 48 hours. Vendors receive line-of-code level information on the vulnerabilities and integrated auditing capabilities for addressing issues.
Clear and efficient communication of results. FoD produces high-level reports on the risk category of each project as well as detailed reports with vulnerability information, the location of the vulnerability, and how to fix it.
Consistent independent reviews. HP Fortify can provide organizations with software security analysis that is done consistently across all vendors and products. We provide independent expertise and guidance to enhance the security posture of third-party vendor software.
Compliance

What's the opportunity?
Compliance covers internal audit processes as well as external regulatory requirements. Many mid-market, enterprise, and government organizations must comply with internal and external policies. Often, compliance is used as the justification for buying HP Fortify. Since compliance has broad business impacts, its success or failure is visible at many levels of the organization, up to and including the Board of Directors.

How does Sales position this?
Many HP Fortify products address aspects of compliance. The CISO and/or Chief Compliance Officer (CCO) sets strategy and policy for compliance. Position the HP Fortify portfolio as a way to reduce risk and ensure compliance. The Application Security Director often has the tactical responsibility for ensuring that applications comply, so position HP Fortify on Demand, SCA, and WebInspect to address requirements for making applications more secure, and Runtime's real-time application protection capability to help with production application protection requirements.

HP differentiators
Cost-effectiveness. In the Mainstay ROI studies, HP Fortify shows significant compliance cost savings. Executives indicated that the HP Fortify solution helped control costs by streamlining regulatory compliance projects that required meeting strict application security standards.
HP application security compliance expertise. The HP Software Security Research group keeps solutions ahead of compliance mandates, mapping results onto standards and participating in standards bodies such as OWASP, PCI, SANS, and NIST/MITRE.
More cost-effective. The extra development and auditing effort needed to comply with regulations can be costly, as are the potential penalties for non-compliance. HP Fortify products help control costs by streamlining regulatory compliance projects, quickly identifying and ranking vulnerabilities according to severity, and generating a report that serves as an audit trail for regulators.
Cost savings. According to the Mainstay Partners study, implementing software security assurance services reduced overall compliance and penetration testing costs by $250K-500K per organization. The average organization adopting software security assurance saw the fees paid to compliance auditors fall by 89%, or about $15,000 annually. [14]

Who cares?
The CISO is often responsible for passing compliance audits. Often the decision-maker.
A Chief Compliance Officer (CCO) develops compliance policy and procedures and is an influencer.
Application Security Managers are responsible for ensuring that applications meet compliance policies and procedures. Typically the recommender.
The Director of Security Operations team monitors applications to meet compliance policy and is an influencer.

What to look for?
Organizations required to meet external compliance requirements (e.g., PCI, SOX, HIPAA).
Companies with internal compliance policies to meet IT governance standards.
Organizations with negative feedback or unanswered questions from a compliance audit.
Organizations that are unsure how to implement compliance for applications.

HP Fortify compliance offerings
Different standards (e.g., PCI-DSS) have different requirements. These HP ESP products and services address different portions of the PCI-DSS requirements.
Sample PCI requirement: Develop and maintain secure systems and applications. HP Fortify offerings: HP Fortify on Demand, SCA, WebInspect.
Sample PCI requirement: Track and monitor all access to network and data. HP Fortify offering: Application View.
Sample PCI requirement: Restrict access to data by business need to know. HP Fortify offering: Application View.
Sample PCI requirement: Regularly test security systems and processes. HP Fortify offerings: SSA Risk Assessment, Application Security Assessment.

HP Fortify customer
AMS Major Bank (US Bank)
Need: Implement a more effective and repeatable approach to PCI compliance; understand and measure security risks in the critical application portfolio; introduce and expand an effective remediation process for developers.
HP Fortify Solution: SCA, Governance
Client Outcome: Ability to measure previously unknown security risks in the application portfolio; developers guided toward an effective remediation process; greater confidence in achieving PCI compliance; higher visibility into previously unknown security risk in critical applications.
LEVERAGE HP ALM and Agile Manager

Application security needs to be part of the application lifecycle from the beginning, not just left to be tested after development has released the code. HP Fortify solutions are designed to work with HP Agile Manager and HP Application Lifecycle Management (ALM) to drive application lifecycle progress and decisions from requirements through development and testing. For customers, it means secure, high-quality application delivery.

Application security is a crucial component of managing the complete application lifecycle and is often managed as just a part of a broader project. HP ALM and HP Agile Manager are market-leading solutions for managing the delivery and quality of application projects of any size and complexity, and application security becomes a natural part of the lifecycle. HP ALM is an on-premise solution for large, complex application projects; HP Agile Manager is a software-as-a-service solution purpose-built and designed specifically to serve agile teams. It leverages native cloud architecture for instant-on access, boasts a clean, intuitive design, and offers technology innovations that remove latencies, bolster agile practices, and foster continuous improvement.

Identify and work with your Software sales counterpart to determine which accounts are considering HP Agile Manager or ALM or have already deployed it. Then tell them about the benefits of HP Fortify finding vulnerabilities and fixing them with best practices to enhance software quality and accelerate deployment. Develop a cadence with the Software rep so that you are brought into every ALM opportunity to discuss Application Security and the benefits of HP Fortify.

The winning differentiator: HP Software Security Research
HP Software Security Research is one of HP's most important differentiators. It is the largest dedicated software security research group powering the HP Fortify products. HP Fortify Software Security Content supports more than 550 vulnerability categories across 21 programming languages and spanning more than 700,000 individual APIs. It provides quarterly security updates for HP Fortify SCA, Runtime, and WebInspect with detailed descriptions and remediation guidance to educate reviewers. It also provides content mapped to industry standards, taxonomies, and compliance frameworks.

45% of organizations currently involve QA too late in the development cycle, resulting in costly find-and-fix reactive testing.
Although mobile application security is the primary focus of 56% of organizations, nearly half (48%) admit to a lack of mobile testing expertise.
Only 26% of organizations utilize centralized testing/QA to achieve efficiency and cost optimizations.
Despite significant investment, 67% of organizations don't have the right testing tools to support their test environment, and 55% identify test environment management as a specialized skill they lack.
Source: Key Findings from the World Quality Report, published by Capgemini and Sogeti in combination with HP.

Set these general traps
HP Fortify is the only comprehensive solution that addresses any software, and is available on-premise or on-demand.
Fortify provides support for 21 languages and all types of applications (i.e., legacy, web, mobile).
HP Fortify enables flexibility and a path for growth as the security program matures. Customers that start with FoD can develop an on-premise SDLC.
Runtime is a unique solution to identify and mitigate malicious behavior before it impacts applications; no competitors can match it.
HP Fortify can detect 500 plus categories of security vulnerabilities.
HP Fortify supports 21 programming languages, platforms, and IDEs, including Apple iOS, Android, and Microsoft Mobile.
FoD provides the ability to quickly and easily implement a security program through a cloud-based service.
HP Fortify has more than 2000 customers, including nine of the top 10 banks.
COMPETITIVE TRAPS

Set these traps for IBM
According to Gartner, IBM's static application security test (SAST) capabilities are not strong. [15]
No SAST testing-as-a-service capabilities.
Although IBM offers DAST testing-as-a-service capabilities, it describes its service as a high-touch, white glove service, and it is priced accordingly. [17]
Their testing of mobile applications (iOS Objective-C or Java on Android) is only static, not dynamic/behavioral. [18]
According to Gartner, IBM scored near the bottom in overall satisfaction and pricing of its SAST product. IBM's DAST offering was cited most often as having been replaced within the past year. [19]

Watch for these IBM traps
IBM will bundle their static analysis solution into IBM Rational or security deals at close to no cost. IBM's dynamic analysis solution has the dominant market share. Counter with Fortify's comprehensive solution, static and dynamic, flexibly offered on demand or on premise. Position HP Fortify's ability to find vulnerabilities quickly.
IBM emphasizes their JavaScript testing capabilities, using a SAST analysis of JavaScript within the context of a DAST scan for testing web applications that use JavaScript. Counter that HP Fortify has sophisticated JavaScript support in our SAST and DAST products, whether used together or independently.
The IBM and IBM Global Services teams enter accounts top-down and present their vision and technological capabilities as a risk-based view of application intelligence. Engage in a higher-level discussion about risk mitigation with HP Fortify and include the larger HP ESP portfolio to reduce risk.

Set these traps for Veracode
For FoD opportunities, ask customers about testing applications in development, since Veracode lacks business logic testing for dynamic testing.
Talk about HP Fortify's options to host the solution within the client's network for applications where clients are unable to send code to the cloud.
Their solution is SaaS-only [20], so ask customers whether they ever envision doing on-premise testing.
Veracode has no IAST capabilities, so ask customers about their need to test web and mobile applications. [21]

Watch for these Veracode traps
Focus first on our fast turnaround time, scale, and on-premise software. Veracode has problems with large applications that require they be split up, and charges for every little piece.
Veracode still uses NT Objectives as their dynamic testing, while claiming that they have built their own. It is weak compared to HP Fortify.
They have a well-designed single user interface for consuming SAST and DAST services, complete with role-based access control, risk ratings, and embedded analytics. HP Fortify also has a single management console and reporting framework.
Veracode is one of only two vendors (the other is GrammaTech) that offer native binary code testing capabilities. Both HP Fortify and Veracode can generate a list of binary vulnerabilities from the cloud. Highlight HP Fortify's accuracy, turnaround time for analysis, and ability to fix vulnerabilities.
According to Gartner, Veracode receives high marks from customers for its service and support, as well as its customer success program. Position the broader HP ESP services and support organization as providing better service.

Set these traps for WhiteHat
WhiteHat services are limited to cloud-based testing as a service. Position with the customer that they may want to consider an on-premise option in the future.
Emphasize HP Fortify's SAST strength, because WhiteHat is not known for SAST, and their initial SAST offering supports only Java, with .NET support scheduled by YE1.
When talking with smaller customers, highlight HP Fortify on Demand, because WhiteHat doesn't have a cost-effective automated DAST service for the low end of the market.
According to Gartner, WhiteHat was rated near the bottom in service and support. Highlight the service and support capabilities of HP ESP and the broader HP.

Watch for these WhiteHat traps
Their static analysis is extremely limited and weak, borderline non-existent. They bought a two-person static consulting company and rolled it into their product to claim static analysis. Highlight HP Fortify's Language Support and Research team.
Their SAST offering uses an on-site virtual appliance so that a complete copy of the customer's source code never leaves its site, and it offers a 24-hour turnaround SLA. HP Fortify SCA and WebInspect provide a comprehensive solution for customers.
WhiteHat has basic IAST capabilities through which a vulnerability discovered by static analysis is correlated with DAST results, and uses IAST within its mobile testing capabilities. HP Fortify has similar functional capabilities.
Valuable tips to win with help from HP ESP

HP has a channel-first model. We drive our business through the channel. We recognize that customers will get a higher level of service from your business with more.
You may own the account. HP respects your account relationships and will only provide help as requested to help shorten or simplify the sales cycle.
HP will help customers engage Partners earlier. Our sales reps will help customers select their Partner as early as possible so you can begin to add value to the conversation, relationship, and the deal.
Benefit from rich incentives. HP's partner program provides incentives for technical and sales competencies that include sales, marketing, and other rebates.
HP can help you fill your pipeline. Welcome collaboration and build relationships with your HP Account lead. They can help bring deals to your business and expand your current installations with HP's breadth of offerings.
Take advantage of HP ESP experts. Consider how HP engineering competency can help you with your customer POCs.
leaders in strategic deals. Bring in HP executives and thought leaders to present roadmaps, futures, and technology innovation.

HP Fortify Resources
Partner Portal: hp.com/partners/us. This is the standard HP Partner Portal where you can find information about your PartnerOne status and gain access to Training and Certification, and Sales Administration.
HP Partner Certification Guides: includes for training courses and partner portals by Region: FY14 AMS Partner Certification Guide; FY14 APJ Partner Certification Guide; FY14 EMEA Partner Certification Guide.
HP ESP Software Pricing: h20229.www2.hp.com/partner/protected/bto/pricingguide/pricing.html
HP Deal Registration: hp-esp.force.com/partners
External HP Fortify Customer Resources on HP.com (Research, Blog, etc.): hp.com/go/fortify
HP Application Security on BrightTalk (customer webinar channel): brighttalk.com/channel/190
HP Fortify on Demand: fortifymyapp.com
HP Enterprise Security and Risk Management on HP.com: hp.com/go/security
HP Enterprise Security Products on BrightTalk (webinar channel): brighttalk.com/channel/7477
HP ESP Contacts: Contact your Partner Manager for all first-line support questions.

References
1: Gartner Magic Quadrant for Application Security Testing, 2 July 201, ID:G
: 8.hp.com/us/en/software-solutions/software.html?compURI=
: InformationWeek, citing a February 201 Frost & Sullivan study
5: HP website for ALM, 8.hp.com/us/en/software-solutions/software.html?compURI=
: Turbulent Growth in Mobile Apps, Mobile News by Fleur, Apr 201, appmachine.com/blog/turbulentgrowth-in-mobile-apps/
7-14: Mainstay Whitepaper, Does Software Security Pay?
: Gartner Magic Quadrant for Application Security Testing, 2 July 201, ID:G

Feedback? Please send your thoughts and suggestions on this playbook to HP ESP Enablement at [email protected]

201 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
4AA4-9602ENW, November 201
