HP Yazılım Zirvesi - İstanbul 20 May Wyndham Grand Levent Burak DAYIOĞLU, Hüseyin ÖZEL Uygulamalarım Ne Kadar Güvende?

Transcription

1 HP Yazılım Zirvesi - İstanbul 20 May Wyndham Grand Levent Burak DAYIOĞLU, Hüseyin ÖZEL Uygulamalarım Ne Kadar Güvende? Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

2 Uygulamalarım Ne Kadar Güvende? Burak DAYIOĞLU, CISSP, CSSLP, CRISC, Symturk Genel Müdürü Hüseyin ÖZEL, HP GTI&MEA Fortify Satış Müdürü Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

3 İhlaller ve Etkileri Artıyor İhlal sayısında yıllık ortalama %25 artış İhlalin büyüklüğünde yıllık ortalama %10 artış Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

4 Değişen Sınır: Uygulamalar Ağ Sunucular Uygulamalar Fikri Mülkiyet Security Measures Switch/Router security Firewalls Müşteri NIPS/NIDS Verileri VPN Net-Forensics İş Anti-Virus/Anti-Spam Süreçleri DLP Host FW Host IPS/IDS Ticari Vuln. Assessment Sırlar tools Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

5 20 Kritik BT Güvenlik Kontrolü Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

6 Symturk Çözümleri Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

7 Symturk ve HP 2003: Fortify Kuruldu 2007: Symturk & Fortify İş Ortaklığı 2010: HP Fortify Alımı 2011: Symturk HP Danışmanlığı 2013: Symturk Arcsight İş Ortaklığı 2015: Symturk Atalla İş Ortaklığı Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

8 Yazılım Güvenliği Çözümlerimiz Eğitim Süreç Danışmanlığı Fortify Entegrasyonu Yük Testleri Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

9 Cost What is the cost of doing nothing? Fixing software in production is about 30 times more expensive 30X 10X 15X 5X 2X Requirements Development Integration/ Unit Tests Functional Tests Production It costs 30 times more to fix security issues after a breach in Production than to build security into your code at the beginning during Design Source: NIST 9

10 Cost Application Security Testing Techniques RASP 30X DAST IAST SAST 15X 10X 5X 2X Requirements Development Integration/Unit Tests Functional Tests Production 10 SAST: Static Application Security Testing DAST: Dynamic Application Security Testing IAST: Interactive Application Security Testing RASP: Runtime Application Security Protection Source: NIST

11 Cost Application Security Testing Fortify Solutions RTA / Application Defender WebInspect / WebInspect Agent 30X Education SCA 10X 15X 5X 2X Requirements Development Integration/Unit Tests Functional Tests Production 11 SCA: Static Code Analyzer RTA: RunTime Application Source: NIST

12 Fortify s Software Security Vision Application Assessment Software Security Assurance (SSA) Application Protection In-house Outsourced Commercial Open source Assess Find security vulnerabilities in any type of software Mobile, Web, Infrastructure Assure Fix security flaws in source code before it ships Secure SDLC Protect Fortify applications against attack in production Logging, Threat Protection 12

13 HP Fortify Software Security Assurance On-Premise and On-Demand 13

14 Runtime - Enhance application logs & visibility OS, databases, storage IPS, routers, switches, firewalls, DLP Servers, IAM, networking Applications Application Logs: Few or uninteresting details No logs at all Require custom connectors IT SOC 14

15 Runtime - Enhance application logs & visibility Introducing Application View Know your apps. Know your users. Know your data! OS, databases, storage IPS, routers, switches, firewalls, DLP Servers, IAM, networking Applications Retro-fits applications with security event logs No change to application required Out-of-box ready for ArcSight ESM IT SOC 15

16 Runtime Protect your applications Simplicity Visibility Protection Secure Command/Event Channel (443) Applications 16

17 HP Confidential Fortify Solutions: Complete Secure Lifecycle Integration Security goals integrated in planning & requirements definition Application Lifecycle Management Threat Modeling is performed Application design / architecture is reviewed by security team Secure coding tools integrated & vulnerabilities proactively identified & fixed SCA Pre-Production Penetration testing WebInspect Post-Production Penetration Testing Metrics & Reporting Learn and Refine Planning & Requirements Design & Architecture Development Testing Production Maintenance Risk assessment and Profiles Security team signs off requirements Final design / architecture aligns with security goals & requirements Software Security Center Secure coding standards are applied and secure code is developed UFT ALM/QC on Demand Application Defender Application View Security team is involved in preproduction sign off Change management process includes security review & sign off Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

18 HP Fortify Named a Leader in Gartner Magic Quadrant Gartner Application Security Testing MQ 2014 HP offers comprehensive SAST capabilities with Fortify's strong brand name and breadth of languages tested. The company has innovative IAST capability with Fortify SecurityScope, which integrates with its WebInspect DAST. There is strong integration within HP's security portfolio, such as integration of AST knowledge into ArcSight and DAST knowledge into TippingPoint's IPS for WAF-like protection. HP uniquely offers runtime application self-protection (RASP) technology -- Gartner 18

19 19