1 HP Software Summit - Istanbul, 20 May, Wyndham Grand Levent. Burak DAYIOĞLU, Hüseyin ÖZEL. How Secure Are My Applications? Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
2 How Secure Are My Applications? Burak DAYIOĞLU, CISSP, CSSLP, CRISC, General Manager, Symturk; Hüseyin ÖZEL, HP GTI&MEA Fortify Sales Manager
3 Breaches and Their Impact Are Growing: 25% average annual increase in the number of breaches; 10% average annual increase in the size of each breach.
4 The Shifting Perimeter: Applications. Layers: Network, Servers, Applications. Assets at stake: Intellectual Property, Customer Data, Business Processes, Trade Secrets. Security Measures: Switch/Router security, Firewalls, NIPS/NIDS, VPN, Net-Forensics, Anti-Virus/Anti-Spam, DLP, Host FW, Host IPS/IDS, Vuln. Assessment tools.
5 20 Critical IT Security Controls
6 Symturk Solutions
7 Symturk and HP: 2003: Fortify founded; 2007: Symturk & Fortify partnership; 2010: HP acquires Fortify; 2011: Symturk HP consultancy; 2013: Symturk ArcSight partnership; 2015: Symturk Atalla partnership.
8 Our Software Security Solutions: Training; Process Consulting; Fortify Integration; Load Testing.
9 Cost: What is the cost of doing nothing? Fixing software in production is about 30 times more expensive. Cost multipliers shown on the chart: 30X, 10X, 15X, 5X, 2X, across the phases Requirements, Development, Integration/Unit Tests, Functional Tests and Production (Production being the 30X point). It costs 30 times more to fix security issues after a breach in Production than to build security into your code at the beginning, during Design. Source: NIST
12 Fortify's Software Security Vision: Application Assessment; Software Security Assurance (SSA); Application Protection. Covers in-house, outsourced, commercial and open source software. Assess: find security vulnerabilities in any type of software (mobile, web, infrastructure). Assure: fix security flaws in source code before it ships (secure SDLC). Protect: fortify applications against attack in production (logging, threat protection).
13 HP Fortify Software Security Assurance: On-Premise and On-Demand
14 Runtime - Enhance application logs & visibility. Sources feeding the IT SOC: OS, databases, storage; IPS, routers, switches, firewalls, DLP; servers, IAM, networking; applications. Application logs today: few or uninteresting details; no logs at all; require custom connectors.
15 Runtime - Enhance application logs & visibility. Introducing Application View: Know your apps. Know your users. Know your data! Alongside OS, databases, storage; IPS, routers, switches, firewalls, DLP; servers, IAM, networking, applications now feed the IT SOC. Application View retrofits applications with security event logs; no change to the application required; out-of-the-box ready for ArcSight ESM.
17 HP Confidential. Fortify Solutions: Complete Secure Lifecycle Integration. Planning & Requirements: security goals integrated in planning & requirements definition; risk assessment and profiles; security team signs off requirements. Design & Architecture: threat modeling is performed; application design/architecture is reviewed by the security team; final design/architecture aligns with security goals & requirements. Development: secure coding tools integrated & vulnerabilities proactively identified & fixed (SCA); secure coding standards are applied and secure code is developed. Testing: pre-production penetration testing (WebInspect); security team is involved in pre-production sign off (UFT, ALM/QC). Production: post-production penetration testing (on Demand); Application Defender; Application View. Maintenance: metrics & reporting; learn and refine; change management process includes security review & sign off. Application Lifecycle Management and Software Security Center span the whole lifecycle.
18 HP Fortify Named a Leader in Gartner Magic Quadrant (Gartner Application Security Testing MQ 2014): "HP offers comprehensive SAST capabilities with Fortify's strong brand name and breadth of languages tested. The company has innovative IAST capability with Fortify SecurityScope, which integrates with its WebInspect DAST. There is strong integration within HP's security portfolio, such as integration of AST knowledge into ArcSight and DAST knowledge into TippingPoint's IPS for WAF-like protection. HP uniquely offers runtime application self-protection (RASP) technology." -- Gartner