HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security
2 The problem
3 Cyber attackers are targeting applications
Diagram: the layers Networks and Hardware, with the security measures deployed there: switch/router security, firewalls, NIPS/NIDS, VPN, network forensics, anti-virus/anti-spam, DLP, host firewalls, host IPS/IDS, vulnerability assessment tools
4 We would like to see
Chart: info-sec spending versus business impact (number of incidents and exploits)
5 We are faced with
Chart: info-sec spending versus business impact (number of incidents and exploits)
6 Cyber attackers are targeting applications
Diagram: the same layers, Networks and Hardware, now with Applications on top. The application layer holds the assets attackers are after: intellectual property, customer data, business processes, trade secrets. The security measures listed (switch/router security, firewalls, NIPS/NIDS, VPN, network forensics, anti-virus/anti-spam, DLP, host firewalls, host IPS/IDS, vulnerability assessment tools) sit at the network and host layers, below the applications.
7 Today's approach: expensive, reactive
1. Somebody builds insecure software
2. IT deploys the insecure software
3. We are breached, or pay to have someone tell us our code is insecure
4. We convince and pay the developer to fix it
8 Why it doesn't work: 30x more costly to secure in production
Chart: relative cost of fixing a defect by stage (Requirements, Coding, Integration/component testing, System testing, Production), with multipliers of 2x, 5x, 10x, 15x and 30x. After an application is released into production, a fix costs 30x more than during design. Source: NIST
9 The right approach: systematic, proactive
1. Embed security into the SDLC development process, whatever the code's origin: in-house, outsourced, commercial, open source
2. Leverage a security gate to validate the resiliency of internal or external code before production
3. Monitor and protect software running in production
Feed the results back to improve SDLC policies. This is application security.
10 Product Overview
11 Software must be Fortify'd
SDLC phases covered: Plan, Design, Code, Functional Test, Acceptance Test, Deploy
Fortify Source Code Analysis: source code security audits
Fortify SecurityScope
HP WebInspect
Fortify RTA: run-time protection
Fortify SSC Server: software inventory, collaboration module, governance module, software security metrics and reporting
12 Fortify on Demand
13 What are you going to do?
How to launch a security program quickly?
How to scale to get all applications tested?
How to manage risk for applications when source code is unavailable?
14 Application security in three easy steps
Upload: the customer uploads software to the HP Fortify on Demand cloud
Test: HP Fortify on Demand conducts security tests (dynamic, static or manual) on the application
Review: the customer reviews the results of the test in the form of a detailed report or dashboard
15 Multiple levels of FoD dynamic testing
Dynamic analysis levels matched to application risk:
Baseline: low risk (e.g. a marketing site)
Standard: medium risk (personally identifiable information)
Premium: high risk (credit card / SSN data)
Activities drawn on across the levels: WebInspect scan, false positive removal, remediation scan, manual testing, business logic testing, web services testing, static assist or SecurityScope
16 Vendor management program: how it works
1. The vendor uploads the application to its own FoD account
2. Automated testing: static analysis and dynamic analysis
3. Expert review
4. Detailed results are back in 1-5 days
5. The vendor publishes the report to the procurer's FoD account
17 Mobile application security support
Mobile support for: Objective-C (Apple iPad/iPhone), Android, Windows, BlackBerry
Utilize hybrid analysis: source code plus the running application
Test all three tiers:
Client: credentials in memory, credentials on filesystem, data stored on filesystem, poor certificate management
Network: cleartext credentials, cleartext data, backdoor data, data leakage
Server: SQLi, XSS, LFI, authentication, session management, logic flaws
18 Fortify my Application
HP Fortify on Demand (FoD) assessment services offers a limited free trial in which customers can have a sample of their own Java code assessed free of charge. The free FoD runs out of California but is accessible from anywhere. Limitations of the free version:
Up to 5 assessments per month
Java only
Up to 75 MB per assessment
Findings reported: Cross-Site Scripting only (up to 10 vulnerabilities)
Access: in the menu on the right there is a TRY NOW link
19 Software Security Assurance
20 Software Security Assurance
Four Disciplines are high-level categories for activities: Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations
Three security Functions under each Discipline are the specific silos for improvement within an organization
21 SSA Maturity Model
Successive maturity levels for each functional area:
0. Not undertaken
1. Initial understanding and ad-hoc provision
2. Increased efficiency and effectiveness
3. Comprehensive coverage
For each maturity level we define: control objective, activities, success metrics, resources required, costs, benefits
22 SSA Scorecard
Scorecard figure: blank scorecard, industry best practices, enterprise scoring, prioritized roadmap. Each function is scored from Objective 0 to Objective 3.
Functions scored, by discipline:
Governance & Alignment: Education, Standards, Planning
Requirements & Design: Threat Modeling, Security Requirements Definition, Design/Architecture Review
Verification & Assessment: Code Review, Security Testing, Vulnerability Management
Deployment & Operations: Infrastructure Hardening, Operations Enablement
23 Example for a Static Analysis Rollout
24 SSA Best Practice Approach: key principles
Rapid identification and remediation of critical vulnerabilities: neither forget to fix nor try to boil the ocean
Prevent introduction of new vulnerabilities: integrate into the existing SDLC with minimal process changes; provide flexibility to integrate with the new SDL as it rolls out
Provide support for the developers: training in the context of their own code base; mentoring as required
Monitor and control: automate the gathering of vulnerability statistics and publish them; enforcement via a security gate
Continuous improvement
25 SSA Best Practice Approach
Phases: Assess, Pilot, Assess, Roll-out, Mature. Establishing the SSA team runs alongside the phases.
26 SSA Best Practice Approach: Assess
Baseline assessment against the SSA Maturity Model: where you are
SSA end-state vision: where you want to be
SSA high-level roadmap: how you are going to get there
Implementation plan for the first phase: next step
27 SSA Best Practice Approach: Establish SSA Team
Establish and manage the SSA program (requires senior management support)
Define policies
Application security center of excellence: support for the development teams
Define SDLC controls: establish initial security gates
Set up the Governance Module: application catalogue, compliance reporting
28 SSA Best Practice Approach: Pilot
Work with a pilot application/team:
Fortify infrastructure set-up
Baseline audit
Remediation support
Fortify 360 training
Mentoring
Capture metrics
Business-as-usual process integration
Outcome: gain knowledge and expertise; the artefacts created are input to the SSA program
29 Example process
Actors and components: development teams (development manager, developers working in their IDE with Fortify), security (security auditor with Audit Workbench (AWB), project security lead, CISO), source code repository(s), central build server(s) running the build tool with Fortify SCA, defect tracking system, Fortify SSC Server with the Collaboration Module (CM) used for monitoring
1. Identify: Fortify SCA runs on the central build server against the source code repository
2. Audit: the security auditor reviews the results in AWB / the Collaboration Module
3. Assign: confirmed issues are assigned to the development manager through the defect tracking system
4. Fix: the developer fixes the issue in the IDE
5. Validate: the security auditor validates the fix in AWB
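The security gate in this loop, and the two principles from slide 24 it has to reconcile (prevent new vulnerabilities, but don't try to boil the existing ocean), can be made mechanical. The block below is an added example written for this page; it is not Fortify code and not from the deck. It assumes the scan results have already been parsed into a flat list of findings (the FPR/FVDL file Fortify SCA produces is not parsed here), and it uses a constructed fingerprint (category, file, sink) in place of Fortify's own instance IDs. The sample baseline and follow-up scan are constructed, not real scan output.

```python
"""Security-gate policy for a static-analysis rollout (added example, not Fortify code).

Assumptions, none of which come from the original deck:
- Findings arrive already parsed into Finding objects; no FPR/FVDL parsing here.
- The fingerprint below is a stand-in for the analyzer's stable instance IDs.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    category: str   # analyzer category, e.g. "SQL Injection"
    severity: str   # one of SEVERITY_RANK
    file: str       # path of the sink
    line: int       # line of the sink (informational only)
    sink: str       # the dangerous call the tainted data reaches


def fingerprint(f: Finding) -> str:
    """Stable identity of a finding across scans.

    Category, file and sink identify the flaw; the line number is deliberately
    left out so that edits above the sink do not turn a known finding into a
    "new" one and trip the gate.  (Constructed scheme; Fortify has its own IDs.)
    """
    key = "|".join((f.category, f.file, f.sink)).encode()
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass(frozen=True)
class GatePolicy:
    block_new_at_or_above: str = "High"      # a new finding at/above this fails the gate
    must_fix_at_or_above: str = "Critical"   # a carried-over finding at/above this fails the gate
    ratchet: bool = True                     # per-severity counts may shrink but never grow


@dataclass
class GateResult:
    passed: bool
    reasons: List[str]
    new: List[Finding]
    carried: List[Finding]
    fixed: List[Finding]


def evaluate_gate(scan: Iterable[Finding], baseline: Iterable[Finding],
                  policy: GatePolicy = GatePolicy()) -> GateResult:
    """Compare the current scan with the pilot's baseline audit and apply the policy."""
    base = {fingerprint(f): f for f in baseline}
    now = {fingerprint(f): f for f in scan}

    new = [f for fp, f in now.items() if fp not in base]
    carried = [f for fp, f in now.items() if fp in base]
    fixed = [f for fp, f in base.items() if fp not in now]
    reasons: List[str] = []

    # 1. Prevent introduction of new vulnerabilities.
    block = SEVERITY_RANK[policy.block_new_at_or_above]
    for f in new:
        if SEVERITY_RANK[f.severity] >= block:
            reasons.append(f"new {f.severity} {f.category} at {f.file}:{f.line} ({f.sink})")

    # 2. Rapid remediation of the worst pre-existing findings.
    floor = SEVERITY_RANK[policy.must_fix_at_or_above]
    for f in carried:
        if SEVERITY_RANK[f.severity] >= floor:
            reasons.append(f"unremediated {f.severity} {f.category} at {f.file}:{f.line} ({f.sink})")

    # 3. Ratchet: the backlog may shrink but never grow, severity by severity.
    if policy.ratchet:
        for sev in SEVERITY_RANK:
            before = sum(1 for f in base.values() if f.severity == sev)
            after = sum(1 for f in now.values() if f.severity == sev)
            if after > before:
                reasons.append(f"{sev} count rose from {before} to {after}")

    return GateResult(not reasons, reasons, new, carried, fixed)


# Constructed sample data (not real scan output): the pilot's baseline audit
# and the next build's scan.
BASELINE = [
    Finding("SQL Injection", "Critical", "src/OrderDao.java", 42, "Statement.executeQuery"),
    Finding("Cross-Site Scripting", "High", "src/Search.jsp", 17, "out.println"),
    Finding("Weak Cryptographic Hash", "Medium", "src/Token.java", 88, "MessageDigest.getInstance"),
    Finding("System Information Leak", "Low", "src/Errors.java", 10, "printStackTrace"),
]

NEXT_BUILD = [
    # SQL injection fixed; the XSS sink moved from line 17 to 25 after an edit
    Finding("Cross-Site Scripting", "High", "src/Search.jsp", 25, "out.println"),
    Finding("Weak Cryptographic Hash", "Medium", "src/Token.java", 90, "MessageDigest.getInstance"),
    # one Low fixed, another Low introduced elsewhere: the ratchet allows this
    Finding("System Information Leak", "Low", "src/Report.java", 5, "printStackTrace"),
]

if __name__ == "__main__":
    result = evaluate_gate(NEXT_BUILD, BASELINE)
    print("PASS" if result.passed else "FAIL",
          f"new={len(result.new)} carried={len(result.carried)} fixed={len(result.fixed)}")
    for reason in result.reasons:
        print(" -", reason)
```

Wired into the build server step of the process above, a failing GateResult is what stops the pipeline, and its reasons are the text that goes into the defect tracker at the Assign step. The ratchet is what lets a team start with a large baseline without blocking every build: the backlog is allowed to exist, it is just not allowed to grow.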
30 SSA Best Practice Approach: Assess (second pass)
Assessment against the SSA Maturity Model: where you are
SSA end-state vision: where you want to be
SSA high-level roadmap: how you are going to get there
Implementation plan for the next phase: next step
31 SSA Best Practice Approach: Roll-out
Publicise the SSA program, using the pilot team as a reference
Roll out across the enterprise, prioritised by business risk
For each team: baseline audit, Fortify 360 training, mentoring, BAU process integration
Publish metrics
32 SSA Best Practice Approach: Mature
Increase the maturity level across all functions
Raise the security bar
Establish a continuous improvement loop
33 Goals and benefits of Software Security Assurance (SSA)
A successful software security initiative leads to:
Measurably reduced risk from existing applications
A controlled process for preventing vulnerabilities in new releases
Reduced costs, delays and wasted effort from emergency bug fixes and incident clean-up
34 ROI
35 Fixing bugs earlier in the lifecycle
Cost of fixing one vulnerability, by the stage at which it was identified:
Requirements   $139
Design         $455
Coding         $977
Testing        $7,136
Maintenance    $14,102
36 Example: cost of fixing critical defects
The following case study shows the savings generated by using source code analysis to find vulnerabilities earlier in the SDLC.
Application: sample application, 2 million LOC
Vulnerabilities identified using SCA: 1,600 defects identified during SCA, of which 200 were deemed critical
37 Example: cost of fixing critical defects
Cost of fixing vulnerabilities early (all 200 critical bugs found during coding):
Stage         Critical bugs   Cost per bug   Cost for all bugs
Requirements  -               $139           -
Design        -               $455           -
Coding        200             $977           $195,400
Testing       -               $7,136         -
Maintenance   -               $14,102        -
Total         200                            $195,400

Cost of fixing vulnerabilities later (50 found in testing, 150 in maintenance):
Stage         Critical bugs   Cost per bug   Cost for all bugs
Requirements  -               $139           -
Design        -               $455           -
Coding        -               $977           -
Testing       50              $7,136         $356,800
Maintenance   150             $14,102        $2,115,300
Total         200                            $2,472,100

Identifying the critical bugs earlier in the lifecycle reduced costs by about $2.3MM ($2,472,100 - $195,400 = $2,276,700).
38 Thank you
"Success is foreseeing failure." Henry Petroski
39 Thank you
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
More informationGlobal Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro)
Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro) NICE Conference 2014 CYBERSECURITY RESILIENCE A THREE TIERED SOLUTION NIST Framework for Improving Critical Infrastructure Cybersecurity
More informationWhite Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
More informationEffective Software Security Management
Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1
More informationMicrosoft Services Premier Support. Security Services Catalogue
Microsoft Services Premier Support Security Services Catalogue 2014 Microsoft Services Microsoft Services helps you get the most out of your Microsoft Information Technology (IT) investment with integrated
More informationVulnerability management lifecycle: defining vulnerability management
Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationSoftware Supply Chains: Another Bug Bites the Dust.
SESSION ID: STR-T08 Software Supply Chains: Another Bug Bites the Dust. Todd Inskeep 1 Global Security Assessments VP Samsung Business Services @Todd_Inskeep Series of Recent, Large, Long-term Security
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More information應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊
應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊 HP Enterprise Security 林 傳 凱 (C. K. Lin) Senior Channel PreSales, North Asia HP ArcSight, Enterprise Security 1 Rise Of The Cyber Threat Enterprises and Governments are experiencing
More informationMobility. Exploiting and Maintaining the New Face of Engagement. Huseyin Ozel CT, HP EMEA Enterprise Mobility September 2015
Mobility Exploiting and Maintaining the New Face of Engagement Huseyin Ozel CT, HP EMEA Enterprise Mobility September 2015 Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained
More informationIs your business prepared for Cyber Risks in 2016
Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers
More informationState of South Carolina Policy Guidance and Training
DRAFT For Discussion Purposes Only State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Information Systems (IS) Acquisitions, Development, and Maintenance Policy April/May
More informationStatic & Dynamic Analysis for Web Applications. OWASP Atlanta Chapter March 2010 Meeting. The OWASP Foundation http://www.owasp.
Static & Dynamic Analysis for Web Applications Tony UcedaVelez Atlanta, Chapter Lead & Guest Panel: Atlanta Chapter March 2010 Meeting Jeremiah Grossman (WhiteHat Security) Chris Eng (Veracode) Russell
More information5 Partner Benefits and Requirements... 8 5.1 Benefits... 8 5.2 Requirements... 8
Table of Contents Table of Contents... 2 1 Overview & Presentation... 4 2 Partner Communications... 5 2.1 Partner channels... 5 2.2 Kiuwan Representatives... 5 3 About Kiuwan... 6 4 Partner Types... 7
More information