HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

Transcription

1 HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

2 The problem

3 Cyber attackers are targeting applications Networks Hardware Security Measures Switch/Router security Firewalls NIPS/NIDS VPN Net-Forensics Anti-Virus/Anti-Spam DLP Host FW Host IPS/IDS Vuln. Assessment tools 3

4 We Would Like to See info-sec spending Business impact (# of incidents & exploits) 4

5 We Are Faced With info-sec spending Business impact (# of incidents & exploits) 5

6 Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router security Firewalls Customer NIPS/NIDS Data VPN Net-Forensics Anti-Virus/Anti-Spam Business DLP Processes Host FW Host IPS/IDS Trade Vuln. Assessment Secrets tools 6

7 Today s approach > expensive, reactive 1 Somebody builds insecure software IT deploys the insecure software 2 4 We convince & pay the developer to fix it We are breached or pay to have someone tell us our code is insecure 3 7

8 Why it doesn t work 30x more costly to secure in production 30X Cost 10X 15X 5X 2X Requirements Coding Integration/ component testing System testing Production After an application is released into Production, it costs 30x more than during design. Source: NIST 8

9 The right approach > systematic, proactive Embed security into SDLC development process 1 2 In-house Outsourced Commercial Open source Leverage Security Gate to validate resiliency of internal or external code before Production 3 Improve SDLC policies Monitor and protect software running in Production This is application security 9

10 Product Overview

11 Software must be Fortify'd Fortify Source Code Analysis Source Code Security Audits Fortify Security Scope HP WebInspect Fortify RTA Run-Time Protection PLAN DESIGN CODE FUNCTIONAL TEST ACCEPTANCE TEST DEPLOY Software Inventory Collaboration Module Governance Module Fortify SSC Server Software Security Metrics and Reporting 11

12 Fortify on Demand

13 What are you going to do? How to launch a security program quickly? How to scale to get all applications tested? How to manage risk for applications when source code is unavailable? 13

14 Application security in three easy steps Upload Test Review Customer uploads software to the HP Fortify on Demand cloud HP Fortify on Demand conducts security tests (dynamic, static or manual) on the application Customer reviews the results of the application test in the form of a detailed report or dashboard 14

15 Multiple levels of FOD dynamic testing Dynamic Analysis Baseline Standard Premium App Risk Level Low Marketing Site Medium Personally Identifiable High Credit card / SSN WebInspect scan False Positive Removal Remediation Scan Manual Testing Business Logic Testing Web Services Static Assist or SecurityScope 15

16 Vendor management program How it works Vendor FOD account Procurer FOD account Automated Vendor Expert FOD account Testing Review Vendor FOD account Static Analysis Dynamic Analysis Vendor FOD account Vendor FOD account Detailed results Vendor publishes report to Procurer s account Vendor Uploads Application Results back in 1-5 days 16

17 Mobile application security support Mobile support for: Objective-C (Apple ipad/ iphone) Client Network Server Android Windows Blackberry Utilize Hybrid Analysis Source Code Running Application Test all three tiers Credentials in memory Credentials on filesystem Data stored on filesystem Poor cert management Cleartext credentials Cleartext data Backdoor data Data leakage SQLi XSS LFI Authentication Session Management Logic Flaws 17

18 Fortify my Application HP Fortify on Demand (FoD) assessment services is offering a limited free trial where customers can get an example Java code of theirs assessed free of charge. The free FoD is out of California but is accessible from anywhere. The following are the limitations on the free version: Up to 5 assessments per month Java only Up to 75 MB per assessment Cross-Site Scripting (Up to 10 vulnerabilities) Access: In the menu on the right there's a link to TRY NOW: 18

19 Software Security Assurance

20 Software Security Assurance 4 Disciplines are high-level categories for activities Three security Functions under each Discipline are the specific silos for improvement within an organization Alignment & Governance Requirements & Design Verification & Assessment Deployment & Operations Disciplines Functions 20

21 SSA Maturity Model Maturity Levels Successive Maturity Levels for each functional area 0. Not undertaken 1. Initial understanding and ad-hoc provision 2. Increased efficiency and effectiveness 3. Comprehensive coverage For each Maturity Levels we define Control Objective Activities Success Metrics Resources required Costs Benefits 21

22 SSA Scorecard Blank Scorecard Industry Best Practices Enterprise Scoring Prioritized Roadmap Objective 3 Objective 2 Objective 1 Objective 0 7 Governance & Alignment 1 3 Requirements & Design 6 Education Standard Planning Threat Md Sec Req Def Design Arch Rev Code Rev Sec Testing Vul Mgmt Infr Harden Ops Enable 8 Verification & Assessment Deployment & Operations 22

23 Example for a Static Analysis Rollout

24 SSA Best Practice Approach Key Principles Rapid identification and remediation of critical vulnerabilities Don t forget to fix or boil the ocean Prevent introduction of new vulnerabilities Integrate into existing SDLC with minimal process changes Provide flexibility to integrate with new SDL as it rolls-out Provide support for the developers Training in the context of their own code base Mentoring as required Monitor and control Automate gathering of vulnerability statistics and publish Enforcement via security gate Continuous Improvement 24 24

25 SSA Best Practice Approach Assess Pilot Assess Roll-out Mature Establish SSA Team 25

26 SSA Best Practice Approach Assess Pilot Assess Roll-out Mature Baseline assessment against SSA Maturity Model Where you are SSA End-State Vision Where you want to be SSA High-Level Roadmap How you are going to get there Implementation Plan for first phase Next step Establish SSA Team 26

27 SSA Best Practice Approach Assess Pilot Assess Roll-out Mature Establish and manage the SA program 27 Requires senior management support Define Policies Application Security center of excellence Support for the development teams Define SDLC Controls Establish initial security gates Set-up Governance Module Application Catalogue Compliance Reporting Establish SSA Team

28 SSA Best Practice Approach Assess Pilot Assess Roll-out Mature Work with Pilot Application/Team 28 Fortify Infrastructure Set-Up Base-line Audit Remediation Support Fortify 360 Training Mentoring Capture Metrics Business As Usual Process Integration Establish SSA Team Gain knowledge and expertise Artefacts created are input to SSA Program

29 Example Process Development Teams Security AWB 2. Audit Defect Tracking System Monitor CM Project Security Lead Source Code Repository(s) CISO 3. Assign CM Central Build Server(s) Build Tool Fortify SCA 5. Validate AWB Development Manager 1. Identify Security Auditor IDE 4. Fix Fortify CM Fortify SSC Server 29 Developer

30 SSA Best Practice Approach Assess Pilot Assess Roll-out Mature Assessment against SSA Maturity Model Where you are SSA End-State Vision Where you want to be SSA High-Level Roadmap How you are going to get there Implementation Plan for next phase Next step Establish SSA Team 30

31 SSA Best Practice Approach Assess Pilot Assess Roll-out Mature Publicise SSA Program Use Pilot team as a reference Roll-out across enterprise prioritised by business risk For each team Base-line Audit Fortify 360 Training Mentoring BAU Process Integration Publish Metrics Establish SSA Team 31

32 SSA Best Practice Approach Assess Pilot Assess Roll-out Mature Establish SSA Team Increase maturity level across all functions Raise the security bar Establish Continuous Improvement Loop 32

33 Goals and benefits for Software Security Assurance SSA A successful software security initiative leads to: Measurably reduced risk from existing applications A controlled process for preventing vulnerabilities in new releases Reduced costs, delays, and wasted effort from emergency bug fixes and incident clean-up 33

34 ROI

35 Fixing Bugs Earlier in the Lifecycle Cost of Fixing One Vulnerability Based On The Stage It Was Identified $ $14,102 $ $9.000 $6.000 $7, $3.000 $0 $139 $455 $977 Requirements Design Coding Testing Maintenance

36 Example: Cost of Fixing Critical Defects The following case study provides an example of the savings generated by using source code analysis to find vulnerabilities earlier in the SDLC Application Sample Application Size: 2 Million LOC Vulnerabilities Identified Using SCA Defects Identified during SCA: 1,600 Defects Deemed Critical

37 Example: Cost of Fixing Critical Defects Cost of Fixing Vulnerabilities Early Cost of Fixing Vulnerabilities Later Stage Critical Bugs Identified Cost of Fixing 1 Bug Cost of Fixing All Bugs Stage Critical Bugs Identified Cost of Fixing 1 Bug Cost of Fixing All Bugs Requirements $139 Design $455 Coding 200 $977 $195,400 Testing $7,136 Requirements $139 Design $455 Coding $977 Testing 50 $7,136 $356,800 Maintenance $14,102 Maintenance 150 $14,102 $2,115,300 Total 200 $195,400 Total 200 $2,472, Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3MM

38 Thank you 38 Success is foreseeing failure. Henry Petroski

39 Thank you