Work smarter, not harder, to secure your applications Featuring Analyst Research
In this issue

- Seismic shift needed toward application security
- Critical differentiator for RASP: access to the code
- From the Gartner Files: Maverick* Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves
- About HP Security

Seismic shift needed toward application security

If you are like every other IT professional, you worry about staying out of the news for a cyber security attack. Do you know where you are most exposed? Over 80% of attacks target applications. Joseph Feiman, analyst with Gartner, urges organizations to increase the level of spending and emphasis on application security. In the featured research, he points out that the ratio of spending between perimeter security and application security is 23-to-1.

HP believes this need is reinforced by findings in the latest Cyber Risk Report from HP. HP Security researchers evaluate the threat landscape annually to offer their perspective on how to minimize security risk. In the most recent HP Security Research Cyber Risk Report, researchers analyzed a sample set of security audits performed by HP Fortify on Demand on 378 mobile apps, 6,504 Web apps, and 138 Sonatype reports from 113 open source projects. These audits include results from static, dynamic, and manual analysis. Some of the conclusions:

- Vulnerabilities are still pervasive: the researchers found that more Web and mobile apps contained discoverable vulnerabilities.
- Not surprisingly, remediation leads to more secure software. Among applications following a secure software development life cycle, those analyzed more than once had over 68 percent of their vulnerabilities resolved.

It is clear that investment in scanning and testing applications can have a big impact. It is a best practice and remains highly recommended.

But vulnerabilities may remain in production applications because of time-to-market pressures, lack of access to the code, or lack of resources to remediate. What do you do about the 32 percent of vulnerabilities that are not resolved? Is the traditional approach to application security, scanning and testing, enough? Joseph Feiman says: "Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority."

Source: HP Security
Critical differentiator for RASP: access to the code

The method you choose for application self-protection matters. As Joseph Feiman points out, "An ideal RASP implementation would be instrumentation of the runtime engine (e.g., an application server) that leaves the application code untouched, and does not require a programmer's involvement in security issues." Some solutions use an SDK approach, in which programmers add RASP calls to the source code. Others instrument binary and/or bytecode by recompiling the application for execution. These approaches are viable IF you have access to the source code.

However, most businesses are choosing to focus on their core capabilities and offload non-strategic enterprise applications to third parties or cloud providers. Of the dwindling number of applications that are developed in-house, a portion may have lost their ties to the original source code or be too fragile to update. A major oil and gas company estimates that only 10-15% of its applications are developed in-house. For the majority of enterprise apps, this renders useless any self-protection that requires source code modification or recompiling. When considering application self-protection solutions, choose one that can address the majority of your enterprise applications regardless of whether they were written in-house or by a third party. Learn more about HP Application Defender.

Source: HP Security

RASP can virtually patch vulnerabilities when:

1. You lack access to the code. It's impossible to fix the code if you cannot access it.
2. Your security scan just found hundreds or even thousands of app vulnerabilities and you cannot imagine how you will fix them all.
3. Your vendor told you a patch will be ready in 3 months. What do you do in the meantime?
4. You have no idea what software vulnerabilities you have. Monitor and protect them now.

A virtual patch is a compensating control: it blocks the exploit path at runtime but leaves the underlying defect in place, so the finding still belongs in the remediation backlog.
From the Gartner Files: Maverick* Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves

Modern security fails to test and protect all apps. Therefore, apps must be capable of security self-testing, self-diagnostics and self-protection. It should be a CISO top priority. (Maverick research deliberately exposes unconventional thinking and may not agree with Gartner's official positions.)

Key Findings

- Infrastructure and perimeter protection technologies inherently lack insight into application logic and configuration, event and data flow, executed instructions and data processing. Thus, they lack the necessary means to ensure accurate detection of application vulnerabilities and protection against application-level attacks.
- Perimeter protection technologies cannot protect against behind-the-perimeter insider attacks, which are as devastating as outsider attacks.
- Perimeter protection technologies cannot protect what ceases to exist: the perimeter, which dissipates in the mobile, consumer-oriented and cloud-oriented world.
- Technologies and services that we use to test and diagnose our applications for security vulnerabilities fail to scale to test all applications and to test them with the necessary accuracy. There are too many apps, testing skills are scarce, and tools are too complex and inaccurate.

Recommendations

- Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection.
- Build and buy applications, systems, and IoT devices capable of self-protection. Review existing offerings and plan for adoption.
- Adopt application self-testing and self-diagnostics to increase accuracy and to scale security testing of preproduction applications and security diagnostics of production applications.
- Staff security divisions/teams with more application security specialists, who will be installing/maintaining/tuning self-protection/testing/diagnostics.

Strategic Planning Assumption

By 2020, 25% of Web and cloud applications will become self-protecting, up from less than 1% today.

Analysis

*Maverick Research

This is Maverick research, designed to spark new, unconventional insights. Maverick research is unconstrained by our typical broad consensus-formation process to deliver breakthrough, innovative and disruptive ideas from our research incubator. We are publishing a collection of more than a dozen Maverick research lines this year, all designed for maximum value and impact. We'll explore each of these lines of research to help you be ahead of the mainstream and take advantage of trends and insights that could impact your IT strategy and your organization (see Note 1 and Note 2).

We universally agree that applications (and the data they access) are, by far, our most valuable assets. We heavily invest in (what we think is) their protection, but despite that, they remain pitifully defenseless. We find daily proof of that fact when we read media reports about yet another abused system and stolen data. The existing security paradigm fails to test and diagnose all applications for security vulnerabilities, and then fails again to protect those vulnerable applications:

- Our application security testing strategy fails because there are too many applications, application security testing skills are too scarce, testing tools are too complex, and their accuracy is not sufficient.
- Our application security protection strategy fails because we mistakenly believe that we invest in application protection. In reality, instead of investing in making our applications attack-resistant, we mainly invest in infrastructure and perimeter defenses, in strengthening protection of networks, computers and passwords.

In view of the failure to test and protect our applications, the only viable solution is self-testing and self-protection. Applications must test, diagnose, and protect themselves.

There's an Urgent Need to Change Security Priorities

There are three areas that CISOs and security managers should re-evaluate in their organizations:

1. The level of spending on application security
2. The reporting structure and the number of application security professionals in the security organization
3. The types of technologies/tools needed to protect applications going forward

Gartner estimates that in 2014, enterprises will spend $9.1 billion on firewalls and intrusion prevention systems (IPSs), and $2.4 billion on secure Web gateways, for a total of $11.5 billion. At the same time, they will spend a little more than $500 million on application security, which currently consists almost entirely of security testing (static application security testing [SAST] and dynamic application security testing [DAST]), because there is no dedicated, massively available and widely adopted application protection technology. The ratio of spending between perimeter security and application security is 23-to-1. Considering the ineffectiveness of perimeter protection in stopping attacks, this ratio cries for a fundamental change. An allocation of $400 million on application self-protection, approximately the same budget that is spent yearly on Web application firewalls, will give a strong boost to higher application security assurance. We believe that this expectation will become reality by [year missing]. This is not to say that perimeter defense should be abandoned. However, the amount of time and money spent on it should be re-evaluated, with a strong focus on application security.

The second change should be made to the personnel reporting to chief information security officers (CISOs). Security divisions/teams should be staffed with more application security specialists. Today, these groups are largely staffed with network, infrastructure and identity and access management (IAM) specialists who do not understand applications, do not know programming languages, and lack an understanding of application methodologies. This creates a gap in application security defenses. Application security specialists should make up about 20% of the security team (with the remaining 80% staffed by network, data, endpoint and IAM specialists), up from less than 5% today. New personnel should have a strong background in application development. They will be the ones installing/maintaining/tuning self-protection/testing/diagnostics. Because such specialists are scarce, if they cannot be hired, they should be recruited from enterprise application development/operation divisions. They can be shared assets of the application and security divisions.

Finally, security organizations need to adopt new, innovative, groundbreaking technologies/tools to better protect their applications. Adopting self-protection is quite achievable. We believe that by 2020, 25% of Web and cloud applications will become self-protecting, up from less than 1% today. The viability of that Strategic Planning Assumption is based on the fact that most applications run on just a very few application runtime engines, which should be instrumented with runtime application self-protection (RASP) features (see Note 3). We are speaking of the Java and .NET runtime engines, the Java Virtual Machine (JVM) and the .NET Common Language Runtime (CLR), and a few application servers built on these virtual machines (such as Tomcat, JBoss and Microsoft Internet Information Services [IIS]). These virtual machines (VMs)/servers will be distributed by RASP or VM/server vendors, and will be equipped with RASP, a reasonably simple development/delivery process.

There are two capabilities that should be built into any application's runtime: self-protection and self-testing/self-diagnostics.

Self-Protection

Technologies that we use today with the expectation that they will protect applications, for example, network firewalls, IPSs and Web application firewalls (WAFs), are network traffic and content inspectors. They analyze traffic and/or user sessions to and from applications, but cannot see how that input is being processed within applications and databases. Because of that, their protective measures lack much of the accuracy necessary for the termination of malicious sessions. The accuracy of attack detection and protection will greatly advance if applications stop delegating their entire protection to external devices, and adopt self-protection.

RASP Definition and Implementations

RASP is designed to protect applications by adding protection features into the application runtime environment. The process of adding new features is often called instrumentation. RASP should satisfy these criteria:

- Be able to protect applications by detecting and blocking attacks.
- Have deep visibility into application logic flow and data flow, configuration, executed instructions and data processing, to accurately identify attacks.
- Be instrumented into the application runtime environment. This instrumentation should be noninvasive, or require no/minimal invasiveness into application code.

Two RASP criteria are foundational: (1) the ability to protect; and (2) deep visibility into the application. However, the instrumentation into the runtime and the degree of invasiveness in the code might vary. An ideal RASP implementation would be instrumentation of the runtime engine (e.g., an application server) that leaves the application code untouched, and does not require a programmer's involvement in security issues. Emerging RASP solutions from vendors such as HP, Waratek and Prevoty demonstrate that type of instrumentation. Nevertheless, we expect, and have begun to see, other ways of implementing RASP:

- Enabling programming to the RASP tool from the source code, the approach that requires a developer's involvement. Prevoty demonstrates that type of instrumentation (although Prevoty's other RASP product does instrument runtime engines and does not require programming).
- Not touching source code at all, but instrumenting binary and/or bytecode after programming is finished and the source code is compiled into byte or binary code that is ready for execution. Instrumentation takes place at that final preproduction stage. It hardens the application, for example, by injecting special protector byte/binary code into the application's binary/bytecode. This instrumentation, also called application shielding, is demonstrated by vendors such as Arxan.

Using RASP With Other Security Technologies

The emergence of RASP does not negate the necessity for multilayered security. Perimeter and infrastructure protection technologies, as well as RASP, have their own strengths and weaknesses. Therefore, they can, and should, be used together for a multilayer security defense. For example, a WAF can serve as an early warning system for RASP, signaling suspected attacks, but RASP would be delegated to make the final decision on session termination. To minimize RASP overhead, the WAF can make its own protection decisions when it has high assurance that an attack is real. Among those decisions can be termination of access from blacklisted IP addresses and geographic locations, or termination of access by users who have been blacklisted in fraud prevention databases.

Another area of interaction is between RASP and security information and event management (SIEM). In that interaction, RASP feeds its highly accurate detection and protection results into the SIEM for correlation with input from other security technologies, such as IAM and network security. This approach has been tested by HP for its RASP and SIEM tools. Such interaction will also give RASP additional context, which might enable RASP to protect against advanced attacks, for example, where credentials have been stolen and used in the attack. Interaction between multiple layers of security and correlation of their analyses is the most desirable evolution.
Self-Protection Maturity Timeline and Adoption Drivers

In terms of Gartner's Hype Cycle methodology, we estimate RASP maturity to be Emerging, and expect that it will take RASP up to 10 years to reach the Plateau of Productivity. Time is required to address the technical complexities and stability of this new technology. We address some RASP strengths and challenges in "Runtime Application Self-Protection: Technical Capabilities."

We expect that cloud computing and virtualization will contribute to the adoption of RASP. Cloud providers (such as Amazon, Rackspace, salesforce.com, Microsoft Azure and Heroku) have, more or less, full control of the application runtime environment running the cloud applications. Thus, they can establish the process of installing and maintaining RASP on their VMs/servers. Implementing RASP will increase cloud providers' defenses, and enable them to address cloud users' security concerns (which are one of the main obstacles to broader cloud adoption).

Another driver for increased RASP adoption would be partnerships between RASP and application runtime environment vendors, for example, between a RASP vendor and a JVM vendor, such as IBM or Oracle, or a .NET CLR vendor, such as Microsoft. The latter will find it beneficial to work on the simplification and safety of installation, testing, and maintenance of the interfaces with RASP.

Yet another driver for RASP adoption could be the penetration of the Internet of Things (IoT). Equipping IoT systems with self-protection capabilities seems the most viable solution, considering that the IoT will function in homes and household devices (thermostats, sprinklers, etc.), where perimeter protection technologies have limited applicability.

Self-Testing/Diagnostics

The adoption of application security testing (AST) began with the adoption of SAST and/or DAST tools.
Soon, most enterprises came to the realization that they lack the skills, budget and focus to be effective operators of AST tools. In response, AST vendors began offering AST as a service, where DAST and SAST are conducted by the AST vendors from their own cloud platforms. However, the use of tools and/or cloud services very often cannot address security testing of the entire (or a large part) of an organization's portfolio of apps, because testing is expensive and time-consuming. Moreover, the turnaround time between a request for a test and the return of the test results often cannot meet the requirements of agile development. The accuracy of DAST and SAST tests also suffers from high false-positive and false-negative rates.

Self-Testing Definition and Implementations

The solution to these problems is application self-testing with interactive application security testing (IAST) technology. An IAST tool consists of two parts: an agent and an inducer. The agent resides inside the application server or application VM (such as the JVM or .NET CLR, or on servers such as Apache, Tomcat and IIS). It observes the test, establishes whether it exploits vulnerabilities, and determines where in the code the vulnerabilities are located. The inducer simulates attacks on an application whose application server is instrumented with an agent. The inducer can be implemented in several ways. In some implementations, a DAST tool is the inducer. In others, the test is initiated by a special generator of potentially malicious conditions or by a sequence of quality assurance (QA) test scenarios. The latter IAST implementation is the self-testing case: a QA test serves as the inducer for IAST, and a recording of possible attack scenarios or a generator of potentially malicious conditions (built into the IAST tool) serves as an additional inducer. In that case, each application executed on the test machine automatically undergoes a security test (that is, a test runs itself whenever the application runs). Examples of self-testing come from such vendors as Contrast Security and Quotium. IAST technology is also provided by such vendors as Acunetix, HP and IBM.
Self-Diagnostics

A special case of self-testing is production-time self-diagnostics. If an IAST agent is installed on a production server, it can report vulnerabilities and attacks without disrupting the application (by contrast, DAST can be disruptive when used to test production apps). In that case, an inducer is not required, because the production application's own execution becomes the inducer. The same self-diagnostics can be provided by RASP, if RASP turns off its protection feature and uses only its real-time alert and log collection features.

It makes sense to mention that server-side RASP and IAST have a great deal in common. Server-side RASP, generally speaking, is IAST with added protection features. IAST instruments test application servers; RASP instruments a production server. IAST produces a report of the vulnerabilities found in the test phase; RASP stops execution of exploits detected in the operation phase.

Using Self-Testing With Other Security Testing Technologies

IAST can be used along with SAST and DAST. SAST can be used earlier in the life cycle, at the programming phase, while IAST can be used only when the application runs (which typically starts at the test phase). IAST and DAST integration is also possible. One IAST implementation is when DAST serves as an inducer for an IAST agent that resides in the application server. Several vendors (e.g., IBM and HP) offer that version of IAST/DAST integration.

Self-Testing Maturity Timeline and Adoption Drivers

IAST is at the adolescent phase of Gartner's application security Hype Cycle. We expect that it will take more than five years for it to reach the Plateau of Productivity. Self-testing, as a use case of IAST, will mature accordingly.
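The runtime-instrumentation model this research describes (RASP that "gets control" when instructions reaching the database execute, the sidebar case of virtually patching code you cannot edit, and the self-diagnostics mode in which protection is switched off and only alerts are kept) is easier to judge against a concrete, if toy, instance. What follows is an added example written for this page; it is not code from HP, Gartner, Waratek, Prevoty or any other vendor named here. It instruments Python's sqlite3 module at sqlite3.connect, so the deliberately vulnerable application handler is never edited or recompiled, and at execute time it applies the rule that a request's tainted input must occupy exactly one SQL literal token. Every module, function and variable name is invented for the example, and the request-entry hook that marks inputs as tainted is simplified to a context variable.

```python
"""Minimal RASP/IAST-style guard for Python's sqlite3 (added illustration only;
not HP, Gartner or any vendor's code). It instruments the runtime entry point
sqlite3.connect, leaves the application untouched, and enforces the rule that a
tainted request input must land inside exactly one SQL literal token.
MODE "block" behaves like RASP; "monitor" only records findings with the code
location, as IAST-style self-diagnostics would. All names are invented."""
import contextvars
import re
import sqlite3
import traceback

_TAINT = contextvars.ContextVar("rasp_taint", default=())  # request-scoped untrusted values
MODE = {"value": "block"}                                   # "block" (RASP) or "monitor" (IAST)
FINDINGS = []                                               # monitor-mode report

# Coarse SQL lexer: string literals, quoted identifiers, numbers, words, punctuation.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"          # single-quoted string literal ('' escapes a quote)
    r'|"[^"]*"'                # double-quoted identifier
    r"|\d+(?:\.\d+)?"          # numeric literal
    r"|[A-Za-z_]\w*"           # identifier or keyword
    r"|<>|<=|>=|!=|\S"         # operators and single-character punctuation
)

class AttackBlocked(RuntimeError):
    """Raised in block mode instead of executing an injected query."""

def is_injection(sql, tainted):
    """True if a tainted value occurs in `sql` outside a single literal token,
    i.e. the input contributed SQL syntax rather than data."""
    literals = [(m.start(), m.end()) for m in _TOKEN.finditer(sql)
                if m.group()[0] == "'" or m.group()[0].isdigit()]
    for value in tainted:
        start = sql.find(value) if value else -1
        while start != -1:
            end = start + len(value)
            if not any(s <= start and end <= e for s, e in literals):
                return True
            start = sql.find(value, start + 1)
    return False

def _report(sql):
    """Record the application frame that issued the query (what an IAST agent reports)."""
    frame = next(f for f in reversed(traceback.extract_stack())
                 if f.name not in ("_report", "execute"))
    FINDINGS.append({"sql": sql, "file": frame.filename,
                     "line": frame.lineno, "function": frame.name})

class _GuardedCursor(sqlite3.Cursor):
    def execute(self, sql, *args):
        if is_injection(sql, _TAINT.get()):
            _report(sql)
            if MODE["value"] == "block":
                raise AttackBlocked(f"blocked SQL injection: {sql!r}")
        return super().execute(sql, *args)

class _GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=_GuardedCursor):
        return super().cursor(factory=factory)

    def execute(self, sql, *args):  # route the shortcut through the guarded cursor
        return self.cursor().execute(sql, *args)

_real_connect = sqlite3.connect

def install():
    """Instrument the runtime: every later sqlite3.connect() returns a guarded
    connection. No application code is modified or recompiled."""
    def guarded_connect(*args, **kwargs):
        kwargs.setdefault("factory", _GuardedConnection)
        return _real_connect(*args, **kwargs)
    sqlite3.connect = guarded_connect

def handle_login(db, username):
    """Toy application handler, deliberately vulnerable (string concatenation).
    Its only hook is marking the request input as tainted on entry."""
    token = _TAINT.set((username,))
    try:
        row = db.execute("SELECT id FROM users WHERE name = '" + username + "'").fetchone()
        return row[0] if row else None
    finally:
        _TAINT.reset(token)

def demo(mode="block"):
    """Run a benign and an injected login through the guard; return
    (benign_result, attack_was_blocked, number_of_findings)."""
    install()
    MODE["value"] = mode
    FINDINGS.clear()
    db = sqlite3.connect(":memory:")  # unchanged app call; now returns a guarded connection
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    benign = handle_login(db, "alice")
    try:
        handle_login(db, "' OR '1'='1")
        blocked = False
    except AttackBlocked:
        blocked = True
    return benign, blocked, len(FINDINGS)

if __name__ == "__main__":
    print(demo("block"))    # (1, True, 1)
    print(demo("monitor"))  # (1, False, 1): the attack runs but is reported with its location
```

In block mode the injected login never reaches SQLite; in monitor mode it runs but is recorded with the file, line and function that issued the query, which is the location an IAST agent would report. Limits worth knowing before comparing this with a product: taint is tracked by substring search rather than by propagation, so a short input (a username of "OR") that also occurs inside an identifier produces a false positive; executemany() and executescript() are not wrapped; and a real RASP hooks the driver or JDBC/ADO.NET layer generally rather than one module.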
Note 1: Roots of the Word "Maverick"

Derived from the name of Texas rancher Samuel Maverick and his steadfast refusal to brand his cattle, "maverick" connotes someone who willfully takes an independent and frequently disruptive or unorthodox stand against prevailing modes of thought and action.

Note 2: New Ground Broken

This research breaks new ground. It introduces a new approach to high-assurance application security detection and protection, based on enabling applications to test, diagnose and protect themselves.
Note 3: Sample RASP Implementations

Currently, RASP for Web applications is the most developed type of RASP. We have seen it implemented by vendors such as HP (within its Fortify portfolio), Prevoty and Waratek.

The RASP implementation offered by HP instruments the application server. In other words, it extends the server with additional functionality, namely security detection and protection. For example, it can be implemented as an extension of the Java debugger interface or the .NET CLR profiler, or extend the functionality of the Apache Tomcat or JBoss application servers. Thus, it becomes an integral part of the application runtime environment. RASP monitors the execution of an application, gets control when specified security conditions are met, and takes the respective protection measures. Those conditions could be the execution of instructions that access a database (which might potentially be an SQL injection exploit), an attempt to write an excessive volume of data into the application runtime memory (which can indicate a buffer overflow exploit), and so on. Actions taken could include user session termination, application termination (without bringing down other applications on the server), an alert sent to security personnel, or a warning sent to the user.

A different type of server-side RASP is offered by Waratek. Its RASP technology, Waratek Application Security for Java, is implemented as instrumentation of the JVM (and is for Java applications only). It creates a secure Java Virtual Container inside the JVM that acts like an independent, regular JVM. It provides administrators with a rule-based interface to manage and mitigate specific application security problems. Waratek rules can be configured for any kind of instruction, operation, action or event (not just for networking). It uses JVM taint tracking to validate user input. Waratek rules can be updated live without restarting or shutting down an application.

Prevoty implements its RASP as a filter on the data input into an application. It is programmed as a Java servlet for Java applications or an HTTP module for .NET applications. This filter is installed in the application's directory on the server, and analyzes the entire input into the application. The filter's logic is a programmatic expression of attack detection and remediation techniques, and it does not need any repository of attack signatures or patterns. Protection consists of actions such as sanitization of the content; it does not drop the connections of application users whose sessions have been sanitized. This offering does not require any changes in the application code, or any developer effort. It is installed with prebuilt protection techniques. No customization is required, but each application can have its own configuration.

Another Prevoty offering is based on a software development kit (SDK), which enables programming to the Prevoty RASP tool. SDK calls are recommended at the code locations where the application receives input from outside, where Prevoty RASP will sanitize malicious input. The SDK enables detailed customization of the RASP protection conditions. Currently, both Prevoty offerings protect against persistent and reflected cross-site scripting (XSS) attacks, cross-site request forgery (XSRF) attacks, and input validation exploits. Prevoty also offers protection against SQL injection attacks in its SDK offering, with the Java and .NET filters under development. Prevoty RASP is implemented as code located in the application's server directory, or as a cloud-based product (in which case the application calls RASP from its on-premises location).

Most of the existing RASP implementations are for Web application protection, although we are watching what could become RASP for mobile from such vendors as Arxan, Bluebox Security, Lacoon Mobile Security and Prevoty.
Source: Gartner Research G , Joseph Feiman, 25 September 2014
About HP Security

Today, a global threat marketplace collaborates and innovates to attack our organizations 24/7. It's time to think like a bad guy. HP draws on decades of security experience to take the fight to adversaries before they attack. We can help you predict and disrupt threats, manage risk and compliance, and extend your own security team. The world relies on HP for a smarter approach to enterprise security:

- #1 in identifying security vulnerabilities and threats
- Over 10,000 customers worldwide, including 9 out of 10 of the largest banks, with over $9 trillion in transactions every day
- 8 security operations centers with over 5,000 credentialed security professionals worldwide

Get started

Learn more about HP's approach to security. HP Enterprise Security Services can help you with your security strategy, planning, and implementation. Explore HP security and compliance software and hardware including TippingPoint, ArcSight, and Fortify. Learn more about HP Application Defender.

"Work smarter, not harder, to secure your applications" is published by HP Security. Editorial content supplied by HP Security is independent of Gartner analysis. All Gartner research is used with Gartner's permission, and was originally published as part of Gartner's syndicated research service available to all entitled Gartner clients. Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner's endorsement of HP Security's products and/or strategies. Reproduction or distribution of this publication in any form without Gartner's prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website,
More informationVulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
More informationHP Application Security Center
HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and
More informationPut a Firewall in Your JVM Securing Java Applications!
Put a Firewall in Your JVM Securing Java Applications! Prateep Bandharangshi" Waratek Director of Client Security Solutions" @prateep" Hussein Badakhchani" Deutsche Bank Ag London Vice President" @husseinb"
More informationTHE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE
THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE How application threat intelligence can make existing enterprise security infrastructures smarter THE BLIND SPOT IN THREAT INTELLIGENCE
More informationOrganizations Should Implement Web Application Security Scanning
Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities
More informationIBM Security Strategy
IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration
More informationThe Evolution of Application Monitoring
The Evolution of Application Monitoring Narayan Makaram, CISSP, Director, Solutions Marketing, HP Enterprise Security Business Unit, May 18 th, 2012 Rise of the cyber threat Enterprises and Governments
More informationALERT LOGIC FOR HIPAA COMPLIANCE
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
More informationBusiness white paper. Missioncritical. defense. Creating a coordinated response to application security attacks
Business white paper Missioncritical defense Creating a coordinated response to application security attacks Table of contents 3 Your business is under persistent attack 4 Respond to those attacks seamlessly
More informationWHITE PAPER SPLUNK SOFTWARE AS A SIEM
SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationReal-time hybrid analysis:
Real-time hybrid : Find more, fix faster Technology white paper Brian Chess, Ph.D., Distinguished Technologist, HP Founder and Chief Scientist, HP Fortify Summary Real-time hybrid marks a substantial evolution
More informationChanging the Enterprise Security Landscape
Changing the Enterprise Security Landscape Petr Hněvkovský Presales Consultant, ArcSight EMEA HP Enterprise Security Products 2012 Hewlett-Packard Development Company, L.P. The information contained herein
More informationSecurity Operation Centre 5th generation
Security Operation Centre 5th generation transition Cezary Prokopowicz Regional Manager SEE HP Enterprise Security Products 2 3 4 5 Challenges you are facing 1 Nature and motivation of attacks (Fame to
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationI D C T E C H N O L O G Y S P O T L I G H T. S e r ve r S e c u rity: N o t W h a t It U s e d t o Be!
I D C T E C H N O L O G Y S P O T L I G H T S e r ve r S e c u rity: N o t W h a t It U s e d t o Be! December 2014 Adapted from Worldwide Endpoint Security 2013 2017 Forecast and 2012 Vendor Shares by
More informationOnline Vulnerability Scanner Quick Start Guide
Online Vulnerability Scanner Quick Start Guide Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted.
More informationSecurity Assessment of Waratek AppSecurity for Java. Executive Summary
Security Assessment of Waratek AppSecurity for Java Executive Summary ExecutiveSummary Security Assessment of Waratek AppSecurity for Java! Introduction! Between September and November 2014 BCC Risk Advisory
More informationThe monsters under the bed are real... 2004 World Tour
Web Hacking LIVE! The monsters under the bed are real... 2004 World Tour Agenda Wichita ISSA August 6 th, 2004 The Application Security Dilemma How Bad is it, Really? Overview of Application Architectures
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationAdvanced Threat Protection with Dell SecureWorks Security Services
Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationHow To Protect Your Cloud From Attack
A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to
More informationBreaking down silos of protection: An integrated approach to managing application security
IBM Software Thought Leadership White Paper October 2013 Breaking down silos of protection: An integrated approach to managing application security Protect your enterprise from the growing volume and velocity
More informationBest Practices - Remediation of Application Vulnerabilities
DROISYS APPLICATION SECURITY REMEDIATION Best Practices - Remediation of Application Vulnerabilities by Sanjiv Goyal CEO, Droisys February 2012 Proprietary Notice All rights reserved. Copyright 2012 Droisys
More informationFortify. Securing Your Entire Software Portfolio
Fortify 360 Securing Your Entire Software Portfolio Fortify Fortify s holistic approach to application security truly safeguards our enterprise against today s ever-changing security threats. Craig Schumard,
More informationUnderstanding the Security Vendor Landscape Using the Cyber Defense Matrix
SESSION ID: PDIL-W02F Understanding the Security Vendor Landscape Using the Cyber Defense Matrix Sounil Yu sounil@gmail.com @sounilyu Disclaimers The views, opinions, and positions expressed in this presentation
More informationClosing the Biggest Security Hole in Web Application Delivery
WHITE PAPER DECEMBER 2014 Closing the Biggest Security Hole in Web Application Delivery Addressing Session Hijacking with CA Single Sign-On Enhanced Session Assurance with DeviceDNA Martin Yam CA Security
More informationEnd-to-End Application Security from the Cloud
Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed
More informationThe Value of Automated Penetration Testing White Paper
The Value of Automated Penetration Testing White Paper Overview As an information security and the security manager of the company, I am well aware of the difficulties of enterprises and organizations
More informationEnd-user Security Analytics Strengthens Protection with ArcSight
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
More informationMetrics that Matter Security Risk Analytics
Metrics that Matter Security Risk Analytics Rich Skinner, CISSP Director Security Risk Analytics & Big Data Brinqa rskinner@brinqa.com April 1 st, 2014. Agenda Challenges in Enterprise Security, Risk
More informationSAST, DAST and Vulnerability Assessments, 1+1+1 = 4
SAST, DAST and Vulnerability Assessments, 1+1+1 = 4 Gordon MacKay Digital Defense, Inc. Chris Wysopal Veracode Session ID: Session Classification: ASEC-W25 Intermediate AGENDA Risk Management Challenges
More informationSix Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business
6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web
More informationOctober 10, 2013. Report on Web Applications #13-205
Office o f Auditi n g & Advisory Services The University of Texas Health Scie n ce Ce nter a t Ho us to n October 10, 2013 Report on Web Applications #13-205 We have completed our audit of web application
More informationEnd to End Security do Endpoint ao Datacenter
do Endpoint ao Datacenter Piero DePaoli & Leandro Vicente Security Product Marketing & Systems Engineering 1 Agenda 1 Today s Threat Landscape 2 From Endpoint: Symantec Endpoint Protection 3 To Datacenter:
More informationDevising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper Trend Micro, Incorporated» A detailed account of why Gartner recognizes Trend Micro as a leader in Virtualization and Cloud
More informationTrend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard
Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified
More informationSafeguarding the cloud with IBM Dynamic Cloud Security
Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from
More informationBeyond passwords: Protect the mobile enterprise with smarter security solutions
IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive
More informationWhite Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security
White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationAnti-exploit tools: The next wave of enterprise security
Anti-exploit tools: The next wave of enterprise security Intro From malware and ransomware to increasingly common state-sponsored attacks, organizations across industries are struggling to stay ahead of
More informationDevising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper» Trend Micro s portfolio of solutions meets and exceeds Gartner s recommendations on how to devise a server protection strategy.
More informationTechnology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications
Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security
More informationWorldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares
EXCERPT Worldwide Security and Vulnerability Management 2009 2013 Forecast and 2008 Vendor Shares IN THIS EXCERPT Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015
More informationIBM Security re-defines enterprise endpoint protection against advanced malware
IBM Security re-defines enterprise endpoint protection against advanced malware Break the cyber attack chain to stop advanced persistent threats and targeted attacks Highlights IBM Security Trusteer Apex
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationHP ENTERPRISE SECURITY. Protecting the Instant-On Enterprise
HP ENTERPRISE SECURITY Protecting the Instant-On Enterprise HP SECURITY INTELLIGENCE AND RISK MANAGEMENT PLATFORM Advanced Protection Against Advanced Threats 360 Security Monitoring to Detect Incidents
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationIBM Security. 2013 IBM Corporation. 2013 IBM Corporation
IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationEnterprise-Grade Security from the Cloud
Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security
More informationWHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION
WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the
More informationHow we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)
How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz) Domain.Local DC Client DomainAdmin Attack Operator Advise Protect Detect Respond
More information2015 Vulnerability Statistics Report
2015 Vulnerability Statistics Report Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service
More informationNow Is the Time for Security at the Application Level
Research Publication Date: 1 December 2005 ID Number: G00127407 Now Is the Time for Security at the Application Level Theresa Lanowitz Applications must be available, useful, reliable, scalable and, now
More information5 reasons hackers love your application security strategy. February 2015
5 reasons hackers love your application security strategy February 2015 1 Overview We ve all seen the headlines: pretty much every week there s a new Global 2000 enterprise or government agency in the
More informationWeb Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com
Web Application Security Radovan Gibala Senior Field Systems Engineer F5 Networks r.gibala@f5.com Security s Gaping Hole 64% of the 10 million security incidents tracked targeted port 80. Information Week
More informationA white paper analysis from Orasi Software. Enterprise Security. Attacking the problems of application and mobile security
A white paper analysis from Orasi Software Enterprise Security Attacking the problems of application and mobile security Introduction: Securing the Mobile Enterprise The mobile enterprise has created vast
More informationeguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life
Executive s Guide to Windows Server 2003 End of Life Facts About Windows Server 2003 Introduction On July 14, 2015 Microsoft will end support for Windows Sever 2003 and Windows Server 2003 R2. Like Windows
More informationlocuz.com Professional Services Security Audit Services
locuz.com Professional Services Security Audit Services Today s Security Landscape Today, over 80% of attacks against a company s network come at the Application Layer not the Network or System layer.
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More information2012 North American Managed Security Service Providers Growth Leadership Award
2011 South African Data Centre Green Excellence Award in Technology Innovation Cybernest 2012 2012 North American Managed Security Service Providers Growth Leadership Award 2011 Frost & Sullivan 1 We Accelerate
More informationIBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer
IBM Security QRadar SIEM & Fortinet / FortiAnalyzer Introducing new functionality for IBM QRadar Security Intelligence Platform: integration with Fortinet s firewalls and logs forwarded by FortiAnalyzer.
More informationThe Hillstone and Trend Micro Joint Solution
The Hillstone and Trend Micro Joint Solution Advanced Threat Defense Platform Overview Hillstone and Trend Micro offer a joint solution the Advanced Threat Defense Platform by integrating the industry
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More informationHow to Instrument for Advanced Web Application Penetration Testing
How to Instrument for Advanced Web Application Penetration Testing Table of Contents 1 Foreword... 3 2 Problem... 4 3 Background... 4 3.1 Dynamic Application Security Testing (DAST)... 4 3.2 Static Application
More informationOVERVIEW. Enterprise Security Solutions
Enterprise Security Solutions OVERVIEW For more than 25 years, Trend Micro has innovated constantly to keep our customers ahead of an everevolving IT threat landscape. It s how we got to be the world s
More informationDEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
More informationSecure in 2010? Broken in 2011!
Secure in 2010? Broken in 2011! Matias Madou Principal Security Researcher Abstract In 2010, a security research firm stumbled on a couple of vulnerabilities in Apache OFBiz, a widely used open source
More informationCloud and Data Center Security
solution brief Trend Micro Cloud and Data Center Security Secure virtual, cloud, physical, and hybrid environments easily and effectively introduction As you take advantage of the operational and economic
More informationSIEM and IAM Technology Integration
SIEM and IAM Technology Integration Gartner RAS Core Research Note G00161012, Mark Nicolett, Earl Perkins, 1 September 2009, RA3 09302010 Integration of identity and access management (IAM) and security
More informationFighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
More informationFrom Secure Virtualization to Secure Private Clouds
From Secure Virtualization to Secure Private Clouds Gartner RAS Core Research Note G00208057, Neil MacDonald, Thomas J. Bittman, 13 October 2010, RV2A108222011 As enterprises move beyond virtualizing their
More informationHow McAfee Endpoint Security Intelligently Collaborates to Protect and Perform
How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform McAfee Endpoint Security 10 provides customers with an intelligent, collaborative framework, enabling endpoint defenses to
More informationDeveloping Secure Software in the Age of Advanced Persistent Threats
Developing Secure Software in the Age of Advanced Persistent Threats ERIC BAIZE EMC Corporation DAVE MARTIN EMC Corporation Session ID: ASEC-201 Session Classification: Intermediate Our Job: Keep our Employer
More informationBleacher Report boosts its security game plan with self-protecting applications. Enterprise Application Security Case Study April 2015
Bleacher Report boosts its security game plan with self-protecting applications Enterprise Application Security Case Study April 2015 Bleacher Report s Challenges 1 2 3 Foster a safe, trusted community
More informationInformation Technology Policy
Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review
More informationObserveIT User Activity Monitoring
KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger April 2015 ObserveIT provides a comprehensive solution for monitoring user activity across the enterprise. The product operates primarily based on
More information