HP Fortify application security

Transcription

1 HP Fortify application security Erik Costlow Enterprise Security

2 The problem

3 Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router security Firewalls Customer NIPS/NIDS Data VPN Net-Forensics Anti-Virus/Anti-Spam Business DLP Processes Host FW Host IPS/IDS Trade Vuln. Assessment Secrets tools 3

4 Application security challenges In-house development Securing legacy applications Demonstrating compliance Procuring secure software Certifying new releases Outsourced Commercial Open source 4

5 Fixing things late is frustrating 30x more costly to secure in production 30X Cost 10X 15X 5X 2X Requirements Coding Integration/ component testing System testing Production After an application is released into production, it costs 30x more than during design. Source: NIST 5

6 The solution

7 The right approach > systematic, proactive Embed security into SDLC development process 1 In-house Outsourced Commercial Open source Leverage Security Gate to validate resiliency of internal or external code before Production 2 3 Improve SDLC policies Monitor and protect software running in Production This is application security 7

8 HP Fortify Software Security Center Identifies and eliminates risk in existing applications and prevents the introduction of risk during application development, in-house or from vendors. Protects business critical applications from advanced cyber attacks by removing security vulnerabilities from software IN-HOUSE COMMERCIAL OUTSOURCED OPEN SOURCE Accelerates time-to-value for achieving secure applications Increases development productivity by enabling security to be built into software, rather than added on after it is deployed Delivers risk intelligence from application development to improve operational security 8

9 Minimizing risk, driving business agility Application security benefits Reduce risk with minimal effort and operational costs Deliver measurable business and strategic value Meet government and industry compliance regulations Build a security culture throughout your organization 9

10 Competitive differentiators We enable companies to build a holistic application security program from the ground up to secure all their software from development to production regardless of who and where it is developed, and whatever device, form factor or environment it is running on. Breadth: the most complete software security solution with static, dynamic and hybrid testing, along with collaborative remediation and proactive SDLC governance. Depth: 492 unique vulnerability categories discovered across 21 programming languages and over 750,000 individual platform and framework APIs. Services: expert guidance to custom-tailor and integrate software security into your unique development, testing and production environments 10

11 Summary: HP Fortify Software Security Center Comprehensive application security solutions That proactively identifies and eliminates the immediate risk in legacy applications, as well as the introduction of systemic risk during application development To ensure that all software is trustworthy and in compliance with internal and external security mandates Scaling to protect all your business-critical desktop, mobile and cloud applications Available on-premise or on-demand, and with managed services 11

12 Evaluating security

13 Review: Fixing things late is frustrating 30X Cost 10X 15X 5X 2X Requirements Coding Integration/ component testing System testing Production 13

14 Manage everything together: production, testing, coding, manual Coding Testing Production Actual attacks Source code Mgt system Static analysis via build integration Dynamic testing in QA or production Real-time protection of running application Hackers Software Security Center 14 Remediation IDE Plug-ins (Eclipse, Visual Studio, etc.) Developers (onshore or offshore) Correlatw target vulnerabilities with common guidance and scoring Normalization (Scoring, guidance) Vulnerability database Correlation (Static, dynamic, runtime) Threat intelligence Rules management Defects, metrics and kpis used to measure risk Application Lifecycle Development, project and management stakeholders

15 Manual penetration testers Some are good, but often unpredictable quality. Cannot scale Good at finding logic flaws: Must know business domain (e.g. cannot trade stocks on Saturday) Even after they re done, how do you: A. Remediate identified issues B. Verify proper remediation Let s work ground-up: Find vulnerabilities Fix vulnerabilities 15

16 Scan wizard easy, repeatable scans During development Simplifies onboarding Training Predictable process Compare results over time 16

17 SCA Find results in code Developers understand their own code Show vulnerabilities in developer s language. Details what is this? Recommendations how do i fix? Auditable annotate the risk. 17

18 Fortify RTA Would this attack have worked? If so, stop it and guide remediation. Constant monitoring. API-level. Ignore probing attacks (not vulnerable) Normal behavior Probing attack attempt Dedicate resources to fix active exploits. Application Actual Attack 18

19 Bring it all together: Software Security Center Fortify SCA WebInspect Fortify RTA Actual attacks Source code Mgt system Static analysis via build integration Dynamic testing in QA or production Real-time protection of running application Hackers Software Security Center 19 Remediation IDE Plug-ins (Eclipse, Visual Studio, etc.) Developers (onshore or offshore) Correlatw target vulnerabilities with common guidance and scoring Normalization (Scoring, guidance) Vulnerability database Correlation (Static, dynamic, runtime) Threat intelligence Rules management Defects, metrics and kpis used to measure risk Application Lifecycle Development, project and management stakeholders

20 Educational, self-service Customizable quick-start Security fits: agile or waterfall 20

21 Track security results Development teams submit results into Software Security Center: HP Fortify SCA HP WebInspect 3 rd Party Analyzers Are we getting better or worse? 21

22 Thank you