Fortify. Securing Your Entire Software Portfolio


Fortify 360
Securing Your Entire Software Portfolio

"Fortify's holistic approach to application security truly safeguards our enterprise against today's ever-changing security threats." Craig Schumard, CISO, CIGNA

Software Security Assurance (SSA)

Removing the Risk Within Software

Our mission is to help our customers ensure that their entire software portfolio, whether it's built in house, outsourced, purchased from vendors or acquired from the open source community, is secure.

Attacks on software by hackers, criminals and insiders can result in business interruption, brand damage, tremendous financial loss and harm to innocent people. The targets of these attacks are hidden vulnerabilities within software applications. The result of years of security-blind programming practices, these vulnerabilities have accumulated within software, waiting to be exploited. To make matters worse, new vulnerabilities continue to be introduced into organizations from their own internal software development groups as well as through procurements from vendors, outsourcing firms and open-source projects.

Alarmed by the potential for widespread social and commercial damage, government and industry regulatory bodies have been strengthening mandates in the area of application security. Many organizations are now required to address the risk posed by their applications and to demonstrate compliance.

Software Security Assurance, or SSA, is a systematic approach for eliminating the security risk in software and complying with relevant government and industry mandates. Where Software Quality Assurance ensures that software will function and perform as required, SSA ensures that software cannot be used in a way that might cause harm to the organization. SSA addresses the immediate challenge of removing vulnerabilities from deployed applications as well as the ongoing systemic challenge of producing and procuring secure software.

With its market-leading combination of products and services, Fortify has helped more than 500 organizations throughout the world achieve measurable reductions of risk with an effective SSA program. Fortify provides Fortify 360, the leading suite of products for SSA. Fortify's Global Services organization provides SSA implementation guidance and expertise, and Fortify's Security Research Group ensures that customers' SSA capabilities are sufficient to meet the ever-evolving threat landscape.

"The single biggest step for businesses to reduce risk today is to force major improvements in poorly designed and insecure software and applications." John Pescatore, Senior Analyst, Gartner

Fortify 360
The Market-Leading Suite of Solutions to Contain, Remove and Prevent Vulnerabilities in Software

Fortify 360 provides the critical analytic, remediation and management capabilities necessary for a successful, enterprise-class SSA program.

Identification: Comprehensive root-cause identification of more than 400 categories of security vulnerabilities in 17 development languages.
Remediation: Brings Security, Development and Management together to remediate existing software vulnerabilities.
Governance: Monitors organization-wide SSA program performance and prevents the introduction of new vulnerabilities from internal development, outsourcers and vendors by automating Secure Development Lifecycle processes.
Application Defense: Quickly contains existing vulnerabilities so they can't be exploited.
Compliance: Easily demonstrates compliance with government and industry mandates as well as internal policies.

[Figure: stakeholder roles shown around Fortify 360: Auditor, CISO, Developer, Risk Officer]

3 WWW.FORTIFY.COM

Vulnerability Detection and Remediation

Maximum Reduction of Risk at the Source

Fortify 360 identifies the root cause of software security vulnerabilities in both source code and running applications, detecting more than 400 types of vulnerabilities across 17 development languages and 600,000 component-level APIs. Vulnerabilities can be collected during the development or quality assurance phase of a project, or even after an application has been put into production, minimizing the risk that a serious problem goes undetected. To ensure that the most serious issues are addressed first, Fortify 360 correlates and prioritizes results from its analyzers to deliver an accurate, risk-ranked list of issues.

Harmonize Expertise and Remediate More Code

Fortify 360 offers a complete set of collaborative capabilities for quickly triaging and fixing vulnerabilities identified by its three analyzers. Application security professionals, developers and their managers can work together in the way that best suits them using role-specific interfaces. Designed specifically for the application security professional, Fortify 360 Audit Workbench provides the means to analyze individual vulnerabilities, assign them out for remediation and track activities to completion. Fortify 360's web-based Collaboration Module provides a shared workspace and repository for application security professionals, developers and managers to work together on code reviews and remediation activities. Developers can address issues in their preferred development environment while collaborating with the security team using plug-ins for Eclipse and Microsoft Visual Studio. With Fortify 360, developers learn about secure coding practices while they are fixing vulnerabilities. For every vulnerability, Fortify 360 delivers reference information to the developer describing the problem and ways to fix it in the developer's specific programming language.

[Figure: Fortify 360 Presents Integrated Results from Static and Dynamic Analyzers]

For identifying vulnerabilities in both source code and running applications, Fortify 360 offers the following static and dynamic analyzers:

Analyzer: Source Code Analyzer (SCA)
Type: Static Analysis
Description: The SCA component of Fortify 360 examines an application's source code for potentially exploitable vulnerabilities.
Usage: Used during the Development phase to identify vulnerabilities early in the development cycle, when they are less costly to address.

Analyzer: Program Trace Analyzer (PTA)
Type: Dynamic Analysis
Description: PTA identifies vulnerabilities that can be found only when an application is running, and verifies and further prioritizes results found using SCA.
Usage: Used during the Quality Assurance phase to discover vulnerabilities as part of the normal test process.

Analyzer: Real-Time Analyzer (RTA)
Type: Dynamic Analysis
Description: RTA monitors deployed applications, identifying how the application is getting attacked, by whom and when. It delivers detailed inside-the-application information that identifies which vulnerabilities are being exploited.
Usage: Used while the application is in production to reveal new exploitable vulnerabilities or ones that may have been missed during development.

Fortify 360 SSA Governance

[Figure: Fortify 360 SSA Governance Module provides visibility and control of organization-wide SSA programs]

SSA Governance: Managing the Business of Software Security Assurance

Organization-wide SSA programs present many challenges for the security team. As the number of SSA projects increases, the security team may experience difficulty in meeting the demands put on it by development teams, auditors and management. Creation and implementation of repeatable processes such as a Secure Development Lifecycle (SDL) is an essential first step in getting control of the situation. Yet, without effective automation, delivery and tracking of the security activities defined in an SDL, organizations may still find the situation to be unmanageable.

For staying on track with multi-project SSA programs, there is the Fortify 360 SSA Governance Module. It provides a single system of record with views into the assets, activities and results related to the organization's entire SSA effort. For individual projects, the SSA Governance Module provides a convenient web portal where risk-mitigation activities and artifacts can be logged and communicated.

For every project in the organization, the Fortify 360 SSA Governance Module automatically assigns the correct activities based on the project's specific risk profile. The application security team can then track project effort and receive alerts based upon completed or missed milestones. With these capabilities in place, the security team can begin to move towards a management-by-exception approach to SSA, freeing up valuable time to support other activities. Advanced reporting and viewing capabilities provide the means to quickly consolidate results across all projects, deliver executive-quality reports and identify areas for improvement.

For organizations seeking a fast-start Secure Development Lifecycle, SDL templates and artifacts based on Fortify best practices are provided. These templates provide an effective SDL that can be implemented out of the box, eliminating the research and expertise otherwise required to develop an SDL.

Insecure Applications Harm Businesses
80% of companies report a loss of customers due to data breaches.
Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime.

Threat Intelligence

Stay Ahead of the Ever-Changing Threat

Cyber-criminals continue to seek out new ways to exploit software. Fortify ensures that a customer's investment is capable of meeting these new threats by providing a variety of regular updates to Fortify 360. These updates are delivered through Fortify's Security Research Group. This internal team of security experts is dedicated to leveraging cutting-edge research into the latest hacking techniques and vulnerability trends to build security knowledge into Fortify 360. They represent the security frontline at Fortify Software, and their research into how real-world systems fail allows them to identify the most effective solutions to address the threats that Fortify customers face.

The Security Research Group releases quarterly updates to the Fortify Secure Coding Rulepacks, which drive the Fortify 360 Analyzers. These updates embody the latest trends in software security and programming techniques and keep Fortify customers ahead of hackers, organized crime, rogue governments and other adversaries. In total, the Security Research Group has identified over 400 vulnerability categories across 17 programming languages and has scanned more than 600,000 Application Programming Interfaces (APIs). Recent research by the Fortify Security Research Group has resulted in the discovery of two entirely new categories of vulnerabilities (JavaScript Hijacking and Cross-Build Injection) as well as groundbreaking work in the area of Service Oriented Architecture and system backdoor detection.

Application Defense

Active Defense for Java and .NET Applications

The Fortify 360 Application Defense Module protects high-risk Java and .NET applications from attacks. The Application Defense Module's inside-the-application approach to application defense accurately shields an application from attacks with no tuning required. Users can see which specific vulnerabilities hackers are attempting to exploit and create customized responses to attacks. Critical insight into the type and frequency of all attacks against an application is also provided. Data generated from this component can be delivered to Fortify 360 for developing a more complete view of application security.

A 100K record data breach could cost between $10 and $30 million. Forrester

Compliance

"The security infrastructure we have implemented at Financial Engines is extremely important to our business since protecting our customers' sensitive financial data is mission critical. Fortify 360 allows us to integrate source code analysis, dynamic testing and real-time monitoring in a single comprehensive package that plays a key part in our overall approach to application security." Gary Hallee, EVP Technology, Financial Engines

Attacks Are on the Rise
Cybercrime was up 53% in 2008.
The number of malicious programs circulating on the Internet tripled in 2008.

Exceed Application Security Compliance Mandates

Fortify 360 enables companies to pass key compliance mandates, such as PCI, FISMA, HIPAA, SOX, NERC and many others.

Pass PCI Compliance
Fortify 360 comes fully configured for meeting the demands associated with the application security portions of PCI compliance projects (sections 3, 6, and 11). All vulnerabilities can be ranked according to their PCI relevance. The Fortify 360 Application Defense Module provides a precision defensive option for supporting the web-application firewall (WAF) provision. The Fortify 360 SSA Governance Module provides an out-of-the-box PCI Compliance process complete with auditor-quality PCI reports.

Pass FISMA Compliance
Government entities must meet tight restrictions for application security. Fortify 360 identifies application security issues and guides the user through the process of fixing issues and reporting on progress.

SOX, NERC, HIPAA and Others
Fortify 360 has helped numerous organizations pass compliance mandates across a range of industries, including retail, healthcare, energy, finance, government and more.

In February 2009, Gartner positioned Fortify in the Leaders Quadrant in the Magic Quadrant for Static Application Security Testing (SAST). The report is available at http://www.fortify.com/magicquadrant.

About Fortify

Fortify's Software Security Assurance solutions protect companies and organizations from today's greatest security risk: the software that runs their businesses. Fortify reduces the threat of catastrophic financial loss and damage to reputation, as well as ensuring timely compliance with government and industry mandates. Fortify's customers include government agencies and Global 2000 leaders in financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information technology. For more information, please visit us at www.fortify.com.

Fortify Software Inc.
2215 Bridgepointe Pkwy., Suite 400
San Mateo, California 94404
Tel: (650) 358-5600
Fax: (650) 358-4600
Email: contact@fortify.com
More information is available at www.fortify.com