Is your software secure? HP Fortify Application Security
7th Secure 2013 Conference, Warsaw - October 9, 2013
Gunner Winkenwerder, Sales Manager Fortify CEE, Russia & CIS, HP Enterprise Security
+49 (172) 443 7795, Skype: GCHW-HPESP, gunnner.winkenwerder@hp.com
Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Cyber crime is increasing: threats and risks are expanding in frequency, intensity and sophistication.
Why Software Is Attacked - the root cause of security problems
Gartner: 82% of breaches are due to security flaws in software
NIST: 92% of vulnerabilities are in software
RSA 2013: 86% of successful breaches happen on the application layer
Cenzic: 99% of web applications are vulnerable to attack
Yet 90% of security spending is on perimeter protection.
OBJECTIVE (defender): Protect everything - hardware, software & data, intellectual property, network, customer data, business processes, trade secrets.
OBJECTIVE (attacker): Exploit one vulnerability.
The Growing Cost of Cyber Crime!
Cyber threats and risks are expanding in: frequency, intensity, sophistication, cost.
Despite widespread awareness of the impact of cyber crime, cyber attacks continue to occur more frequently and result in serious financial consequences. The HP Ponemon 2012 Cost of Cyber Crime Study revealed that cyber attacks have more than doubled and the financial impact has increased by nearly 40 percent in a three year period. At HP, we believe a better understanding of the cost of cyber crime can assist organizations in taking proactive measures to identify, combat and mitigate the potentially devastating consequences of an attack.
When should we address software security? As early as possible!
Basic components of a mature SSA program
Fortify Application Security Assessments - Delivery Options
On Demand: HP Fortify on Demand
On Premise: HP Fortify SSC
Continuous Security Research (SRG, DV Labs etc.)
The Fortify/ESP Secure Coding Rulepacks are updated on a quarterly basis to identify the latest categories of software vulnerabilities.
Growth in vulnerability categories 2005-2013: 563 categories to date. 21 supported programming languages (SCA, Binary & FoD), plus more than 720,000 supported APIs/frameworks.
Example categories: Command Injection, Privacy Violation, Session Fixation, SQL Injection, System Information Leak, Unhandled Exception, LDAP Injection, Cross-Build Injection, Cross-Site Request Forgery, Cross-Site Scripting, HTTP Response Splitting, JavaScript Hijacking. For a complete list go to: www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html
Supported languages: ABAP*, ActionScript, ASP.NET, Java, C, C++, C#, COBOL*, ColdFusion*, T-SQL, PL/SQL, JavaScript/AJAX, XML/HTML, Classic ASP, JSP, PHP, Python*, VB.NET, VBScript, VB6, Objective-C (iOS)
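The categories above are what the rulepacks look for in source code. As an added example that is not part of this deck or HP Fortify's own code, here is the SQL Injection pattern in Python: a user-controlled value concatenated into a query (the tainted dataflow from an input source to a database sink that a static analyzer reports) beside the parameterized form that removes it. The table, the inputs and the function names are constructed for the illustration; the database is an in-memory sqlite3 instance so nothing touches disk.

```python
"""Added illustration of the "SQL Injection" vulnerability category
(example code, not HP Fortify's). Shows the source-to-sink dataflow that a
SAST rule flags, beside the parameterized query that is safe.
All data below is constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table of users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: `name` (the taint source, e.g. an HTTP parameter) is
    concatenated into the statement text, so the input can change the SQL
    structure. This is the dataflow a SQL Injection rule reports."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()  # sink reached by tainted data


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: the statement text is fixed; the value travels as a bound
    parameter and can never be parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both variants on a benign and on a constructed hostile input."""
    conn = build_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed input the taint rules assume may arrive
    return {
        "benign_vulnerable": find_user_vulnerable(conn, benign),
        "benign_safe": find_user_safe(conn, benign),
        "hostile_vulnerable": find_user_vulnerable(conn, hostile),
        "hostile_safe": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Both functions behave identically on the benign lookup; the difference only shows on the hostile input, where the concatenated query returns every row while the parameterized one returns none. That is why a dataflow rule flags the concatenation itself rather than waiting for a bad input to appear in testing.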
HP Fortify Source Code Analyzer (SCA) - Architectural Overview
Best-Practice Implementation (Example)
Components: Development Teams, Source Code Repository(s), Central Build Server(s) with Build Tool and Fortify SCA, Fortify SSC Server (Security Monitor), Bug Tracker, Audit Work Bench (AWB).
Roles: Developer, Development Manager, Project Security Lead, Security Tester, CISO.
Cycle:
1. Identify - Fortify SCA scans the code on the central build server(s) and reports to Fortify SSC.
2. Audit - the Project Security Lead reviews the results in AWB.
3. Assign - issues go to the Development Manager via the Bug Tracker.
4. Fix - the Developer corrects the code in the Source Code Repository.
5. Validate for Release - the Security Tester verifies the fix in AWB.
Repeat. The CISO monitors the program through Fortify SSC.
Innovation Driven by Major Customer Deployments: Banking & Finance, Infrastructure, Public & Government, Healthcare, E-commerce & Retail, Telco & Energy, Other
Gartner Magic Quadrant 2013: HP Fortify is a Leader in Application Security Testing
"HP offers comprehensive SAST capabilities with Fortify's strong brand name and breadth of languages tested. The company has innovative IAST capability with Fortify SecurityScope, which integrates with its WebInspect DAST. There is strong integration within HP's security portfolio, such as integration of AST knowledge into ArcSight and DAST knowledge into TippingPoint's IPS for WAF-like protection. HP uniquely offers runtime application self-protection (RASP) technology (see "Runtime Application Self-Protection: A Must-Have, Emerging Security Technology")."
Sneak Preview: Look & Feel of HP Fortify SCA - Audit Work Bench (AWB) and Integrated Development Environment (IDE)
The Scanning Process: waiting until the scan is completely finished.
Auditing (AWB and IDE) - Overview: functions and rule-writing wizard (only in AWB), filtering, prioritization, categorization, overview, issue groups
Auditing (AWB and IDE) - Trace the issue: source code analysis, trace diagram
Auditing (AWB and IDE) - Result: store the analysis, see other comments and make comments yourself, file a bug
Auditing (AWB and IDE) - Training on the job: detailed description of the issue
Auditing (AWB and IDE) - Training on the job: detailed recommendation to fix the issue
HP Fortify Software Security Center - WebInspect (GUI)
Live scan visualization: start remediation of vulnerabilities immediately.
Screen areas: Live Scan Dashboard, Site tree, Live Scan Statistics, Excluded and Allowed Hosts section, Vulnerabilities found in application, Detailed Attack Table
Fortify my Application
HP Fortify on Demand (FoD) assessment services is offering a limited free trial where customers can get an example of their own Java code assessed free of charge. The free FoD is hosted in California but is accessible from anywhere. The limitations on the free version are:
- Up to 5 assessments per month
- Java and .NET only
- Up to 75 MB per assessment
- Cross-Site Scripting (up to 10 vulnerabilities)
Access: https://www.fortifymyapp.com - in the menu on the right there is a link to TRY NOW.
Thank you
Gunner Winkenwerder, Sales Manager Fortify CEE, Russia & CIS, HP Enterprise Security
+49 (172) 443 7795, Skype: GCHW-HPESP, gunnner.winkenwerder@hp.com