Production Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com

Similar documents
From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Enterprise-Grade Security from the Cloud

The New PCI Requirement: Application Firewall vs. Code Review

HP Application Security Center

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

IT Security & Compliance. On Time. On Budget. On Demand.

From the Bottom to the Top: The Evolution of Application Monitoring

White Paper The Dynamic Nature of Virtualization Security

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

Breaking down silos of protection: An integrated approach to managing application security

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Reducing Application Vulnerabilities by Security Engineering

End-to-End Application Security from the Cloud

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

How to Secure Your SharePoint Deployment

PCI-DSS Penetration Testing

A Network Administrator s Guide to Web App Security

Bringing Continuous Security to the Global Enterprise

NE T GENERATION CLOUD SECURITY PLATFORM

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

Database Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Leveraging OWASP to Reduce Web App Data Breach Risk

Continuous Network Monitoring

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

White Paper. Managing Risk to Sensitive Data with SecureSphere

10 Things Every Web Application Firewall Should Provide Share this ebook

Cutting the Cost of Application Security

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Current IBAT Endorsed Services

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Vulnerability Management

ensuring security the way how we do it

Risk-based solutions for managing application security

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

Web Applications The Hacker s New Target

Adobe Systems Incorporated

Devising a Server Protection Strategy with Trend Micro

WHITEPAPER. Nessus Exploit Integration

CyberSecurity Innovation Assessing your Organizations Vulnerability to a Cyber breach

Devising a Server Protection Strategy with Trend Micro

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

Cenzic Product Guide. Cloud, Mobile and Web Application Security

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

Making Database Security an IT Security Priority

BeyondInsight Version 5.6 New and Updated Features

How To Perform An External Security Vulnerability Assessment Of An External Computer System

External Supplier Control Requirements

Runtime Application Self Protection (RASP) Making Applications Self Protecting, Self Diagnosing and Self Testing

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

WebGoat for testing your Application Security tools

How Web Application Security Can Prevent Malicious Attacks

Global Web Application Firewall Market

IBM QRadar Security Intelligence April 2013

The Top Web Application Attacks: Are you vulnerable?

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Applications and data are the main targets for modern attacks. Adoption of dedicated application and data security concepts, technologies and

Extreme Networks Security Analytics G2 Vulnerability Manager

IBM Rational AppScan: Application security and risk management

A Decision Maker s Guide to Securing an IT Infrastructure

Take Control of Your Company s Expenses

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Securing SharePoint 101. Rob Rachwald Imperva

2012 North American Managed Security Service Providers Growth Leadership Award

Intelligent Security Design, Development and Acquisition

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Unicenter Asset Intelligence r11

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

Preemptive security solutions for healthcare

New IBM Security Scanning Software Protects Businesses From Hackers

APPLICATION SECURITY: ONE SIZE DOESN T FIT ALL

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

5 Lines of Defense You Need to Secure Your SharePoint Environment SharePoint Security Resource Kit

Overview of F5 Networks. Fatih Bilger Senior Systems Engineer, Prolink.

Application and Database Security with F5 BIG-IP ASM and IBM InfoSphere Guardium

05.0 Application Development

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Be Fast, but be Secure a New Approach to Application Security July 23, 2015

Akamai Security Products

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Modular Network Security. Tyler Carter, McAfee Network Security

How To Protect A Web Application From Attack From A Trusted Environment

Transcription:

Production Security and the SDLC Mark Kraynak Sr. Dir. Strategic Marketing Imperva mark@imperva.com

Building Security Into the Development Process Production Test existing deployed apps Eliminate security exposure in live applications Define/Design Continuous security education of architects, developers etc. on Web Application Security Development Test apps for security issues in Development identifying issues at their earliest point Realize optimum security testing efficiencies (cost reduction) Deploy Test apps before going to production Deploy secure web applications Test Test apps for security issues in QA organization along with performance and functional testing Reduce costs of security testing 2 *Graphics from OWASP.com, Text Bubbles from IBM/Watchfire

Fixing Production Vulnerabilities is Costly Cost Increases Over Life Cycle Cost and Time to Fix Vulnerability Many Vulnerabilities Only Found in Production Environment + Complexity of entire infrastructure + Identified by new attacks and probes Cost = Fix and Test + Risk + Cost diverting development & QA staff + Risk of attack before fix in production + Risk of rush fix without full testing Design Development QA Production 3 *Chart also from IBM (but much older)

and Difficult 92% of Web applications have vulnerabilities + Cross Site Scripting (XSS) 80% + SQL Injection 62% + Parameter Tampering 60% 93% of vulnerable sites - still vulnerable after code fixes Do not take my word for it + Check other sources + Ask your security operations team 4 *Stats from Imperva ADC Research

Why Can t We Get This Right? Ideal Custom code is immediately fixed by programmers and application is redeployed Reality Resource allocation + New Projects & Staff Turnover Coding & Deployment time span Cost Patches for 3 rd party components are immediately installed Patch (non) availability Deployment time span Stability AS 5

Address Risks through External Mitigation Assess Scan application for vulnerabilities Describe remediation steps for app developers Export vulnerability results for proactive protection Measure Built in & custom reports Roll-up & drill down of data Security event analysis PRODUCTION APPLICATION SECURITY LIFECYCLE Set Policies/Controls Dynamically learn app structure Apply granular controls based on discovered vulnerabilities Recognize application changes Implement code fixes on developers schedule Monitor and Enforce Alert and block in real-time Ensure end user accountability Capture full details Provide security at all layers 6

Example 1 Integrating WAF and Scanning

Web Security Lifecycle Step 1: Initial Deployment Unknown security state Web Scanner 8

Web Security Lifecycle Step 2: Assessment Applications scanned Vulnerabilities found Scanner notifies WAF Web Scanner 9

Web Security Lifecycle Step 3: Remediation Virtual patches applied Fix planned and scheduled Web Scanner 10

Web Security Lifecycle Step 4: Application Fixed Fixed code deployed Web Scanner 11

Web Security Lifecycle Step 5: Application Change New or modified pages WAF detects changes Scanner notified Web Scanner 12

Web Security Lifecycle Step 6: Re-Scan Scan only new sections New vulnerability found Scanner notifies WAF Web Scanner 13

Web Security Lifecycle Step 7: Remediation Virtual patches applied Fix planned and scheduled Web Scanner 14

Web Security Lifecycle Step 8: Coffee Time Everyone Happy Web Scanner 15

Example 2: Web Activity Monitoring Feeding SDLC

WAM Step 1: User Input Potential Malicious Behavior WAF security triggered Web Developer 17

Web Security Lifecycle Step 2: Response Application responds to input WAF listens for response Web Developer 18

Web Security Lifecycle Step 3: Response Capture Response sent to user Response sent to developer Web Developer 19

Web Security Lifecycle Step 4: Application Fixed Fixed code deployed Web Developer 20

The Market Leader in Application Data Security Only complete solution for visibility and control over business data Consistent industry recognition of technical superiority Veteran leadership with deep industry expertise Approximately 200 employees Only research team dedicated to application data security More application data security deployments than any other vendor Over 600 direct customers 54 Fortune 1000 86 Global 2000 Over 4500 protected organizations Consistent growth fueled by: Surge in data breaches Regulatory compliance requirements Tightening Data Security legislation 21

Imperva Product Line Database Monitor Agent Management Server (MX) ADC Insights Database Database Security Gateway Web Application Firewall Web Internet Database Monitoring Gateway 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information