HP Fortify application security


HP Fortify application security. Erik Costlow, Enterprise Security

The problem

Cyber attackers are targeting applications
Diagram: attacks pass through the network and hardware layers to reach applications, and behind the applications sits what the attacker is after: intellectual property, customer data, business processes and trade secrets. The existing security measures shown (switch/router security, firewalls, NIPS/NIDS, VPN, network forensics, anti-virus/anti-spam, DLP, host firewall, host IPS/IDS, vulnerability assessment tools) are concentrated at the network and host layers.

Application security challenges
In-house development, securing legacy applications, demonstrating compliance, procuring secure software, certifying new releases. Software comes from four sources: in-house, outsourced, commercial and open source.

Fixing things late is frustrating: 30x more costly to secure in production
Chart: relative cost to fix across the phases Requirements, Coding, Integration/component testing, System testing and Production, with multipliers of 2X, 5X, 10X, 15X and 30X. After an application is released into production, it costs 30x more than during design. Source: NIST

The solution

The right approach: systematic, proactive
1. Embed security into the SDLC development process, for in-house, outsourced, commercial and open source software.
2. Leverage a Security Gate to validate the resiliency of internal or external code before production.
3. Improve SDLC policies; monitor and protect software running in production.
This is application security.

HP Fortify Software Security Center
Identifies and eliminates risk in existing applications and prevents the introduction of risk during application development, in-house or from vendors (in-house, commercial, outsourced, open source).
Protects business critical applications from advanced cyber attacks by removing security vulnerabilities from software.
Accelerates time-to-value for achieving secure applications.
Increases development productivity by enabling security to be built into software, rather than added on after it is deployed.
Delivers risk intelligence from application development to improve operational security.

Minimizing risk, driving business agility: application security benefits
Reduce risk with minimal effort and operational costs. Deliver measurable business and strategic value. Meet government and industry compliance regulations. Build a security culture throughout your organization.

Competitive differentiators
We enable companies to build a holistic application security program from the ground up to secure all their software from development to production, regardless of who develops it and where, and whatever device, form factor or environment it runs on.
Breadth: the most complete software security solution, with static, dynamic and hybrid testing, along with collaborative remediation and proactive SDLC governance.
Depth: 492 unique vulnerability categories discovered across 21 programming languages and over 750,000 individual platform and framework APIs.
Services: expert guidance to custom-tailor and integrate software security into your unique development, testing and production environments.

Summary: HP Fortify Software Security Center. Comprehensive application security solutions
1. That proactively identify and eliminate the immediate risk in legacy applications, as well as the introduction of systemic risk during application development
2. To ensure that all software is trustworthy and in compliance with internal and external security mandates
3. Scaling to protect all your business-critical desktop, mobile and cloud applications
4. Available on-premise or on-demand, and with managed services

Evaluating security

Review: Fixing things late is frustrating
Chart (repeated from earlier): relative cost to fix across Requirements, Coding, Integration/component testing, System testing and Production, rising to 30X in production.

Manage everything together: production, testing, coding, manual
Diagram: three sources of findings feed the Software Security Center. Coding: the source code management system, with static analysis via build integration. Testing: dynamic testing in QA or production. Production: real-time protection of the running application against actual attacks by hackers.
Inside the Software Security Center: a vulnerability database; correlation of static, dynamic and runtime results; normalization (scoring, guidance); threat intelligence and rules management. Target vulnerabilities are correlated with common guidance and scoring.
Outputs: remediation goes to developers (onshore or offshore) through IDE plug-ins (Eclipse, Visual Studio, etc.); defects, metrics and KPIs used to measure risk go to application lifecycle, development, project and management stakeholders.

Manual penetration testers
Some are good, but quality is often unpredictable, and they cannot scale. They are good at finding logic flaws, which requires knowing the business domain (e.g. you cannot trade stocks on Saturday). Even after they're done, how do you: A. remediate identified issues, B. verify proper remediation?
Let's work ground-up: find vulnerabilities, then fix vulnerabilities.

Scan wizard: easy, repeatable scans during development
Simplifies onboarding and training; a predictable process; compare results over time.

SCA: find results in code
Developers understand their own code, so vulnerabilities are shown in the developer's language. Details: what is this? Recommendations: how do I fix it? Auditable: annotate the risk.

Fortify RTA: would this attack have worked? If so, stop it and guide remediation.
Constant monitoring at the API level. Probing attacks that the application is not vulnerable to are ignored, so resources go to fixing active exploits.
Diagram: normal behavior, a probing attack attempt, and an actual attack reaching the application.

Bring it all together: Software Security Center
Diagram: the same architecture as before, with the products named. Fortify SCA provides static analysis via build integration from the source code management system; WebInspect provides dynamic testing in QA or production; Fortify RTA provides real-time protection of the running application against actual attacks by hackers. The Software Security Center correlates static, dynamic and runtime results against its vulnerability database, normalizes them (scoring, guidance), applies threat intelligence and rules management, and correlates target vulnerabilities with common guidance and scoring. Remediation reaches developers (onshore or offshore) through IDE plug-ins (Eclipse, Visual Studio, etc.); defects, metrics and KPIs used to measure risk reach application lifecycle, development, project and management stakeholders.

Educational, self-service. Customizable quick-start. Security fits agile or waterfall.

Track security results
Development teams submit results into Software Security Center from HP Fortify SCA, HP WebInspect and 3rd party analyzers. Are we getting better or worse?
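An added example (not HP Fortify code) of the two questions the deck keeps returning to: the Security Gate before production and "are we getting better or worse?" when comparing scan results over time. The findings are constructed sample data in a simplified shape; the real FPR format and instance identifiers differ.

```python
from dataclasses import dataclass
from operator import attrgetter

@dataclass(frozen=True)
class Finding:
    """One analyzer finding (constructed, simplified shape; not the FPR format)."""
    instance_id: str   # stable id that survives across scans so an issue can be tracked
    category: str
    severity: str      # Critical / High / Medium / Low
    location: str      # file:line

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def diff_scans(previous, current):
    """Split the current scan into new, fixed and carried-over findings by instance id."""
    prev = {f.instance_id: f for f in previous}
    cur = {f.instance_id: f for f in current}
    by_id = attrgetter("instance_id")
    new = sorted((cur[i] for i in cur.keys() - prev.keys()), key=by_id)
    fixed = sorted((prev[i] for i in prev.keys() - cur.keys()), key=by_id)
    carried = sorted((cur[i] for i in cur.keys() & prev.keys()), key=by_id)
    return new, fixed, carried

def risk_score(findings):
    """Severity-weighted total used to answer 'are we getting better or worse?'."""
    return sum(SEVERITY_RANK[f.severity] for f in findings)

def security_gate(previous, current, block_at="High"):
    """Release gate: block if any *new* finding is at or above block_at severity.
    The trend is reported separately, because a falling total score can still
    hide a newly introduced high-severity issue (the sample data shows this)."""
    new, fixed, carried = diff_scans(previous, current)
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in new if SEVERITY_RANK[f.severity] >= threshold]
    before, after = risk_score(previous), risk_score(current)
    trend = "better" if after < before else "worse" if after > before else "same"
    return {"passed": not blocking, "blocking": blocking, "trend": trend,
            "new": len(new), "fixed": len(fixed), "carried": len(carried)}

# Constructed results for two consecutive scans of the same application.
PREVIOUS = [Finding("a1", "SQL Injection", "Critical", "Order.java:42"),
            Finding("a2", "Cross-Site Scripting", "High", "View.jsp:10"),
            Finding("a3", "Log Forging", "Low", "Audit.java:7")]
CURRENT = [Finding("a2", "Cross-Site Scripting", "High", "View.jsp:10"),
           Finding("a3", "Log Forging", "Low", "Audit.java:7"),
           Finding("b1", "Path Manipulation", "High", "Upload.java:88")]

if __name__ == "__main__":
    print(security_gate(PREVIOUS, CURRENT))  # trend "better", but gate fails on new High
```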

Thank you