Assuring Application Security: Deploying Code that Keeps Data Safe

Introduction

"There's an app for that" has become the mantra of users, developers, and IT alike. The explosion of applications, whether homegrown, developed with outside teams, commercial off-the-shelf, or open source, is clear. Just look at the icons populating phones, tablets, and computers everywhere. But all that code can bring new risks. Unprotected web applications that communicate with mobile apps, unencrypted login information flying around wi-fi hotspots, and consumer applications and games that try to gain access to corporate contact lists, data, and settings can lead to data leakage, compromised systems, and full-blown breaches. As such, developers, DevOps, and IT must ensure that the applications they create and run do not put the enterprise at risk.

To put the urgency of the matter into perspective, just consider the financial consequences of cyber attacks. The Ponemon Institute 2014 Cost of Cyber Crime Study, based on a survey of 257 organizations in six countries, found that attacks cost U.S. companies an average of $12.7 million in 2013. Any effort to harden apps during development, and to better secure and test apps and their associated data during deployment and beyond, will return great value in cost avoidance.

Meeting Today's New App Security Challenges

Why do companies need to pay special attention to security when it comes to developing modern apps? The problem is that native and web-based applications intended for today's mobile workforce and customer base can introduce new risks. The best way to address these risks and minimize the chance of a breach, data leakage, or a system being compromised is to build security into the apps from the ground up, and then to repeatedly test the security of the app once it is in the field. Essentially, companies need to take today's cyber-risks into account at every stage of development, deployment, and usage.

This can represent quite a challenge. New risks are increasingly complex, and new threats are more sophisticated than their predecessors of just a few years ago. Some of the common risks associated with new applications today include:

Evolving Malware Threats: Malware aimed at mobile devices and backend servers continues to become more sophisticated, targeting data that can be used to commit fraud, carry out identity theft, or compromise corporate systems. With many companies supporting bring-your-own-device (BYOD) policies and providing access to corporate applications and data via cloud services, a compromised mobile device or app can provide unfettered access to all forms of data. Unfortunately, malware designed to attack mobile devices is on the rise. Because companies have less control over mobile devices, users have greater freedom to download and install any application, whether or not it has been vetted for safety by IT. This is particularly troublesome because corporations are making more, and new types of, data accessible to mobile devices every day.

Systems Increasingly Exposed: When creating mobile applications, companies often expose systems that had not previously been accessible from outside their networks. This introduces two potential problems. First, since the backend system had previously been reachable only through the corporate network, the security measures in place may not be as strong as required once access is opened up. Second, access to backend systems is commonly provided through an API, and if proper security steps are not taken, an attacker might exploit that API for nefarious purposes.

Insecure Data Storage: Trading security for convenience, some apps automatically connect to their backend services without requiring the user to enter credentials on the mobile device. In many cases, this is accomplished by storing user account information (username, password, email address, geo-location data, etc.) in clear text. This is clearly a weakness that has the potential to be exploited. An example of this weakness in some commonly used apps was discovered early this year by security researcher Daniel Wood. A ComputerWorld article on his findings noted that the very widely used Starbucks payment app had been storing usernames, email addresses, and passwords in clear text. An app that takes this approach exposes the account and the data associated with the app to risk. Additionally, since many people use the same username and password for all or many of their apps, an attacker who obtains one app's credentials could then use them to log into other apps, including corporate apps. This could provide a conduit to data and resources that should not be available to unauthorized users. Yet an attacker using an employee's login credentials would go undetected, appearing to have suitable access rights and privileges.

Unintended Data Leakage: When an application processes sensitive information taken as input from the user or any other source, that data may end up in an insecure location on the device. This insecure location could be accessible to other malicious apps running on the same device, thus exposing that data and the device to increased risk. The critical point to consider is that leaky apps have the potential to be exploited to gather enormous amounts of personal and corporate information. For example, an app might have permission and rights to access a user's contact list or a corporate database. Once that data is collected, the app might not have the same high level of security measures in place as protected the data before it was acquired. So data that seemed adequately protected on a backend server might be exposed by exploiting weaknesses in the app itself.

Citizen Developers: Business units are increasingly trying to accelerate development times by handling the process themselves. While this might allow them to be more responsive to changing market conditions, it can introduce security problems. A rapidly developed app created by a citizen developer might not go through the normal testing and governance checks that a traditionally developed application would.

What's Needed?

With these points in mind, companies need an application security testing solution that covers everything from the backend web applications to the mobile apps themselves. The solution must cover the development stage and offer testing after an application is put into use to monitor for potential problems. In particular, a solution must be capable of testing web applications for exploitable vulnerabilities, must be able to analyze code, must help manage the security and development processes by coordinating efforts and enabling collaboration between the various stakeholders, and must offer easy-to-use-and-deploy application security testing.

These are all areas where HP Fortify can help. HP Fortify offers application security testing and management solutions, available on-premises or on-demand. The products within the solution line can help companies secure their software applications, including legacy, mobile, third-party, and open source applications. The HP Fortify offerings include static application security testing and dynamic application security testing products, as well as products and services to support Software Security Assurance (repeatable and auditable secure behaviors) over the course of a software application's life cycle. Furthermore, HP Fortify testing technologies are complemented by timely security intelligence from the HP Security Research team. The solutions include:

HP Fortify Static Code Analyzer, which helps companies reduce security risks by building better software. In particular, HP Fortify Static Code Analyzer helps verify that software is trustworthy and allows companies to implement secure coding best practices. Static Code Analyzer scans source code, identifies the root causes of software security vulnerabilities, and correlates and prioritizes results, giving line-of-code guidance for closing gaps in security. To verify that the most serious issues are addressed first, it correlates and prioritizes results to deliver an accurate, risk-ranked list of issues. The software reduces costs and increases IT productivity in several ways. It is easy to install, configure, and administer. It automatically monitors applications and collects data on attacks. And it requires no customization, training, or coding to use. All of these factors eliminate many manual chores that IT would ordinarily be required to carry out to protect against vulnerabilities. Additionally, the software's ease of use and automation features make the chores that IT must still handle simpler and faster to complete. This means fewer IT staff hours are needed to manage security, reducing costs and freeing up IT staff to work on other projects.

HP Fortify Software Security Center Server, which helps security and development teams collaborate to resolve security issues. With HP Fortify Software Security Center Server, security and development teams can quickly triage and fix vulnerabilities identified by HP static and dynamic analyzers. A collaborative web-based workspace and repository lets teams work together using role-specific interfaces. Detailed reference information, delivered to developers, describes problems and gives detailed instructions for fixing them.

HP Fortify on Demand, a managed application security testing service in the cloud, enables any organization to quickly test the security of a few applications or launch a comprehensive security program without additional investment in on-premises software and personnel. HP Fortify on Demand is the right choice for organizations that need a flexible solution and do not have the resources (time, experience, or budget) to implement an application security program in-house.

The HP Fortify solution is considered among the best on the market. In particular, HP Fortify is ranked as a leader in the 2014 Gartner Magic Quadrant for Application Security Testing (AST). To gain that level of recognition, a solution provider must demonstrate breadth and depth of AST products and services. Leaders must also provide organizations with AST-as-a-service delivery models for testing, or with a choice of a tool and AST-as-a-service, using a single management console and an enterprise-class reporting framework supporting multiple users, groups, and roles. In addition, leaders should provide capabilities for testing mobile applications. HP Fortify does all of this and more.

HP Fortify can be deployed in-house, as a managed service, or in a hybrid model that takes advantage of the best of both worlds. This flexible delivery model allows security groups to get started quickly and scale in response to business changes while protecting their assets and investments in application security.

For more information about HP Fortify and how it can help you secure your applications, visit hp.com/go/fortify