Application Security Testing Powered by HPE Fortify on Demand. Managed application security testing available on demand


Powered by HPE Fortify on Demand, Sogeti Application security testing is a managed service that makes it simple to initiate security tests on a few applications or to launch a comprehensive security program without upfront investment in technology and resources. Combining HPE's advanced dynamic and static security testing technologies with Capgemini/Sogeti's world-leading experience in testing and cybersecurity services, it brings professional-level software security expertise to organizations of any size.

1. Initiate: the customer uploads software to the Sogeti platform or provides the URL of the application.
2. Test: the Sogeti platform conducts a thorough security test (dynamic or static) of the application.
3. Review: our experts review and analyze the results of the application test and deliver them as a detailed report or dashboard.

Enterprise application risk management

Assessing internal applications
With internally developed applications, Sogeti Application security testing helps in two primary ways. For companies with a secure development lifecycle already in place, we can provide a final test before deployment. For organizations new to security, Sogeti Application security testing can provide a quick and accurate application security test to baseline applications and prioritize efforts to improve application security. In addition, code assessments can be provided at any time during the development work.

Outsourced and open source application security testing and management
To accelerate time to market, companies are increasingly relying upon outsourced development resources and open source software. Third-party developers may not follow the same best practices instituted with in-house developers, while open source code can be filled with known or unknown vulnerabilities. Sogeti Application security testing enables companies to identify and assess the security risk of outsourced or open source content and implement the necessary security control strategies.

Vendor application security testing and management
Third-party code, including commercial software, represents a large percentage of deployed software and therefore a substantial area of potential risk. Yet most software vendors provide little or no visibility into the security state of their products and are, for a variety of reasons, resistant to having their software analyzed by anyone but themselves. They are concerned about providing access to their most precious intellectual property, their source code. Companies should ensure their third-party software is tested for vulnerabilities during the procurement or upgrade process, and request that critical issues be addressed prior to acceptance. Sogeti Application security testing provides an easy-to-use security-as-a-service approach that doesn't require source code; it allows the vendor to test applications, resolve issues, and then publish a final report to the procurer. Sogeti Application security testing serves as an independent third party and system of record for conducting a consistent, unbiased analysis of vendor software.

Cybersecurity the way we see it

Service features and benefits

Managed service
Fast and easy to start an application security program with minimal upfront investment, with the flexibility to scale with changing business needs. There is no need to install, procure, and maintain hardware or to hire and retain a large staff of application security experts.

Fast results
Accurate, detailed results delivered on many assessments in just a few days.

Centralized portal
User-friendly dashboards and reporting make it simple to manage an application portfolio and collaborate across distributed teams. Assess risk, initiate scans, analyze results, and remediate vulnerabilities based on prioritized recommendations.

Europe-based
Sogeti Application security testing is provided from Europe. The platform is hosted in a Sogeti infrastructure in a secure European (Tier IV) datacenter in Luxembourg, out of scope of any Patriot Act legislation. It is entirely administered by Sogeti, so that assessed applications and vulnerability reports are fully secure.

Software security research
The Sogeti Application security testing platform benefits from threat intelligence updates from HPE Security Research.

Personalized support
Results are manually reviewed by application security experts. A technical account manager (usually a local Capgemini/Sogeti consultant) ensures overall customer satisfaction, drives adoption of the service, addresses issues, connects customers to experts and provides best practice guidance.

Comprehensive security testing solution
Integrate with security software offerings, including HPE Software Security Center, to build a powerful security program. IDE plug-ins, build server integration, WAF, digital vaccines, and bug tracking are supported as well.

Service description: A flexible model based on Assessment Units

Application security testing
Sogeti dynamic, static, and mobile application security testing services are available by purchasing Sogeti Application security testing Assessment Units. Assessment Units are pre-paid credits that are redeemed for single assessments or application subscriptions, offering flexibility to allocate your investment throughout the year. Assessment Units are valid for 12 months starting at the purchase order (PO) effective date and may be redeemed individually.

For each single assessment or subscription requested, the customer chooses a combination of one assessment type (dynamic, static, or mobile) and one assessment service level. Customers that perform a single assessment can request one remediation validation scan within one month of the assessment. An application subscription allows one application to be assessed an unlimited number of times for a period of 12 months starting at the PO effective date (irrespective of when Sogeti Application security testing Assessment Units are redeemed).

Customers can purchase multiple years' worth of Assessment Units on a single PO (two or three years). Multi-year commitments, as well as bulk Assessment Units purchases, reduce customer costs. For multi-year commitments, a set annual allotment of Assessment Units is purchased and each year's allotment is issued on the anniversary of the PO effective date. Each year's allotment of Assessment Units must be used within 12 months and is not rolled over to subsequent years.

Table 1: Assessment Units

Assessment service level   Single assessment     Application subscription
Basic                      2 Assessment Units    6 Assessment Units
Standard                   4 Assessment Units    12 Assessment Units
Premium                    8 Assessment Units    25 Assessment Units

Table 2: Assessment Service Levels

                                     Basic                              Standard                   Premium
Dynamic assessments
  Technique                          Full automated                     Full automated + manual    Full automated + manual
  False positive removal             Yes                                Yes                        Yes
  Authentication                     Yes                                Yes                        Yes
  Logic                              No                                 No                         Yes
  Source code                        No                                 No                         Yes (1 assessment)
  Web services                       No                                 No                         10 endpoints
  Target turnaround                  3 days                             5 days                     7 days
Static assessments
  Languages                          21+*                               N/A                        N/A
  Upload file size                   All sizes                          N/A                        N/A
  Vulnerability categories           All categories                     N/A                        N/A
  Audit review                       Yes                                N/A                        N/A
  False positive removal             Yes                                N/A                        N/A
  Target turnaround                  2 days                             N/A                        N/A
Mobile assessments
  Platforms                          iOS, Android, Windows, BlackBerry  iOS, Android               iOS, Android, Windows, BlackBerry
  Client: automated binary           No                                 Yes                        Yes
  Client: manual binary              No                                 OWASP top 10               All categories
  Client: source code                Yes                                No                         Yes
  Network                            No                                 OWASP top 10               All categories
  Server: Web services (dynamic)     No                                 OWASP top 10               All categories
  Server: Web services (source code) No                                 No                         Yes
  False positive removal             Yes                                Yes                        Yes
  Target turnaround                  2 days                             2 days                     7 days

* Supported languages for static Basic assessments are ABAP/BSP, ASP.NET, C, C#, C++, COBOL, Classic ASP, ColdFusion, FLEX, HTML, Java (with Android), JavaScript/AJAX, JSP, Objective-C, PHP, PL/SQL, Python, Ruby, Transact-SQL, VB.NET, VB6, VBScript, or XML.

Web services assessment
Web services assessments are offered in buckets of 10 endpoints and can be added to any level of dynamic testing. A customer can request a Web services assessment by redeeming four (4) Assessment Units.

Digital risk assessment
Sogeti Application security testing offers an internal or external digital discovery assessment of domains and Internet protocol address space owned by the customer. This assessment helps the customer determine how many live or unknown websites the company owns, which of those websites house unknown application functionality, and the risk profile of these sites. A customer can request a digital risk assessment by redeeming fifty (50) Assessment Units.

Comprehensive operational services

Sogeti Application security testing delivers ongoing support services, including the following:

Customer support
Sogeti maintains a team of support staff, which is the single point of contact for all issues related to the Sogeti Application security testing service. The severity of the request determines the response and resolution time.

Technical account manager
All accounts include the service of a technical account manager (TAM) to help drive the success of a customer's application security program. The TAM (usually a local Capgemini/Sogeti consultant) serves as the customer's liaison with the platform and the testers; manages contract issues, renewals, and support requests; and coordinates Sogeti resources, including system and process experts, as necessary to drive adoption and customer success.

Availability service-level objective
Sogeti Application security testing is designed for an availability service-level objective of 99.5 percent. The availability service-level objective does not apply to performance issues:
- caused by overall Internet congestion, slowdown, or unavailability of generic Internet services (e.g., DNS servers) due to virus or hacker attacks, etc.;
- that resulted from actions or inactions of the customer (unless undertaken at the express direction of Sogeti) or third parties beyond the control of Sogeti;
- that resulted from the customer's equipment or third-party computer hardware, software, or network infrastructure not within the sole control of Sogeti;
- that resulted from scheduled infrastructure maintenance downtime to implement major version upgrades.

Capacity and performance management
All tiers of the Sogeti Application security testing infrastructure are proactively monitored for capacity and performance. Our architecture allows capacity to be added to applications, databases, and storage. Capacity is increased as required as the customer's utilization of Sogeti Application security testing expands.

Additional security testing services
Other Sogeti security testing services can smoothly complement Sogeti Application security testing:
- Manual code review can add security expertise for highly critical software on top of static application security testing;
- Penetration testing can find and exploit remaining vulnerabilities, including infrastructure vulnerabilities, once the application is in production in the real deployment infrastructure;
- Product security evaluation, performed from our licensed IT Security Evaluation Facility, can guarantee best-in-class security and lead to official security certification (Common Criteria...);
- Security consulting can help remediate vulnerabilities and improve the secure software development lifecycle;
- Application security training and awareness can help developers adopt better security practices.

Assumptions

For static assessments, an application is defined as a deployable unit of code consisting of a collection of source and/or byte code instruction files that:
- can deliver some or all of the functionality of a business application;
- is written in the same technology family;
- is built on a single platform;
- does not include any loosely coupled components;
- can be configured to run on an application server (e.g., a Web Application Archive [WAR] or Enterprise Archive [EAR] file for a Java application) or, for a .NET application, is defined as a solution in Team Foundation Server.

Mobile applications must meet the minimum requirements for the supported language version.

For dynamic assessments, an application is defined as a fully qualified domain name (FQDN) with a single authentication management system. The customer must confirm that its Web application and user credentials are functioning prior to the security assessment. In addition, all functional and performance testing should be completed by this time, and the application's code should be frozen for the duration of the security test engagement. The customer is required to provide a formal authorization to perform a security assessment of the application.

A subscription is valid for a single application, which cannot be changed during the subscription term purchased. The customer is in charge of maintaining the list of authorized users who may access the system, including creation of usernames and passwords and keeping the list accurate and confidential according to the customer's internal policies.

Sogeti Application security testing service will be performed remotely by Sogeti testers. Sogeti may choose to utilize qualified HPE testers to perform the services. Sogeti Application security testing service does not contemplate the sale of products or support services, which shall require the necessary terms and conditions for such purchase pursuant to a separate agreement between the parties. Any software that Sogeti uses to provide security assessments will not be provided to the customer.

How do I start?

Sogeti Application security testing service makes it simple and fast to initiate fundamental security controls, without upfront investment, whether you have just a few applications or are looking to launch a comprehensive security program across your organization. You contract with your local Capgemini or Sogeti company to buy the number of Assessment Units you need, we install your customer portal within days and you're ready to start! There is no minimum quantity: you can begin with a small number and buy additional Assessment Units when the service has proved effective in your organization and needs to be extended, or you can buy a large number to reduce costs. Just contact us and let's get started!

For more details contact:
Mervyn Jackson, Director of ADNT, Sogeti UK
mervyn.jackson@uk.sogeti.com
+44 (0) 330 588 8200

About Capgemini and Sogeti

With more than 180,000 people in over 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2015 global revenues of EUR 11.9 billion. Together with its clients, Capgemini creates and delivers business, technology and digital solutions that fit their needs, enabling them to achieve innovation and competitiveness. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience TM, and draws on Rightshore, its worldwide delivery model.

Sogeti is a leading provider of technology and software testing, specializing in Application, Infrastructure and Engineering Services. Sogeti offers cutting-edge solutions around Testing, Business Intelligence & Analytics, Mobile, Cloud and Cyber Security. Sogeti brings together more than 23,000 professionals in 15 countries and has a strong local presence in over 100 locations in Europe, the USA and India. Sogeti is a wholly-owned subsidiary of Cap Gemini S.A., listed on the Paris Stock Exchange.

Capgemini and Sogeti are experts in IT infrastructure and application integration. Together, we offer a complete range of cybersecurity services to guide and secure the digital transformation of companies and administrations. Our 2,500 professional employees support you in defining and implementing your cybersecurity strategies. We protect your IT, industrial systems, and Internet of Things (IoT) products and systems. We have the resources to strengthen your defenses, optimize your investments and control your risks. They include our security experts (Infrastructures, Applications, Endpoints, Identity and Access Management) and our R&D team that specializes in malware analysis and forensics. We have ethical hackers, eight security operations centers (SOC) around the world, an Information Technology Security Evaluation Facility, and we are a global leader in the field of testing.

Find out more: www.capgemini.com/cybersecurity or www.uk.sogeti.com/services/cyber-security/application-security

The information contained in this document is proprietary. 2016 Capgemini. All rights reserved. Rightshore is a trademark belonging to Capgemini. MCOS_GI_AP_20160602