
From Security Assessment to Vulnerability Remediation: The Realities of Deploying a Cloud-Based Application Risk Management Solution
Moderator: Benjamin McGee, CISSP, Cyber Security Lead, SAIC

Setting the Tone

The dramatic rise in cyber crime and web application security threats makes it more important than ever to know the security state of the essential business applications that run your operations. But software security testing can involve time, expertise, and software investments that make it impractical for many IT organizations. Deploying a cloud-based application risk management solution provides a way to quickly, accurately, and affordably test the security of applications without any software to install or manage. This automated, turnkey service requires no special security assessment expertise.

When it comes to IT security, it is painfully obvious that both government and industry focus too heavily on perimeter and endpoint protection: network security, host security, virus protection, trusted internet connections, core configurations, firewalls and identity management. Meanwhile, the applications that protect vital information and automate critical processes remain too vulnerable.

Poll the Group

How many with me today are deploying a cloud-based SSA (software security assurance) solution? One yes; everyone else no.
And how many are considering it? None.
What about just an SSA solution? Fortify, IBM AppScan, Coverity, WebInspect.

Key Definitions

Static Analysis: Users upload either source code or executables, and the SSA cloud application completes a static analysis that detects a wide range of vulnerability categories without running the software.

Dynamic Analysis: Users provide the URL of any application, either in QA or production, and a test is scheduled automatically at different levels of service. The running application is exercised from the outside, without access to its source.
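To make the two definitions concrete, here is an added example (written for this page, not code from the SSA cloud service or from the session): a toy static check that inspects source for SQL built by string formatting, beside a toy dynamic check that sends a tautology payload to a running handler and compares row counts. The sample source, the in-memory SQLite database, the two endpoint functions and the probe payload are all constructed here so the example runs offline; the function names are this example's own, not the product's.

```python
"""Static vs. dynamic application security testing, side by side.

Added illustration, not the SSA cloud service's analyzer. Everything below
(sample source, database contents, endpoints, payload) is constructed here.
"""
import ast
import sqlite3
from typing import Callable, List

# --- Static analysis: inspect source without running it --------------------

# Constructed sample source. The first handler builds SQL with the % operator
# (the vulnerable pattern); the second uses a parameterised query.
SAMPLE_SOURCE = '''
def lookup_user(db, username):
    return db.execute("SELECT id FROM users WHERE name = '%s'" % username)

def lookup_user_safe(db, username):
    return db.execute("SELECT id FROM users WHERE name = ?", (username,))
'''


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds a string at runtime (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"
    return False


def find_sql_string_building(source: str) -> List[str]:
    """Return the names of functions that pass a runtime-built string to .execute()."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if (isinstance(call, ast.Call)
                    and isinstance(call.func, ast.Attribute)
                    and call.func.attr == "execute"
                    and call.args
                    and _is_dynamic_string(call.args[0])):
                findings.append(func.name)
    return findings


# --- Dynamic analysis: exercise the running application --------------------

def _make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the deployed app's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db


def vulnerable_endpoint(username: str) -> int:
    """Stand-in for a deployed handler the dynamic scanner sees only via its URL."""
    db = _make_db()
    rows = db.execute("SELECT id FROM users WHERE name = '%s'" % username).fetchall()
    return len(rows)


def safe_endpoint(username: str) -> int:
    """Same handler with a parameterised query."""
    db = _make_db()
    rows = db.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
    return len(rows)


def probe_for_injection(endpoint: Callable[[str], int]) -> bool:
    """Black-box check: a tautology payload must not return more rows than a real name."""
    baseline = endpoint("alice")
    tampered = endpoint("alice' OR '1'='1")
    return tampered > baseline


if __name__ == "__main__":
    print("static findings:", find_sql_string_building(SAMPLE_SOURCE))
    print("vulnerable endpoint injectable:", probe_for_injection(vulnerable_endpoint))
    print("safe endpoint injectable:", probe_for_injection(safe_endpoint))
```

The static check needs the source and reports the defect even if the code path is never reached at runtime; the dynamic check needs only a reachable endpoint and reports the defect only when it can observe a behavioural difference. That is why the two are complementary rather than interchangeable.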

Discussion Point #1: Who is at Risk?

Overlooking vulnerabilities within software that has already been deployed puts government agencies and industry at tremendous risk of attacks, data loss and process interruption. Research by both US-CERT and a 2009 government study found that 79 percent or more of the attacks that led to data loss in 2009 were on applications.

Discussion Point #1: Who is at Risk? - Comments
- Cost
- What is the priority? Focus has been on network security: physical, firewalls, IDS
- No policy guidance
- No metrics
- Education: long-term benefit of frontloading security into the SDLC
- Pulling out of a contract is too costly
- Old-school mentality; need a new wave of thinking

Discussion Point #2: Software Superiority?

One needs to look no further than the attack on Google by hackers in China, enabled by a zero-day vulnerability in Microsoft's Internet Explorer, for a sobering reminder that even the biggest software companies with the best processes can produce insecure code. According to evidence from code-level analysis performed for a recent study published in SC Magazine (automated static and dynamic security testing of nearly 1,600 applications over the 18 months prior to February 2009), half of all government applications failed to demonstrate acceptable security, compared to slightly more than half of all applications tested.

Discussion Point #2: Software Superiority? - Comments
- No way: more people to test larger applications like Microsoft's that identify vulnerabilities
- GOTS: limited funding, limited documentation, limited resources
- COTS: continuous funding
- What's the level of the program? Different requirements for different apps
- A lot of apps have no specific STIG

Discussion Point #3: Dispelling the Myths of Perimeter Security to Promote SSA

Data breaches are shifting more to the application layer, putting software at the root of federal cyber vulnerabilities. Economic and time-to-value imperatives have driven agencies to reuse code and purchase software wherever possible. A vulnerability in any piece of software can be a door that bypasses network and endpoint controls and gives an attacker access to everything. Until government agencies and industry secure both their application development efforts and their software supply chain, they remain vulnerable. We patch software with known vulnerabilities precisely because we know perimeter and endpoint security cannot protect against many software vulnerabilities; the only real fix is addressing the root cause in the software itself, with a patch.

Discussion Point #3: Dispelling the Myths of Perimeter Security to Promote SSA - Comments
- Culture change: SSA will take a long time to move
- Don't agree with the "myth of perimeter security"
- C&A
- Network security education
- Develop process; software driven by schedule
- IA and security moving on to software from network: "oh no, not another IA thing that I have to do"
- Industry is doing this; DoD needs to be doing this. Huge money going into software security

Discussion Point #4: Advantages and Disadvantages of SSA in the Cloud

I think we have heard today that it is not currently possible to know the security state of all our critical software. And the idea that application risk management is time-consuming, complicated and disruptive is anchored in an outdated understanding of what is possible. With cloud-based security testing and technical innovations that enable automated testing of software in its final form (binaries) rather than only in source code, it is possible to assess hundreds of applications within a year or even a few months. By prioritizing applications based on each one's level of business criticality, government agencies can quickly test the most mission-critical applications first.

The right application risk management solution can fit easily into current internal certification and accreditation processes and integrate into the many different software development lifecycles (SDLCs) used across the enterprise, without causing disruption. Third-party applications and code can be evaluated too, so that agencies can cost-effectively evaluate the security of every application behind the firewall, not just the ones they wrote. Application risk management solutions delivered through a cloud-based model and able to evaluate every application regardless of its supplier can scale globally across teams and geographies without the need for any hardware or software on the customer side, leading to lower operational expenditures, more complete coverage and a more accurate understanding of risk and compliance.

Discussion Point #4: Advantages and Disadvantages of SSA in the Cloud - Comments
- Gov't-provided cloud might work; would be difficult to have contractors pushing/pulling software up because of intellectual property
- Time increase; issues with NDAs; stingy; vendor black box
- Virtualization
- Intellectual property: life of company may come into play; what if they are bought out by another company?
- Third party: start chucking code over the fence
- Who coded the cloud? Is it secure? How do I know?
- Pros: on cloud, could have version control and geographically dispersed units
- Pros: fewer internal resources / service licenses
- Many thought this was the first time this concept was introduced to them
- Providing data to the next contract could be an issue; may not be held accountable

Discussion Point #5: Concluding Thoughts - Complying with Government Standards

Without a change in the way government agencies and industry protect themselves from the exploitation of software vulnerabilities, progress can't be made. Patching more quickly and updating anti-virus and IDS/IPS signatures faster is not stemming the tide; the threat space moves too quickly. And, while no software will ever be perfectly secure, understanding the nature of software vulnerabilities across your entire portfolio of critical applications, and how they contribute to enterprise security risk, is crucial for protecting your organization.