IBM Innovate 2011
AppScan: Introducing Security, a first
Bobby Walters, Consultant, ATSC (bwalters@atsc.com)
Application Security & Compliance
June 5-9, Orlando, Florida
Agenda
- Defining Application Security
- Tools to help: AppScan
- Leveraging AppScan in the Software Development Life Cycle
Defining Application Security
"Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application." ~Wikipedia
- NOT firewalls
- NOT SSL
A firewall and SSL/TLS protect the network path; they do nothing about a SQL injection or cross-site scripting payload carried over an allowed, encrypted connection to the application itself.
False sense of security: what could happen?
- Data leaked: customer, partner, and/or own company data; identity theft
- Elevated access to the system: site defacement; impacts brand reputation, unsatisfied customers, etc.
- Application goes down: unable to perform business
- Untrusted code execution: arbitrary code run on the server
We had a security breach! What's the damage?
- Bad publicity: the breach has to be disclosed; public opinion and company brand decline
- Deeper look into the security of the application: audits; outside services/monitoring
- Financial impact: legal fees; local/federal penalties; unbudgeted security spending (much more now!); customer lawsuits; customer loss
Example breach and disclosure
- Data breach of a data warehouse company, March 30th, 2011
- Several companies affected
- Impact: media coverage; individual companies respond to customers; likely phishing attacks, more damage possible
- http://www.businessinsurance.com/article/20110410/issue01/304109976
Checkpoint
- Defining Application Security: security throughout the application life cycle; risks of a breach; costs of a breach
- Tools to help: AppScan (up next)
- Leveraging AppScan in the Software Development Life Cycle
Tools to help: AppScan
- AppScan Source Edition: statically analyzes source code for flaws
- AppScan Standard/Enterprise Edition: tests the running web application
- AppScan Tester Edition: ties in to the QA environment
- AppScan Build Edition: adds security scanning to continuous integration builds
- AppScan Reporting Console: aggregates all security reports
AppScan built on industry standards
- Open Web Application Security Project (OWASP): dedicated to finding and fighting the causes of insecure software. Official Web site: www.owasp.org
- Web Application Security Consortium (WASC): develops, adopts, and advocates standards for Web application security. Official Web site: www.webappsec.org
- Threat ranking, DREAD: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability. Rank = (D + R + E + A + D) / 5, with each component scored on a common scale (conventionally 0 to 10)
- Reporting
Pick the right tool for the job
- Security affects everyone: roles include developers, testers, leads, managers, etc.
- Editions of AppScan are tailored for a purpose:
  - Resources: small, large, on demand
  - Scope: local or across the enterprise
  - Automated with the build process or started manually
  - Consolidated or local reports
www.ibm.com/software/rational 11
IBM Rational AppScan walkthrough (screen captures not reproduced; only the slide titles survive):
- Advisory
- Fix Recommendation
- Request/Response
- Scan Configuration
- Create Report: Security Report
- Create Report: Regulatory Compliance
- Sample Report: Executive Summary
- Sample Report: HIPAA
Checkpoint
- Defining Application Security: completed
- Tools to help: AppScan: several editions exist to fit your environment and need; built on industry standards
- Leveraging AppScan in the Software Development Life Cycle: up next
Software Development Life Cycle
Represents the phases of realizing a business need in an application:
- Capture business requirement
- Analysis and design
- Implement functionality
- Verify and test
- Deploy and maintain
Agile Software Development Life Cycle
A lightweight, iterative, and adaptable approach to the SDLC:
- Requirements are User Stories and are stored on a Product Backlog
- Analysis and design on smaller sections of the Product Backlog (the Sprint Backlog)
- Implement the Sprint Backlog User Stories
- Conditions of Satisfaction serve to verify User Story requirements
- Deploy, maintain, and increment to the next Sprint
Agile Security Software Development Life Cycle
Security can be implemented in an Agile fashion:
- Cost versus value of a Security SDLC
- Agile allows small iterations to re-evaluate and rank threats
- Prioritize and account for security flaws early and often
- Develop with security in mind instead of facing a huge fallout from a security breach
- Great to start with security in mind, but it can also be introduced to existing projects
- Groom the Product Backlog using AppScan reports
- Identify responsibilities within the team regarding security
Building an Agile Security SDLC
- The existing process won't change overnight
- Show value: security is not an afterthought, it prevents heartache later; reports are easy to communicate to the entire team
- Introduce in small, understandable steps
- Find a champion in management
- Concise steps build team support
- Work backwards through the SDLC: start with the deployed application, then testing, then implementation, then analysis and design
Building an Agile Security SDLC: Deployed Application
- Run AppScan against an existing deployed web application
- Familiarize the security/QA team with the AppScan run configuration
- Review report styles and ways to communicate with the team and managers
- Establish a baseline and patterns
Next steps:
- Review and document potential flaws for the Product Backlog; involve Testers
- First runs of AppScan on the deployed app
Building an Agile Security SDLC: Verify and Testing
- Expose AppScan to Testers
- Set up AppScan with the established baseline and patterns
- Distribute reports to the team
- Start thinking in terms of Conditions of Satisfaction
Next steps:
- Remediate and assign potential security flaws to User Stories
- Testers use AppScan in the Sprint review
Building an Agile Security SDLC: Implementation
- Allow developers to review AppScan reports
- Bring the user story in: understand the security issue
- Review suggested fixes
- Incorporate security concerns into future development
Next steps:
- Adjust best practices; analysis and design include security
- Developers recognize security patterns
Building an Agile Security SDLC: Analysis & Design
- Developers and business analysts have security in focus
- Build user stories with security in mind from the beginning
- Conditions of Satisfaction are security aware
- Demonstrate with AppScan reports that Conditions of Satisfaction are met
Continue the Agile Security SDLC:
- Scan, triage, and assign during each Sprint
- Best practices include security concerns
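The deck gives the DREAD formula under "AppScan built on industry standards" and, in the Sprint steps above, asks that scan findings be triaged against an established baseline and that a security-aware Condition of Satisfaction be demonstrable from scan reports. The following is an added example of that triage loop; it is not IBM or AppScan code, and it does not model AppScan's real report formats. The findings and the baseline are constructed, the field names, the `Finding` shape and the severity thresholds (8.0 for High, 5.0 for Medium) are assumptions made for illustration, and the sprint gate simply fails when any finding that was not in the baseline ranks above a chosen threshold.

```python
"""DREAD-ranked triage and a baseline gate for web-application scan findings.

Added example, not code from IBM or AppScan. Findings, baseline, field names
and severity thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Component names in the order of the slide's formula: D, R, E, A, D.
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Finding:
    issue_type: str   # e.g. "SQL Injection"
    url: str          # page the scanner flagged
    parameter: str    # request parameter, or "-" if not parameter-specific
    dread: Tuple[int, int, int, int, int]  # D, R, E, A, D, each scored 0..10

    def key(self) -> Tuple[str, str, str]:
        """Identity used to match a finding against the previous baseline."""
        return (self.issue_type, self.url, self.parameter)


def dread_rank(scores: Tuple[int, ...]) -> float:
    """Rank = (D + R + E + A + D) / 5, as on the slide.

    Each component must be on the 0..10 scale; anything else is a scoring
    error, so it is rejected rather than silently clamped.
    """
    if len(scores) != len(DREAD_FIELDS):
        raise ValueError("expected five DREAD components")
    for name, value in zip(DREAD_FIELDS, scores):
        if not 0 <= value <= 10:
            raise ValueError(f"{name} must be 0..10, got {value}")
    return sum(scores) / len(DREAD_FIELDS)


def severity(rank: float) -> str:
    """Map a rank to a label. Thresholds are an assumption, not AppScan's."""
    if rank >= 8.0:
        return "High"
    if rank >= 5.0:
        return "Medium"
    return "Low"


def triage(findings: Iterable[Finding],
           baseline: Iterable[Tuple[str, str, str]]) -> List[Dict]:
    """Order findings for the Product Backlog, highest rank first, and mark
    which ones are new relative to the baseline from the first scan run."""
    known = set(baseline)
    rows = [{"finding": f, "rank": dread_rank(f.dread),
             "severity": severity(dread_rank(f.dread)),
             "new": f.key() not in known} for f in findings]
    rows.sort(key=lambda r: r["rank"], reverse=True)  # stable for equal ranks
    return rows


def gate(findings: Iterable[Finding],
         baseline: Iterable[Tuple[str, str, str]],
         max_new_rank: float = 5.0) -> Tuple[bool, List[Finding]]:
    """Sprint Condition of Satisfaction: no NEW finding ranks above
    max_new_rank. Baseline findings stay on the backlog but do not block,
    so the gate can be introduced without failing every build at once."""
    blocking = [r["finding"] for r in triage(findings, baseline)
                if r["new"] and r["rank"] > max_new_rank]
    return (not blocking, blocking)


# Constructed sample: what a second scan of a deployed app might surface.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "/login", "username", (9, 10, 8, 9, 8)),
    Finding("Cross-Site Scripting", "/search", "q", (6, 9, 7, 7, 8)),
    Finding("Cookie without HttpOnly flag", "/login", "-", (3, 10, 4, 5, 10)),
    Finding("Server version disclosed", "/", "-", (1, 10, 1, 2, 10)),
]

# Constructed baseline: keys of the findings recorded on the first run.
SAMPLE_BASELINE = [
    ("Cross-Site Scripting", "/search", "q"),
    ("Server version disclosed", "/", "-"),
]


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, SAMPLE_BASELINE):
        f = row["finding"]
        flag = "NEW" if row["new"] else "known"
        print(f"{row['rank']:4.1f} {row['severity']:6} {flag:5} "
              f"{f.issue_type} at {f.url} [{f.parameter}]")
    passed, blocking = gate(SAMPLE_FINDINGS, SAMPLE_BASELINE)
    print("gate:", "PASS" if passed else "FAIL",
          [f.issue_type for f in blocking])
```

Two caveats a practitioner would want: DREAD scores are subjective, so agree on written scoring guidance per component before relying on rank differences (Microsoft itself later stopped using DREAD in its SDL for that reason), and a baseline that never shrinks becomes a permanent exception list, so re-triage the known findings each Sprint rather than only the new ones.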
Agile Security Software Development Life Cycle: Value
Value versus cost proposition:
- Avoid negative press due to a security exploit
- Keep the confidence of customers, partners, and the company
- Value of an iterative approach: discover, rank, and handle security flaws early rather than in a reactive fashion
Introducing Security to an Agile SDLC is an iterative process:
- Have key buy-in from management
- Build team support without overwhelming them
- Demonstrate how easily AppScan integrates
- Use the appropriate AppScan edition(s)
Key Takeaways
- Defining Application Security: security throughout the application life cycle; not SSL and firewalls; understanding the risks and the costs associated with them
- Tools to help: AppScan: based on industry standards; reporting, role based, and flexible
- Leveraging AppScan in the Software Development Life Cycle: communicate the value of having Security in the Software Development Life Cycle; introduce Security as part of the process, not an afterthought
Copyright IBM Corporation 2011. All rights reserved. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.