HP Fortify Software Security
Claudio Merloni
Software Security Solution Architect, HP Enterprise Security Products
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
The Adversary Marketplace
Diagram of the attack lifecycle, running between their ecosystem and our enterprise: Research, Infiltration, Discovery, Capture, Exfiltration.
Organize our capability to disrupt the market
The same lifecycle (Research, Infiltration, Discovery, Capture, Exfiltration, from their ecosystem into our enterprise), with a defender capability set against each stage: educating users, counter intel, stopping access, finding them, protecting the target access, planning damage mitigation.
Organize our capability to disrupt the market: HP solutions mapped onto the lifecycle
TippingPoint Solutions
• Intrusion Prevention
• Network Security, Digital Vaccine
Fortify Solutions
• Software security assessment
• Software security assurance
• Application events & protection
ArcSight Solutions
• Real-time security intelligence
• SIEM, Logger
HP Security Research
• Ecosystem partners: SANS, CERT, NIST, OSVDB, software & reputation vendors
• 2650+ researchers
• 2000+ customers sharing data
• www.hp.com/go/HPSRblog
• 6x the zero days of the next 10 competitors combined
HP Global Research
• Top security vulnerability research organization for the past three years (Frost & Sullivan)
• HP Security Research teams: DV Labs, ArcSight, Fortify, HPLabs, Application Security Center and Enterprise Security Services (ESS)
• Collect network and security data from around the globe
(Diagram labels: Ecosystem Partner, FSRG, ESS)
The problem
Cyber attackers are targeting applications
Three layers: networks, hardware, applications.
Security measures in place: switch/router security, firewalls, NIPS/NIDS, VPN, net-forensics, anti-virus/anti-spam, DLP, host firewall, host IPS/IDS, vulnerability assessment tools.
What attackers are after: intellectual property, customer data, business processes, trade secrets.
84% of breaches occur at the application layer.
9/10 mobile applications are vulnerable to attack.
What’s the Worst that Could Happen?
The Incident
• PlayStation Network breach reported April 2011
• 77M customer accounts compromised
• PS Network completely offline for 25 days
• Total cost of damages / loss > $171M
• …could be as high as $24B…
The Attack
• DDoS attack followed by SQL Injection
• 130+ servers completely compromised
• Account data, credit cards, email addresses stolen
• Required full network shutdown to contain
• More than just PlayStation Network…
Application security challenges
• Monitoring / protecting production software
• Securing legacy applications
• Procuring secure software
• Demonstrating compliance
• Certifying new releases
Software sources covered: existing software, in-house development, outsourced, commercial, open source.
Today’s approach > expensive, reactive
1. Somebody builds bad software
2. IT deploys the bad software
3. We are breached or pay to have someone tell us our code is bad
4. We convince & pay the developer to fix it
Why it doesn’t work
30x more costly to secure in production
Chart: relative cost to fix (2X, 5X, 10X, 15X, 30X) plotted across Requirements, Coding, Integration/component testing, System testing, Production.
After an application is released into Production, it costs 30x more than during design.
Source: NIST
Application Security Testing Techniques
The same cost chart (2X to 30X across Requirements, Coding, Integration/component testing, System testing, Production), with the testing techniques placed along it:
• SAST: Static Application Security Testing
• IAST: Interactive Application Security Testing
• DAST: Dynamic Application Security Testing
• RASP: Runtime Application Security Protection
Source: NIST
Application Security Testing: Fortify Solutions
The same cost chart, with the Fortify products placed along it:
• Education
• SCA: Static Code Analyzer
• WebInspect / WebInspect Agent
• RTA: RunTime Analyzer (AppDefender/AppView)
Source: NIST
The right approach > systematic, proactive
1. Embed security into the SDLC development process (in-house, outsourced, commercial, open source)
2. Leverage a Security Gate to validate the resiliency of internal or external code before Production
3. Improve SDLC policies; monitor and protect software running in Production
This is application security.
The solution
Fortify’s Software Security Vision
Covers in-house, outsourced, commercial and open source software.
1. Application Assessment: Assess. Find security vulnerabilities in any type of software (mobile, web, infrastructure).
2. Software Security Assurance (SSA): Assure. Fix security flaws in source code before it ships (secure SDLC).
3. Application Protection: Protect. Fortify applications against attack in production (logging, threat protection).
HP Fortify – Software Security Assurance
On-Premise and On-Demand
Fortify on Demand Security Gate
Secure ALL your applications before deployment
• Web, Facebook, Mobile
• In-house, out-sourced, third-party
Diagram: a security testing service acts as the Security Gate in front of deployment, whether the code comes from the Code / Test / Deploy pipeline or from Contract/Outsource / Procure.
HP Fortify on Demand
Get results fast with security testing software-as-a-service
Simple: launch your application security initiative in <1 day
• No hardware or software investments
• No security experts to hire, train and retain
Fast: scale to test all applications in your organization
• 1 day turn-around on application security results
• Support 1000s of applications for the desktop, mobile or cloud
Flexible: test any application from anywhere
• Secure commercial, open source and 3rd party applications
• Test applications on-premise or on demand, or both
HP Fortify on Demand at a glance
Comprehensive and accurate
• Static Testing: HP Fortify SCA
• Dynamic Testing: HP WebInspect
• Audit & Analysis: manual
• Powerful remediation
• Analysis & Reports
Broad support: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, Cold Fusion, Flex, HTML, Java, JavaScript/AJAX, JSP, Objective C, PHP, PL/SQL, Python, T-SQL, VB6, VB.NET, VBScript, XML
Fast, secure & scalable
• 1 day static turnaround
• Online collaboration
• Virtual scan farm
• Encryption: client, network, server
Mobile Security Testing
• All platforms: Apple iOS, Android, Windows, Blackberry
• Multiple analysis types: source code, running application, protocol analysis
Breadth of testing
• 10,000+ applications
• 18 different industries represented
• 5 continents
• Civilian and Defense agencies across US Government
• Vendor management and internal management
• Development teams from 1 to 10,000s
• Third party reviews
Thank you
Security Testing
HP Fortify Static Code Analyzer (SCA)
Static analysis – find and fix security issues in your code during development
Features:
• Automate static application security testing to identify security vulnerabilities in application source code during development
• Pinpoint the root cause of vulnerabilities with line-of-code details and remediation guidance
• Prioritize all application vulnerabilities by severity and importance
• Supports 21 languages, 500+ vulnerability categories
HP WebInspect
Dynamic analysis – find critical security issues in running applications
Features:
• Quickly identify risk in existing applications
• Automate dynamic application security testing of any technology, from development through production
• Validate vulnerabilities in running applications, prioritizing the most critical issues for root-cause analysis
• Streamline the process of remediating vulnerabilities
Secure Development
HP Fortify Software Security Center server
Management, tracking and remediation of enterprise software risk
Features:
• Specify, communicate and track security activities on software projects
• Role-based, process-driven management of the software security program
• Integrations into key development environments: build integration, defect tracking, source control, 3rd party analysis engines
• Flexible repository and reporting platform for security status, trending and compliance: normalized, correlated vulnerability repository; aggregated risk metrics
Secure Development Tools
Manage remediation and audit workflows
Online collaboration
• Reduce overhead of engaging development: easy web-based, IDE-like navigation; consistent presentation & auditing
• Defect-tracking integration: one-click integration; deep link back for details
Developer IDE plug-ins
• View results and manage remediation
Audit Workbench
• Security auditor view of the process
Protect
Fortify Runtime Technology
Diagram: the monitor runs inside the application server alongside the target program. A rule names a program point in the target program; when execution reaches it, the monitor raises an event, which passes down the event handler chain. Each event handler can log the event or produce an action.
An action can change the state of the target program. It could throw an exception, show a message, or modify variable values.
Application Visibility is Limited
The IT SOC sees the OS, databases and storage; IPS, routers, switches, firewalls and DLP; servers, IAM and networking. Applications are the gap.
Application logs:
• Few or uninteresting details
• No logs at all
• Require custom connectors
Introducing Application View: ArcSight ESM with Application View
Know your apps. Know your users. Know your data!
The same IT SOC picture (OS, databases, storage; IPS, routers, switches, firewalls, DLP; servers, IAM, networking), now with applications covered.
• Retro-fits applications with security event logs
• No change to application required
• Out-of-box ready for ArcSight ESM
Application View: What is it?
Application View provides software application log visibility for security event analysis and correlation to help you:
Know your apps
• Remove the blind spot
• Application intelligence
• Application monitoring
• Out of the box views
Know your users
• Monitor user access
• Identity fraud
• Track user activity
• Protect against ID theft
Know your data
• Track resource access
• Identify data leakage
• Review security forensics
• Identify application errors
Application View: How does it work?
1. A runtime agent is installed on the app server (Java & .Net apps).
2. Application events, from apps and users, are turned into security events, logged and sent to ESM in CEF format via a syslog connector.
3. ArcSight ESM gathers, correlates and reports on the triggered events, with out-of-the-box dashboards and reports.
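The rule / event / handler chain / action model on the Runtime Technology slide and the CEF-over-syslog path on this slide, as one added example that is not HP Fortify code: a toy monitor written in Python (the real agents target Java and .Net; Python is used only so the example runs stand-alone). The vendor, product and version strings, the signature IDs, the db.query program point and the card/param field names are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Event:
    program_point: str    # where in the target program the rule fired
    user: str
    args: Dict[str, str]  # call arguments; a handler may rewrite them in place
@dataclass
class Action:
    kind: str             # "log", "modify" or "throw"
    detail: str = ""      # CEF line to emit, or the reason for the throw

def cef(sig_id: str, name: str, severity: int, ext: Dict[str, str]) -> str:
    """ArcSight CEF line: header fields escape '|', extension values escape '='."""
    hdr = [s.replace("\\", "\\\\").replace("|", "\\|") for s in
           ("CEF:0", "ExampleCo", "ToyRuntime", "1.0", sig_id, name, str(severity))]
    val = lambda s: s.replace("\\", "\\\\").replace("=", "\\=")
    return "|".join(hdr) + "|" + " ".join(f"{k}={val(v)}" for k, v in ext.items())

class Monitor:
    def __init__(self, rules: Dict[str, List[Callable[[Event], Optional[Action]]]]) -> None:
        self.rules = rules          # program point -> event handler chain
        self.log: List[str] = []    # stands in for the syslog connector to ESM
    def hook(self, program_point: str, user: str, **args: str) -> Dict[str, str]:
        """Called from the instrumented program point; returns the possibly modified args."""
        ev = Event(program_point, user, dict(args))
        for handler in self.rules.get(program_point, []):   # run the chain in rule order
            act = handler(ev)
            if act and act.kind == "log":
                self.log.append(act.detail)
            elif act and act.kind == "throw":                # block: log it, then unwind the request
                self.log.append(cef("1003", "Request blocked", 9, {"suser": user, "msg": act.detail}))
                raise PermissionError(act.detail)
        return ev.args

def mask_pan(ev: Event) -> Optional[Action]:
    """Modify action: a full card number never reaches the sink or the log."""
    if "card" in ev.args:
        ev.args["card"] = "*" * 12 + ev.args["card"][-4:]
        return Action("modify")
def audit(ev: Event) -> Action:
    """Log action: one CEF event per call at this point (the visibility the slides describe)."""
    return Action("log", cef("1001", "DB query", 3, {"suser": ev.user, **ev.args}))
def block_sqli(ev: Event) -> Optional[Action]:
    """Throw action: stop the request when a parameter carries a quote-and-OR tautology."""
    p = ev.args.get("param", "").lower()
    if "'" in p and " or " in p:
        return Action("throw", "SQL injection signature in param")
```

Wire the chain as `Monitor({"db.query": [mask_pan, audit, block_sqli]})` and call `hook("db.query", user, ...)` where the instrumented program point would sit; handler order matters, since masking must run before the audit log is written.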
HP Application Defender – Application Security Simplified 1,2,3
Visibility: actionable information through interactive dashboards and alerts
Protection: stop attacks from inside the application
Simplicity: install quickly and easily with a three-step deployment; get protection up and running in minutes
HP Application Defender Solution
Diagram: Applications connect to HP Application Defender over a Secure Command/Event Channel (443); pillars: Simplicity, Visibility, Protection.
Simplicity
• Quick installation: up and running in less than 5 minutes, 3 easy steps
• Easy “in service” updates: rulepack, agent binary
• Accurate application protection and grouping
Visibility
• Quick access to specific vulnerability events
• Easy filtering of real-time and historical data
• Accurate presentation of event trigger and stack trace detail
Protection
• Quick protection against attacks from within your application
• Easy identification of top vulnerability events by criticality
• Accurate results from within application logic and data flows
Summary
Summary: Find, Fix and Fortify
HP Fortify Software Security Center
1. Find & fix security issues in development
2. Fortify applications against attack
3. Save money in development
4. Reduce risk from applications
Thank you