Développement sécurisé avec Microsoft.Net et HP Fortify (Secure development with Microsoft .Net and HP Fortify)

Integrating application security into the software lifecycle: risk control and cost reduction. HP Fortify Static Code Analyzer, a Microsoft .Net plug-in for automatically detecting and eradicating, at the source, the coding errors that could lead to security breaches. Session presented by the partner: HP.

Speakers : Haleh Nematollahy (HP)

Published in: Technology
  • Hi, my name is [Name]. I work as a [Title/ Role] at HP, in the Enterprise Security Products business unit. Today, I'll be talking about application security and why governments and modern enterprises need it. What is application security? Simply put, it is about ensuring that every single line of code is secure and that every single software application, whether it is built for the desktop, the cloud or a mobile device, is safe from cyber attackers and hackers. The goal here is to eliminate exploitable security risk in software at the application code level, making it immune to attack even if intruders get past perimeter defenses.
  • As an industry we have become much more effective at protection at the network and operating system level. From NIPS to AV and DLP, these security controls have served a purpose and continue to do so. However, the bad guys continue to innovate, infiltrate and attack. They are increasingly attacking the new 'weakest link': the applications. According to Gartner, 84% of new breaches take advantage of threats that are associated with the applications. A February 2013 Frost & Sullivan study released in Information Week stated that 69% of CISOs listed application security as their biggest threat. There are a number of reasons why applications are the new weakest link; 3 key takeaways are: the proliferation of software apps (from legacy SW to mobile apps for your iPhone, security teams now have to try to keep up with fast application delivery, and not all applications are tested before launch); security teams have not historically been responsible for software security; and when you combine this with the increased leverage of attack tools like Zeus, or the favorite of Anonymous, something different is going on, and we need to pay attention to these changes if we are going to improve our success rate. The challenge then centers on applications and visibility into the risks.
  • Fortify gives you advanced technologies to ensure your applications are secure. Fortify inspects applications at the source code level (static testing) and while they are running (dynamic testing). Fortify supports more languages than any other application security vendor, with significant strengths in the area of mobile application security. But it's not just built for custom applications: Fortify can determine whether vulnerabilities exist in commercial, custom and open source applications. And, even more differentiated, Fortify can be delivered as software you purchase or as a service. With unmatched flexibility and depth of coverage, Fortify ensures you have a world class application security program in place.
  • Transcript of "Développement sécurisé avec Microsoft.Net et HP Fortify" (Secure development with Microsoft .Net and HP Fortify)

    1. HP Fortify Software Security Center and Microsoft VS .Net. Haleh Nematollahy, Security Solutions Architect, HP Enterprise Security Products, Fortify. Sécurité
    2. Applications: the target of cyberattacks. #mstechdays Sécurité
       • Layers: Networks, Hardware, Applications, Intellectual Property.
       • Security measures in place today: Switch/Router security, Firewalls, NIPS/NIDS, VPN, Net-Forensics, Anti-Virus/Anti-Spam, DLP, Host FW, Host IPS/IDS, Vuln. Assessment tools.
       • Intellectual property at stake: Customer Data, Business Processes, Trade Secrets.
    3. The problem: 84% of breaches are at the application level (*Gartner, 2013).
    4. Security: the challenge.
       • Securing legacy applications; certifying new releases; validating compliance; purchasing secure software.
       • Software sources: In-house development, Outsourced, Open source, Commercial.
    5. The current approach: reactive and expensive.
       • Step 1: Someone builds software with flaws (in-house, outsourced, commercial, open source).
       • Step 2: IT deploys the bad software.
       • Step 3: We get hacked, or we pay someone to tell us our code is bad ($).
       • Step 4: Convince and pay a developer to fix it ($$).
    6. Fixing things late is frustrating: 30x more costly to secure in production. Chart: relative cost (2X, 5X, 10X, 15X, 30X) against the phase in which a flaw is fixed (Requirements, Coding, Integration/component testing, System testing, Production). Once an application is in production, the cost of remediation is 30x higher. Source: NIST
    7. Interim approach: safer and cost-effective.
       • Step 1: Existing or newly created software (in-house, outsourced, commercial, open source).
       • Step 2: Implement security checkpoints to determine whether the software is resilient before deploying to production.
       • Step 3: Work with the developers to locate and fix vulnerabilities.
       • Step 4: Monitor and protect software running in production.
       • Result: Good code.
    8. HP Fortify Software Security Center: find and fix security problems during development; fortify applications against attacks. Covers in-house, commercial, outsourced and open source software.
       • Save on security, audits and pen tests.
       • Reduce software risk with a minimum of effort and cost.
       • Protect applications against attacks by removing security flaws during development.
    9. Fortify Solutions.
       • Static Analysis: static analysis via build integration with the Source Code Mgt System; IDE plug-ins for MS Visual Studio; developers (onshore or offshore).
       • Dynamic Analysis: dynamic testing in QA or production.
       • Runtime Analysis: real-time protection of the running application against actual attacks (hackers).
       • Vulnerability Management: normalization, correlation and remediation; a vulnerability database that correlates target vulnerabilities with common guidance and scoring across the application lifecycle; defects, metrics and KPIs used to measure risk (static, dynamic, runtime); threat intelligence and rules management; development, project and management stakeholders.
    10. Software scanning process.
       • Developers check in code from MS VS to the code repository.
       • Scheduled check-out, build and scan on TFS: Static Code Analysis (SCA) produces an .fpr file.
       • Scan results are uploaded to Fortify SSC; the auditor / security team reviews the results.
       • Findings are submitted to the bug tracker (MS TFS); the developer fixes the bug / security finding.
       • Repeat the scan / fix cycle as necessary.
    11. Design/UX/UI
    12. HP Fortify Software Security Center and MS VS .NET (demo).
       • Scan/analyse Webgoat.Net with Fortify SCA in MS VS 2013 .Net.
       • Review the results in VS 2013.
       • Fix SQLi and XSS in VS 2013.
       • Scan/analyse again with Fortify SCA in MS VS 2013.
       • Upload the results to Fortify Software Security Center.
       • Demonstration of Software Security Center.
       • Generate reports.
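As an added example that is not part of the deck or of WebGoat.NET, this is the kind of fix the demo's "Fix SQLi and XSS in VS 2013" step makes, in C#: a lookup written with string concatenation and raw HTML output, which a static analyzer such as Fortify SCA reports as SQL Injection and Cross-Site Scripting, beside its hardened form. The connection string, table and column names are assumptions.

```csharp
// Constructed example (not WebGoat.NET's code): the vulnerable lookup and its fix.
// Assumes a SQL Server database with a Users(UserName, Email) table.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class AccountLookup
{
    // VULNERABLE: user input is concatenated into the SQL text, so a quote
    // character in userName changes the statement the database executes.
    public static string FindEmailUnsafe(string connStr, string userName)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
            conn.Open();
            var email = cmd.ExecuteScalar() as string;
            // VULNERABLE: the value is written into HTML without encoding, so any
            // markup stored in the Email column is rendered by the browser.
            return "<p>Email: " + email + "</p>";
        }
    }

    // HARDENED: the SQL text is constant; the value travels as a typed parameter,
    // so the database never parses it as part of the statement.
    public static string FindEmailSafe(string connStr, string userName)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT Email FROM Users WHERE UserName = @userName";
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            var email = cmd.ExecuteScalar() as string ?? string.Empty;
            // HARDENED: encode for the HTML context before the value is emitted.
            return "<p>Email: " + HttpUtility.HtmlEncode(email) + "</p>";
        }
    }
}
```

After the fix, a rescan with Fortify SCA (the next step of the demo) should no longer report either finding on these two lines, which is the rescan's purpose.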
    13. Find, fix and fortify: HP Fortify Software Security Center.
       • 1 Find & Fix: find and fix security problems in MS .Net development.
       • 2 Fortify: fortify applications against attacks.
       • 3 Save: save on development.
       • 4 Reduce: reduce application risk.
    14. Thank you. Digital is business. Merci. Thank you.