Enkitec eSERT Overview
Security in information technology is more critical today than it ever has been. Breaches are unfortunately all too common. As an APEX developer, securing your applications falls squarely on your shoulders. However, security often becomes an afterthought, if it gets addressed at all. For this reason, we developed eSERT. eSERT is an APEX application that quickly evaluates your APEX applications for common security vulnerabilities and provides step-by-step instructions on how to mitigate them. eSERT is not just an evaluation tool: it is also designed to be used by your developers during your development process, as it is fully integrated with the APEX development environment. Whether you have a single APEX application or hundreds of them, eSERT can help ensure that they are as secure as they can possibly be.

  • Notes
    • Welcome to the sumnevaSERT demonstration. sumnevaSERT is an APEX-based tool that evaluates your APEX applications for common security vulnerabilities and provides the required steps to fix them.
    • here millions of e-mail addresses and their corresponding owner names were compromised.
      Most, if not all, of these events could have been prevented. However, we live in a reactive society; we don't make changes until the breach occurs, which is always too late.
    • In today's world, our customers expect quick turnaround for all things IT, including the applications which we're all charged with developing. This pressure falls squarely on our shoulders, and we often knowingly take shortcuts that we know are wrong, as that's the only way we can meet our deadlines.
    • Unfortunately, we have all become quite the experts at making excuses for taking these shortcuts:
      - Not enough time
      - No one cares enough about the application to steal the data
      - It's internal only (which is the biggest threat, since most data is stolen by authorized users)
      - Our users can barely use the system, let alone hack it (but what you may not be considering is their willingness to give their credentials to someone who can hack it)
      - We run Oracle, Oracle is secure, thus our applications are secure
    • All of these excuses spell out a recipe for disaster. Given the stresses that we're under, combined with the lack of time we have to complete our development, it's not only possible but probable that our applications, APEX and otherwise, have security vulnerabilities that we could easily fix, if we only had the time to identify them.
    • This is why we developed sumnevaSERT, which stands for Security Evaluation & Review Tool. sumnevaSERT is designed to quickly evaluate and identify common security vulnerabilities in your APEX applications.
      It will run on both APEX 3.2 and 4.0, and supports any edition of the Oracle Database, as long as it's 10gR2 or greater.
      It can even be completely customized to meet your organization's specific security and/or QA requirements.
    • sumnevaSERT will not secure everything. It is simply a layer in your security plan. But it's a powerful layer, as the threats that it will identify and help you mitigate will make your APEX applications much more secure.
      You'll still need a strong overall security policy, which should include, but not be limited to, strong passwords, physical access control, code audits and security best practices.
    • Licensing will be done on a per-instance basis. If you have any questions about pricing, please contact Sumneva at sales@sumneva.com or by calling us at 703-879-4615.
    • Thank you for taking the time to watch this overview of sumnevaSERT. Please visit sumneva.com for more information on our services.
  • Transcript

    • 1. Enkitec eSERT v2
      Scott Spendolini, Executive Director, Enkitec
    • 2. Welcome
    • 3. About Enkitec
      - Oracle Platinum Partner; established in 2004; headquartered in Dallas, TX; locations throughout the US & EMEA
      - Specialties include: Exadata implementations; development services (PL/SQL / Java / APEX); DBA / data warehouse / RAC; business intelligence
    • 4. Sumneva Acquisition
      - On June 22nd, 2012, Enkitec acquired Sumneva: sumnevaSERT is now called eSERT; sumnevaFramework is now called eFramework
      - Enkitec is as committed as ever to APEX products, services & training: eSERT v2; eSERT Cloud; at least two more products for APEX developers in CY2012
    • 5. Agenda: Overview; eSERT 2.0; eSERT Cloud; Summary
    • 6. Overview
    • 7. Insecurities
      - We live in a time where the security of data is the most emphasized yet least practiced thing
      - It is almost impossible to keep up with how many sites have been compromised anymore
      - Unfortunately, adding security to our applications is almost always event-driven or reactive
    • 8. Customer Demand
      - Despite this, we're all tasked with quickly developing applications for our customers/clients
      - Often we take shortcuts and leave things out, like security: not because we want to, but because we have to
    • 9. Excuses, Excuses...
      - We make many, many excuses to ourselves as to why we didn't adequately secure our applications: not enough time; no one cares about the data/application; it's "internal only"; our users are not smart enough to do anything malicious; a false sense of security
    • 10. Recipe for Disaster
      - Given the stresses of getting our applications released quickly and the lack of time we have to do so, our applications, APEX and otherwise, are likely to have security vulnerabilities that we could easily fix, if we only knew what they were and had the time...
    • 11. eSERT 2.0
    • 12. eSERT 2.0
      - eSERT: Security Evaluation & Recommendation Tool
      - APEX application designed to evaluate and identify potential security issues in other APEX applications
      - Supports both APEX 4.0 & 4.1; APEX 4.2 support shortly after release
      - Oracle Database 10gR2 or later
      - Runs in and is integrated with your APEX workspace; single-workspace install in eSERT 2.1
      - Designed to be a part of your development process
    • 13. How it Works
      - eSERT evaluates your application's metadata for potential security issues; an evaluation takes only a few seconds to run
      - The result is an interactive APEX application that allows developers to easily explore and mitigate potential threats; each application is scored based on eSERT's findings
      - Designed to clearly identify what needs attention and steer developers or managers in that direction
    • 14. Classifications
      - eSERT inspects APEX applications and reports on threats in five classifications: URL tampering, cross-site scripting, SQL injection, application settings and page settings
    • 15. Scoring
      - Evaluations in eSERT produce three scores:
        Raw: the actual results of the evaluation
        Pending: the raw score plus any exception, approved or not, that developers have put in place to justify existing threats
        Approved: the raw score plus all approved exceptions
    • 16. Results
      - eSERT assigns a status and color code to every component it evaluates: Pass, Approved, Pending, Fail, Rejected, Stale
    • 17. Complete Evaluation
      - eSERT evaluates all components of an application, regardless of their condition and authorization scheme; nothing gets skipped
      - eSERT can be pre-configured with a set of valid values, which can be changed or augmented depending on your interpretation or business needs
    • 18. "Security is not a product, but rather a process."
    • 19. Ongoing Evaluation
      - eSERT allows developers to add exceptions for false positives and acceptable risks
      - All exceptions must be reviewed and approved by a manager before the "approved" score increases
      - As exceptions are logged, the value of the attribute in question is also captured; if this value changes at any time, the exception is instantly flagged as "stale" and requires re-approval
    • 20. Without eSERT
      - Correcting each additional security vulnerability may cause other functional issues; thus, a high number of vulnerabilities corrected at once will yield more functional defects
      [Chart: vulnerabilities over time, 2007-2009]
    • 21. With eSERT
      - Using eSERT to keep security vulnerabilities to a minimum reduces the number of functional defects introduced
      [Chart: vulnerabilities over time, 2007-2009]
    • 22. New Features Summary

      Feature                    Version 2.0 (APEX 4.0)   Version 2.1 (APEX 4.1)
      Exceptions & Notations     ✓                        ✓
      Social Stream              ✓                        ✓
      Enhanced UI                ✓                        ✓
      PDF Reports                ✓                        ✓
      Import/Export              ✓                        ✓
      Scheduled Evaluations                               ✓
      Single Workspace Install                            ✓
      SaaS (eSERT Cloud)         Cloud only               Cloud only

    • 23. eSERT v2 Demonstration
    • 24. eSERT Cloud
    • 25. eSERT Cloud
      - eSERT Cloud is an affordable hosted service where anyone can upload their APEX applications and get an instant security evaluation via eSERT
      - Interactive dashboard with summary results
      - PDF summary report (typically 100+ pages)
    • 26. How it Works: 5 Simple Steps
      1) Create an account at http://enkitec.com/sert
      2) Request a workspace to upload your APEX applications into
      3) Purchase evaluation credits (1 credit = 1 application evaluation)
      4) Select an application to evaluate
      5) View and/or download the results
    • 27. eSERT Cloud Demonstration
    • 28. Summary
    • 29. Summary
      - eSERT provides you with the ability to easily and quickly identify and remedy most APEX security vulnerabilities
      - It's designed to be used both during and after development, not as a checkpoint at the end
      - As a side effect, your developers will become more security-conscious by using eSERT and incorporate secure best practices by default
    • 30. Customers Across All Industries
      Private sector:
      - Multi-channel retailer: massive application with over 300 concurrent users
      - Major defense contractor: hundreds of applications
      - Major healthcare provider: internet-facing e-commerce application
      - Higher education: multiple major universities; access to student and research information
      Public sector:
      - Intelligence agency: over 100 internal applications
      - Local government: internal applications
      - Civilian agency: infrastructure management
      - DoD agency: logistical reports and info
    • 31. Statement of Direction
      - Version 2.2, Q4 2012: APEX 4.2 support (based on actual release date); additional reports and analytics; scheduled evaluation enhancements; Team Development integration
    • 32. Licensing
      - eSERT: per instance of APEX, per APEX workspace, or per APEX application
      - eSERT Cloud: per evaluation of an application; volume discounts available
    • 33. Want More Details?
      - Contact us for details and pricing: sales@enkitec.com; Americas +1 972 607 3751; EMEA +44 7944 654510; http://www.enkitec.com/sert
    • 34. http://www.enkitec.com
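The scoring and exception rules on slides 15, 16 and 19 (raw, pending and approved scores; the Pass/Approved/Pending/Fail/Rejected/Stale statuses; and the attribute value captured with each exception so that a later change turns it stale) are the part of the deck a practitioner would want to see pinned down. The Python below is an added example written for this page, not eSERT's own code: the findings are constructed sample data, the check names such as session_state_protection are placeholders, the scores are expressed as the percentage of components that count as passing, and the choice that a rejected or stale exception counts as a failure in every score is an assumption the slides do not state explicitly.

```python
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Tuple

# Component statuses named on slide 16.
PASS, FAIL, PENDING, APPROVED, REJECTED, STALE = (
    "Pass", "Fail", "Pending", "Approved", "Rejected", "Stale")


@dataclass(frozen=True)
class Finding:
    """Result of one check against one component attribute."""
    component: str        # page or item the check was run against
    check: str            # rule that produced the finding (placeholder names)
    attribute_value: str  # value of the inspected attribute at evaluation time
    passed: bool


@dataclass
class ExceptionRecord:
    """A developer's justification for a failing finding, plus the manager decision."""
    justification: str
    captured_hash: str        # fingerprint of the attribute value when the exception was raised
    decision: str = PENDING   # PENDING until a manager marks it APPROVED or REJECTED


def fingerprint(value: str) -> str:
    """Hash the attribute value; keeping the hash is enough to detect a later change."""
    return sha256(value.encode("utf-8")).hexdigest()


class Evaluation:
    """Findings from one run plus the exception log that survives re-runs."""

    def __init__(self, findings: List[Finding]) -> None:
        self.findings = findings
        self.exceptions: Dict[Tuple[str, str], ExceptionRecord] = {}

    def refresh(self, findings: List[Finding]) -> None:
        """Replace findings with a new run; exceptions are kept and re-checked."""
        self.findings = findings

    def find(self, component: str, check: str) -> Finding:
        for f in self.findings:
            if (f.component, f.check) == (component, check):
                return f
        raise KeyError((component, check))

    def add_exception(self, component: str, check: str, justification: str) -> None:
        finding = self.find(component, check)
        self.exceptions[(component, check)] = ExceptionRecord(
            justification, fingerprint(finding.attribute_value))

    def decide(self, component: str, check: str, decision: str) -> None:
        if decision not in (APPROVED, REJECTED):
            raise ValueError("decision must be Approved or Rejected")
        self.exceptions[(component, check)].decision = decision

    def status(self, finding: Finding) -> str:
        if finding.passed:
            return PASS
        exc = self.exceptions.get((finding.component, finding.check))
        if exc is None:
            return FAIL
        if fingerprint(finding.attribute_value) != exc.captured_hash:
            return STALE  # attribute changed since the exception was justified
        return exc.decision

    def scores(self) -> Dict[str, float]:
        """Raw, pending and approved scores as a percentage of components."""
        counts: Dict[str, int] = {}
        for f in self.findings:
            s = self.status(f)
            counts[s] = counts.get(s, 0) + 1
        total = len(self.findings)

        def pct(n: int) -> float:
            return round(100.0 * n / total, 1)

        raw = counts.get(PASS, 0)
        approved = raw + counts.get(APPROVED, 0)
        # Assumption: a pending exception lifts only the pending score, while a
        # rejected or stale exception still counts as a failure in every score.
        pending = approved + counts.get(PENDING, 0)
        return {"raw": pct(raw), "pending": pct(pending), "approved": pct(approved)}


def build_sample() -> Evaluation:
    """Constructed findings, not real eSERT output: two pass, three fail."""
    ev = Evaluation([
        Finding("P10_ID", "session_state_protection", "checksum required", True),
        Finding("Page 10", "authorization_scheme", "must not be public user", True),
        Finding("P10_NAME", "session_state_protection", "unrestricted", False),
        Finding("P20_ID", "session_state_protection", "unrestricted", False),
        Finding("Page 30", "authorization_scheme", "none", False),
    ])
    ev.add_exception("P10_NAME", "session_state_protection", "display-only, never read back")
    ev.decide("P10_NAME", "session_state_protection", APPROVED)
    ev.add_exception("P20_ID", "session_state_protection", "to be fixed next sprint")
    return ev


def stale_after_change(ev: Evaluation) -> str:
    """Re-run with P10_NAME's attribute changed but still failing: its exception goes stale."""
    changed = [
        Finding("P10_NAME", "session_state_protection", "changed, still below required level", False)
        if f.component == "P10_NAME" else f
        for f in ev.findings
    ]
    ev.refresh(changed)
    return ev.status(ev.find("P10_NAME", "session_state_protection"))


if __name__ == "__main__":
    ev = build_sample()
    print(ev.scores())                          # raw 40.0, pending 80.0, approved 60.0
    print(stale_after_change(ev), ev.scores())  # Stale; approved drops back to 40.0
```

The point of hashing the attribute value at exception time is that an approval is tied to a specific configuration: when a developer later edits the item or page, the old justification no longer applies, and the approved score falls until a manager looks at it again.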