Web applications are the greatest source of risk for organizations today, and Rational application security can allow organizations to address the root cause of this risk. That is a significant statement, because there are other application security solutions out there that are more about protection and patching and don't address the root cause. We leverage a mix of technologies, both static and dynamic, to enable the right use cases. So we don't only speak to the technologies; we focus on building the right solution for the right stakeholder, whether you're talking to a security auditor, build manager, developer or QA tester. We've built our portfolio to support these different use cases. Beyond that, AppScan is a key part of IBM's full solution view of application security, so we're not just a point solution like many of the tier-two competitors we see in the market. We're a full solution for application vulnerability management, and also a full solution for application security, from vulnerability management to identity and access management to application firewalls and IPSs. There's a full story that we'll get into shortly, but in summary: we're a comprehensive application vulnerability management solution.
Some new stats that may be new to your customer if they're not already aware of the severity and prevalence of the problem. Verizon Business, in their 2009 Data Breach Investigations Report, found that 285 million records were compromised in 2008. We married this data point with Ponemon's research that a compromised record costs an organization $204 per record, which translates to over $58 billion in cost to corporations. That's a pretty significant problem, and one that CIOs and CSOs can't ignore.
There are multiple sources of breach cost, but the key point on this slide is that you should fix security issues early in the process. If that doesn't happen, if the flaw gets into the field and there's a breach as a result, the cost of a security flaw is exponentially higher than what is typically seen for a functional flaw. These costs to organizations come in many different forms: government litigation, brand damage, lost revenue, cost of repair and audits.
More data from the IBM X-Force year-end report: Web application vulnerabilities are the largest category of vulnerability disclosures, representing about half of all vulnerabilities disclosed in 2009.
Why are applications so vulnerable? Developers are mandated to deliver functionality on time and on budget, not to develop secure applications, so security is not a priority for them. They're also not generally educated in secure coding practices. Additionally, product innovation, the whole smarter planet discussion, is driving development of increasingly complex software. When developers' limits are being stretched, they focus on the functionality of those applications, not the security, and increasing complexity generally increases the risk within these applications. And of course there is the discussion we continue to see: network scanners don't find application vulnerabilities, and firewalls and IPSs don't block application attacks. So what's happening is that we continue to see volumes of applications deployed that are riddled with security flaws and are also non-compliant with industry regulations.
These new risks are significant drivers for security products. There is increasing complexity, and of course compliance continues to be a main focal point in these discussions.
Security should be built into the development process rather than bolted on. Testing for vulnerabilities should be a seamless part of development that happens throughout the development lifecycle.
- Integrated testing solution for developers, QA, security and compliance stakeholders: an integrated solution that allows for testing at all steps of software delivery, from coding, build, QA and audit to production.
- Leverage the best of both leading testing technologies: solutions combine black-box and white-box technologies.
- Effortless security: developers should not have to be security experts; tools should be easy to configure and results should be accurate.
- Governance, reporting and dashboards: central control over test policies, with visibility through dashboards and reports.
- Facilitate collaboration between development and security teams: issues can be assigned and tracked.
Transcript of "Rational application-security-071411"
IBM Security Solutions
IBM Rational Application Security
Executive Summary
- Web applications are the greatest source of risk for organizations
- Rational Application Security enables organizations to address the root cause of this risk
- AppScan leverages a mix of technologies (static & dynamic)
- AppScan is a key part of IBM Security's full solution view of application security
Rational AppScan Suite enables Comprehensive Application Vulnerability Management
The Costs from Security Breaches are Staggering
- 285 million records compromised in 2008 (Verizon 2009 Data Breach Investigations Report)
- $204 cost per compromised record (Ponemon 2009-2010 Cost of a Data Breach Report)
- Translates to $58.1B cost to corporations
Sources of Security Breach Costs
Unbudgeted costs:
- Customer notification / care
- Cost to repair
[Chart: relative cost of a flaw by phase (Development, Test, Deployment), scale marks 1x, 10x, 1,000,000x; series: Functional Flaw and Security Flaw (damage to enterprise)]
Web Applications are the greatest risk to organizations
- Web application vulnerabilities represented the largest category in vulnerability disclosures
- In 2009, 49% of all vulnerabilities were Web application vulnerabilities
- SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
Why are Web Applications so Vulnerable?
- Developers are mandated to deliver functionality on-time and on-budget, but not to develop secure applications
- Developers are not generally educated in secure coding practices
- Product innovation is driving development of increasingly complicated software for a Smarter Planet
- Network scanners won't find application vulnerabilities, and firewalls/IPS don't block application attacks
- Volumes of applications continue to be deployed that are riddled with security flaws and are non-compliant with industry regulations
Clients' security challenges in a smarter planet
Key drivers for security projects: increasing complexity, rising costs, ensuring compliance
- Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billion in 2010
- Soon, there will be 1 trillion connected devices in the world, constituting an "internet of things"
- The cost of a data breach increased to $204 per compromised customer record
Source: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html
Market Drivers
Regulatory & standards compliance
- eCommerce: PCI-DSS, PA-DSS
- Financial services: GLBA
- Energy: NERC / FERC
- Government: FISMA
User demand
- Rich application demand is pushing development to advanced code techniques; Web 2.0 is introducing more exposures
Cost cutting in the current economic climate
- Demands increased efficiencies
Headlines:
- "Cyber Blitz Hits U.S., Korea Websites" (WSJ, July 9th, 2009)
- "Web-based malware up 400%, 68% hosted on legitimate sites" (ZDNet, June 2008)
- "Hackers Break Into Virginia Health Website, Demand Ransom" (Washington Post, May 2009)
Cost is a Significant Driver
80% of development costs are spent identifying and correcting defects!*
The increasing costs of fixing a defect:
- During the coding phase: $80/defect
- During the build phase: $240/defect
- During the QA/Testing phase: $960/defect
- Once released as a product: $7,600/defect, plus lawsuits, loss of customer trust and damage to brand
* National Institute of Standards & Technology
Source: GBS Industry standard study. Defect cost derived assuming it takes 8 hrs to find, fix and repair a defect found in code and unit test. Defect FFR (find, fix, repair) cost for other phases calculated by applying the multiplier to a blended rate of $80/hr.
Make Applications Secure, by Design: Cycle of secure application development
Design phase
- Consideration is given to the security requirements of the application
- Issues such as required controls and best practices are documented on par with functional requirements
Development phase
- Software is checked during coding for compliance with security requirements
Build & test phase
- Testing begins for errors and compliance with security requirements across the entire application
- Applications are also tested for exploitability in the deployment scenario
Deployment phase
- Configure infrastructure for application policies
- Deploy applications into production
Operational phase (manage, monitor & defend)
- Continuously monitor applications for appropriate application usage and vulnerabilities, and defend against attacks
[Diagram: lifecycle loop Design → Develop → Build & Test → Deploy; labels: Functional Spec, Outsourcing Partner, Software]
ROI Opportunity of Application Security Testing
Cost savings of testing early in the development process (ALM)
- 80% of development costs are spent identifying and correcting defects*
- Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense
- Cost of finding & fixing problems, example: with 50 applications annually and 25 issues per application, testing at the coding stage saves $1.1M over testing at the QA stage
Cost savings of automated vs. manual testing
- Outsourced audits can cost $10,000 to $50,000 per application
- With 1 hire + 4 quarterly outsourced audits (ex: $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software)
- Automated testing provides tremendous productivity savings over manual testing
- Automated source-code testing with periodic penetration testing allows for cost-effective security analysis of applications
Cost avoidance of a security breach
- The cost to companies is $204 per compromised record**
- The average cost per data breach is $6.6 million**
- Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage
* Source: GBS Industry standard study
** Source: Ponemon Institute 2009-10
Security Testing Within the Software Lifecycle
[Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production), current profile. Most issues are found by security auditors prior to going live.]
[Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production), desired profile.]
IBM Web application security for a smarter planet: end-to-end Web application security
Rational AppScan: secure code development and vulnerability management
- Identify vulnerabilities and malware
- Actionable information to correct the problems
Tivoli I&AM: manage secure Web applications
- Ongoing management and security with a suite of identity and access management solutions
ISS IPS: protect Web applications from potential attacks
- Block attacks that aim to exploit Web application vulnerabilities
- Integrate Web application security with existing network infrastructure
WebSphere DataPower: deliver security and performance in Web services and SOA
- Purpose-built XML and SOA solutions for security and performance