Rational application-security-071411
  • Web applications are the greatest source of risk for organizations today, and Rational application security can allow organizations to address the root cause of this risk. That’s a significant statement because there are other application security solutions out there that are more about protection and patching and don’t address the root cause. We leverage a mix of technologies, both static and dynamic, to enable the right use cases. So not only do we speak to the technologies, but we focus on building the right solution for the right stakeholder, whether you’re talking to a security auditor, build manager, developer or QA tester. We’ve built our portfolio to support these different use cases. And beyond that, AppScan is a key part of IBM’s full solution view of application security, so we’re not just a point solution like many of the tier-two competitors that we see in the market. We’re a full solution for application vulnerability management, but we’re also a full solution for application security, from vulnerability management to identity and access management to application firewalls and IPSs. So there’s a full story that we’ll get into shortly, but in summary: we’re a comprehensive application vulnerability management solution.
  • Some new stats that may be new to your customer if they’re not already aware of the severity and prevalence. Verizon Business, in their report from 2009, found that 285 million records were compromised. We married this data point with Ponemon’s research that a compromised record costs an organization $204 per record, and that translates to over $58 billion in cost to corporations. That’s a pretty significant problem and one that CIOs and CSOs can’t ignore.
  • There are multiple sources of breach cost, but the key point on this slide is that you should fix security issues early in the process. If that doesn’t happen, if the flaw gets into the field and there’s a breach as a result, the cost of a security flaw is exponentially higher than what is typically seen for a functional flaw. And these costs to organizations come in many different forms: government litigation, brand damage, lost revenue, cost of repair and audits.
  • More data from the IBM X-Force year-end report. Web application vulnerabilities are the largest category of vulnerability disclosures, representing about half of all disclosed vulnerabilities.
  • Why are applications so vulnerable? Developers are mandated to deliver functionality on time and on budget, not to develop secure applications, so security is not a priority for them. They’re also not generally educated in secure coding practices. Additionally, product innovation, the whole smarter planet discussion, is driving development of increasingly complex software. We’re all over that. When developers’ limits are being stretched, they focus on the functionality of those applications, not the security, and increasing complexity generally increases risk within these applications. And of course, as we continue to see, network scanners don’t find application vulnerabilities and firewalls and IPSs don’t block application attacks. So what’s happening is that we continue to see volumes of applications deployed that are riddled with security flaws and that are also non-compliant with industry regulations.
  • These new risks are significant drivers for security products: there’s an increase in complexity, and of course compliance continues to be a main focal point in these discussions.
  • Security should be built into the development process vs. bolted on. Testing for vulnerabilities should be a seamless part of development that happens throughout the development lifecycle.
    Integrated testing solution for developers, QA, Security and Compliance stakeholders: an integrated solution that allows for testing at all steps of software delivery, from coding, build, QA and audit to production.
    Leverage the best of both leading testing technologies: solutions leverage a combination of Blackbox + Whitebox technologies.
    Effortless security: developers should not have to be security experts; tools should be easy to configure and results should be accurate.
    Governance, reporting and dashboards: central control over test policies; visibility through dashboards and reports.
    Facilitate collaboration between development and security teams: issues can be assigned and tracked.

Rational application-security-071411 Presentation Transcript

  • 1. IBM Security Solutions
    IBM Rational Application Security
  • 2. Agenda
    Current Trends in Application Security
    The Solution
    Strategies for Customer Success
    Rational AppScan Suite
    IBM Application Security Coverage
  • 3. Executive Summary
    Web applications are the greatest source of risk for organizations
    Rational Application Security enables organizations to address root cause of this risk
    AppScan leverages a mix of technologies (static & dynamic)
    AppScan is a key part of IBM Security’s full solution view of application security
    Rational AppScan Suite enables Comprehensive Application Vulnerability Management
  • 4. The Costs from Security Breaches are Staggering
    285 Million records compromised in 2008 (Verizon 2009 Data Breach Investigations Report)
    $204 Cost per Compromised Record (Ponemon 2009-2010 Cost of a Data Breach Report)
    Translates to $58.1B Cost to Corporations
  • 5. Sources of Security Breach Costs
    Unbudgeted Costs:
    • Customer notification / care
    • Government fines
    • Litigation
    • Reputational damage
    • Brand erosion
    • Cost to repair
    [Chart: cost of a Security Flaw vs. a Functional Flaw across Development, Test and Deployment, on a scale of 1x, 10x and 1,000,000x (Damage to Enterprise)]
  • 6. Web Applications are the greatest risk to organizations
    • Web application vulnerabilities represented the largest category in vulnerability disclosures
    • In 2009, 49% of all vulnerabilities were Web application vulnerabilities
    • SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
    IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
  • 7. Why are Web Applications so Vulnerable?
    Developers are mandated to deliver functionality on-time and on-budget - but not to develop secure applications
    Developers are not generally educated in secure code practices
    Product innovation is driving development of increasingly complicated software for a Smarter Planet
    Network scanners won’t find application vulnerabilities and firewalls/IPS don’t block application attacks
    Volumes of applications continue to be deployed that are riddled with security flaws…
    …and are non-compliant with industry regulations
  • 8. Clients’ security challenges in a smarter planet
    Key drivers for security projects:
    Increasing Complexity: Soon, there will be 1 trillion connected devices in the world, constituting an “internet of things”
    Rising Costs: The cost of a data breach increased to $204 per compromised customer record
    Ensuring Compliance: Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billion in 2010
    Source: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html
  • 9. Market Drivers
    Regulatory & Standards Compliance
    eCommerce: PCI-DSS, PA-DSS
    Financial Services: GLBA
    Energy: NERC / FERC
    Government: FISMA
    User demand
    Rich application demand is pushing development to advanced code techniques – Web 2.0 introducing more exposures
    Cost cutting in current economic climate
    Demands increased efficiencies
    “Cyber Blitz Hits U.S., Korea Websites” — WSJ, July 9th, 2009
    “Web-based malware up 400%, 68% hosted on legitimate sites” — ZDnet, June 2008
    “Hackers Break Into Virginia Health Website, Demand Ransom” — Washington Post, May, 2009
  • 10. Agenda
    Current Trends in Application Security
    The Solution
    Strategies for Customer Success
    Rational AppScan Suite
    IBM Application Security Coverage
  • 11. The Solution - Security for Smarter Products
    • Smarter Products require secure applications
    • Security needs to be built into the development process and addressed throughout the development lifecycle
    • Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:
    • Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders
    • Leverage multiple appropriate testing technologies (static & dynamic analysis)
    • Provide effortless security that allows development to be part of the solution
    • Support governance, reporting and dashboards
    • Can facilitate collaboration between development and security teams
  • 12. Cost is a Significant Driver
    80% of development costs are spent identifying and correcting defects!*
    The increasing costs of fixing a defect:
    During the coding phase: $80/defect
    During the build phase: $240/defect
    During the QA/Testing phase: $960/defect
    Once released as a product: $7,600/defect + law suits, loss of customer trust, damage to brand
    *National Institute of Standards & Technology
    Source: GBS Industry standard study
    Defect cost derived by assuming it takes 8 hrs to find, fix and repair a defect when found in code and unit test. Defect FFR (find, fix and repair) cost for other phases calculated by using the multiplier on a blended rate of $80/hr.
  • 13. Make Applications Secure, by Design
    Cycle of secure application development
    Design Phase
    • Consideration is given to security requirements of the application
    • Issues such as required controls and best practices are documented on par with functional requirements
    Development Phase
    • Software is checked during coding for:
    • Implementation error vulnerabilities
    • Compliance with security requirements
    Build & Test Phase
    • Testing begins for errors and compliance with security requirements across the entire application
    • Applications are also tested for exploitability in deployment scenario
    Deployment Phase
    • Configure infrastructure for application policies
    • Deploy applications into production
    Operational Phase
    • Continuously monitor applications for appropriate application usage, vulnerabilities and defend against attacks
    [Diagram: cycle of Design (Functional Spec), Develop, Build & Test, Deploy, and Manage, Monitor & Defend; also labelled: Outsourcing Partner, Software]
  • 14. ROI Opportunity of Application Security Testing
    Cost Savings – of testing early in the development process (ALM)
    80% of development costs are spent identifying and correcting defects
    Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense
    • Cost of finding & fixing problems: code stage is $80, QA/Testing is $960*
    • Ex: 50 applications annually & 25 issues per application, testing at code stage saves $1.1M over testing at QA stage.
    Cost Savings – of automated vs. manual testing
    • Outsourced audits can cost $10,000 to $50,000 per application
    • At $20,000 an app, 50 audits will cost $1M.
    • With 1 hire + 4 quarterly outsourced audits (ex: $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software)
    Automated testing provides tremendous productivity savings over manual testing
    Automated source code testing with periodic penetration testing allows for cost effective security analysis of applications
    Cost Avoidance – of a security breach
    The cost to companies is $204 per compromised record**
    The average cost per data breach is $6.6 Million**
    Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage
    * Source: GBS Industry standard study
    ** Source: Ponemon Institute 2009-10
  • 15. Agenda
    Current Trends in Application Security
    The Solution
    Strategies for Customer Success
    Rational AppScan Suite
    IBM Application Security Coverage
  • 16. Application Security Maturity Model
    Phases (view of application testing coverage over time; duration 1-2 years):
    UNAWARE PHASE: Doing nothing
    CORRECTIVE PHASE: Outsourced testing
    BOLT ON PHASE: Security testing before deployment
    BUILT IN PHASE: Fully integrated security testing
  • 17. Security Testing Within the Software Lifecycle
    Most Issues are found by security auditors prior to going live.
    [Chart: % of Issues Found by Stage of SDLC (Coding, Build, QA, Security, Production)]
  • 18. Security Testing Within the Software Lifecycle
    Desired Profile
    [Chart: % of Issues Found by Stage of SDLC (Coding, Build, QA, Security, Production)]
  • 19. Security Testing Within the Software Lifecycle
    Application Security Testing Maturity
    [Chart: stages of the SDLC (Coding, Build, QA, Security, Production), with Developers labelled across three of the stages]
  • 20. Agenda
    Current Trends in Application Security
    The Solution
    Strategies for Customer Success
    Rational AppScan Suite
    IBM Application Security Coverage
  • 21. Rational ALM Integrations
    [Diagram, by lifecycle stage:]
    Development (Application Developer): Rational AppScan Source Ed Developer, Source Ed Remediation, Enterprise QuickScan
    Build (Build Forge): Rational AppScan Source for Automation, Standard Ed
    QA (Quality Manager, ClearQuest): Rational AppScan Tester Ed for RQM
    Security / Compliance: Rational AppScan Standard Ed, Source Ed for Security
    Also shown: Rational AppScan Enterprise portal, Rational AppScan Source Ed Core
  • 22. Security Testing Technologies... Combination Drives Greater Solution Accuracy
    Static Code Analysis (Whitebox): scanning source code for security issues
    Dynamic Analysis (Blackbox): performing security analysis of a compiled application
    [Diagram: Static Analysis and Dynamic Analysis as overlapping regions within Total Potential Security Issues; their combination gives the Best Coverage]
  • 23. Agenda
    Current Trends in Application Security
    The Solution
    Strategies for Customer Success
    Rational AppScan Suite
    IBM Application Security Coverage
  • 24. IBM Web application security for a smarter planet
    End-to-end Web application security
    Rational AppScan: Secure code development and vulnerability management
    • Identify vulnerabilities and malware
    • Actionable information to correct the problems
    Tivoli I&AM: Manage secure Web applications
    • Ongoing management and security with a suite of identity and access management solutions
    ISS IPS: Protect Web applications from potential attacks
    • Block attacks that aim to exploit Web application vulnerabilities
    • Integrate Web application security with existing network infrastructure
    WebSphere DataPower: Deliver security and performance in Web services and SOA
    • Purpose-built XML and SOA solutions for security and performance