HP Fortify on Demand

  • My name is [Name]. I work at HP as a [Title] in the Enterprise Security Products group. Today, we'll talk about application security, particularly around our cloud testing solution. HP Fortify on Demand is a Security-as-a-Service testing solution that allows any organization to test the security of software quickly, accurately, and affordably. Our automated on-demand service helps solve two key challenges facing organizations, large and small:
    • Ensuring the security of applications licensed from 3rd parties
    • Increasing the speed and efficiency of building security into a development lifecycle
  • What problem are we solving?
  • In the information economy, applications are everywhere. You have: applications that are being designed and conceptualized by your business leaders; applications that are being coded and developed by your engineers and IT analysts; and applications that are running and supported in the Production environment. These legacy applications can be developed in-house or procured from 3rd party sources.
  • For applications developed internally, you have more control over the quality and security. However, no doubt, the majority of your applications come from 3rd party vendors: purchased and licensed from commercial off-the-shelf (COTS) vendors, outsourced to contractors across different geographies, and obtained from the open source community. With 3rd party applications, you do not have access to the source code. With your 3rd party applications, ask yourself these questions:
    • COTS: How do you know that the mission-critical software you purchased is secure?
    • Outsource: Has your outsourced code been rigorously developed and tested to your standards?
    • Open Source: Who is ultimately responsible for security when code is open source?
  • You need to start testing all your applications immediately. However, this can be an overwhelming endeavor. You need large upfront capital and human investments:
    • Hardware to procure, set up and maintain for the test/staging environment
    • Software to procure, install and maintain to automate the testing
    • People with the right expertise and experience in security to hire, train and retain
    • Process to define and refine so that everything is standardized and efficient
  • Meanwhile, hackers and cyber attackers are not sitting idly on the sidelines. They will continue to test your defenses to find a way in. At the same time, you have to keep your business running. Your applications are still being developed, procured from vendors and supported in production.
  • So what are you going to do? You need to get started right away.
  • The solution: HP Fortify on Demand.
    • Simple: application security results in days with no costly upfront investments.
    • Fast: get results in < 1 day for all your mobile, desktop and cloud applications.
    • Flexible: application testing your way, on premise or on demand.
  • How does it work? Fortify on Demand offers a very quick and easy process. You upload your code, the executable (we don't need the source code), or you provide the URL if you also want dynamic penetration testing. Fortify on Demand conducts 3 different types of analysis: static analysis, dynamic analysis, and manual penetration testing. All results are reviewed for accuracy by our team of world class security experts. Results are released to your own private website, where a detailed Web interface and report are available.
  • You select the type of testing you want: static testing of the source code, or dynamic testing (penetration testing) of the production code. Both are verified and reviewed by our team of Security Experts to ensure that you get the best results.
  • Additionally, we offer multiple levels of Dynamic Testing to better suit your business needs: Baseline, Standard and Premium. Static Assist means we will perform a Static Assessment and leverage that during our Dynamic Assessment. SecurityScope means we will install SecurityScope and run it as part of the assessment.
  • In addition to our testing technologies, HP Fortify on Demand also provides the security intelligence you need to effectively and definitively resolve the application security problem:
    • Dashboards provide an at-a-glance view of all your application security testing projects
    • Detailed reports ensure that you meet security compliance
    • Collaboration and recommendation tools help developers be more productive
  • Additionally, Fortify on Demand integrates with the leading products in the application development and security space, to ensure that security is built into the development process without any disruptions.
  • HP Fortify on Demand has mobile application support. As companies develop apps for their smart phones, HP Fortify on Demand ensures that the whole application stack is protected. Whether it’s the applications sitting on the client device (iPhone/ iPad, Android, Blackberry or Microsoft) or the network communications to the backend server, HP Fortify on Demand secures all three tiers in the technology stack.
  • Our application testing as a service is Scalable, Fast and Secure. Whether you’re testing 1 application or 1000s, we can scale to ensure that every desktop, mobile and cloud application is secure.
  • Our application testing as a service support and operations are global. We have experts and staff on 4 continents, across a myriad of applications, geographies and industries.
  • With HP Fortify, we can secure your application in the cloud or on premise, or you can do both. Don’t let the technology dictate how you operate your business.
  • Which delivery method is right for you? Let’s review the major use cases
  • To reiterate, HP Fortify on Demand allows any company to test any application, whether it was developed in-house or procured from 3rd party sources. Let's talk in more detail about our vendor security management solution.
  • How can HP Fortify on Demand test 3rd party applications?
    • Your COTS vendor creates an account with us
    • Your COTS vendor uploads their application to the FOD testing cloud
    • We run a static and/or dynamic test of the application
    • Our security experts manually review the results
    • We provide a detailed report with Automated Testing and Manual Review of the application test
    • Your COTS vendor releases/publishes the detailed report to your FOD account for you to review
  • Here are some Best Practices on testing your vendor applications.
  • Here are some sample references for our vendor management program
  • Let’s look at a real world example or case study of FOD. This company is an international producer and marketer of food, agricultural, financial, and industrial products and services. It employs over 139,000 people, is one of the five largest private companies in the United States, and continues to grow through both organic means as well as aggressive acquisition.
  • This company was interested in purchasing 3rd party applications. However, as part of the due diligence, this company needed to ensure they were purchasing secure code. This company signed a $20k contract with HP Fortify to scan the COTS vendor application. The result: 6000 security vulnerabilities were found. The cost to fix all the vulnerabilities was approximately $150k.
  • Armed with the HP Fortify on Demand results, the Company gave their vendor 2 choices. The COTS vendor elected to fix the vulnerabilities themselves. In the end, the Company saved $130k, representing an ROI of 650%. Additionally, the results from the HP Fortify on Demand project were such an overwhelming success that the Company instituted a company-wide policy of embedding FOD into all future contracts and purchases.
  • In summary, HP Fortify on Demand can test any desktop, mobile or cloud application.

Transcript

  • 1. HP Fortify on Demand: Application Security in the Cloud
    Name, Title, Enterprise Security
    © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 2. The problem
  • 3. Applications are everywhere
    • New applications conceptualized in Design
    • Current applications coded in Development
    • Legacy applications running in Production
  • 4. No access to 3rd party source code
    Majority of an enterprise's applications come from third party vendors: commercial vendors, outsourced to contractors, open sourced. Without access to third party source code, how can you trust these applications?
  • 5. Getting started can be overwhelming
    Large upfront investments:
    • Hardware to procure, setup and maintain for the test/staging environment
    • Software to procure, install and maintain to automate the testing
    • People with the right expertise and experience in security to hire, train and retain
    • Process to define so that everything is standardized and efficient
  • 6. But you need to get started immediately
    Hackers are not sitting idle. Applications are continuously being developed, procured and deployed in the enterprise.
  • 7. What are you going to do?
    • How to launch a security program quickly?
    • How to scale to get all applications tested?
    • How to manage risk for applications when source code is unavailable?
  • 8. The solution
  • 9. The answer: HP Fortify on Demand
    Simple: Launch your application security initiative in < 1 day
    • No hardware or software investments
    • No security experts to hire, train and retain
    Fast: Scale to test all applications in your organization
    • 1 day turn-around on application security results
    • Support 1000s of applications for the desktop, mobile or cloud
    Flexible: Test any application from anywhere
    • Secure commercial, open source and 3rd party applications
    • Test applications on-premise or on demand, or both
  • 10. Application security in three easy steps
    Upload: Customer uploads software to the HP Fortify on Demand cloud
    Test: HP Fortify on Demand conducts security tests (dynamic, static or manual) on the application
    Review: Customer reviews the results of the application test in the form of a detailed report or dashboard
  • 11. Comprehensive and accurate testing
    Static Analysis (HP Fortify Static Code Analyzer)
    • Enterprise proven technology
    • 100% code coverage
    • Support for 21 development languages
    Dynamic Analysis (HP WebInspect)
    • Production safe
    • Three testing levels
    • QA or production environments
    Manual Review (Security Experts)
    • Manual expert audit
    • Reduce false positives
  • 12. Multiple levels of FOD dynamic testing
    Dynamic Analysis levels: Baseline / Standard / Premium
    App Risk Level: Low / Medium / High
    Typical application: Marketing site / Personally identifiable / Credit card, SSN
    WebInspect scan: Baseline, Standard, Premium
    False Positive Removal: Baseline, Standard, Premium
    Remediation Scan: Baseline, Standard, Premium
    Manual Testing: Standard, Premium
    Business Logic Testing: Premium
    Web Services: Premium
    Static Assist or SecurityScope: Premium
  • 13. Powerful remediation and guidance
    Insightful Dashboard
    • Executive Summary
    • Most prevalent vulnerabilities
    • Top 5 applications
    • Heat Map
    Detailed Reports
    • Star Rating
    • Remediation roadmap
    • Detailed vulnerability data
    • Recommendations
    Collaboration
    • Line of code details
    • Web based IDE
    • IDE Plug-in
    • Assign issues to developers
  • 14. Out of box integrations
    Integrate with leading products and partners:
    • Developer IDEs: AWB, IDE Plug-in or SSC Server Collaboration
    • Build Server Integration
    • Quality Center Defect Management
    • Excel and XML
  • 15. Mobile application security support
    Mobile support for:
    • Objective-C (Apple iPad/iPhone)
    • Android
    • Windows
    • Blackberry
    Utilize Hybrid Analysis
    • Source Code
    • Running Application
    Test all three tiers:
    Client
    • Credentials in memory
    • Credentials on filesystem
    • Data stored on filesystem
    • Poor cert management
    Network
    • Cleartext credentials
    • Cleartext data
    • Backdoor data
    • Data leakage
    Server
    • SQLi
    • XSS
    • LFI
    • Authentication
    • Session Management
    • Logic Flaws
  • 16. Scalable, Fast, Secure
    Scalable
    • Virtual scan farm with scanning agents ready
    • Built in control and monitoring system
    • Ability to grow at any pace
    Fast
    • Static Analysis: Average turnaround < 1 Day
    • Dynamic Analysis: Average turnaround = 3-5 Days
    Secure
    • Secure Tier4 A+ Datacenter
    • Follows industry standards: ITIL and ISO-17799
    • Built with World-Class Software Security Components of HP Fortify Static Code Analyzer (SCA)
  • 17. Breadth of testing
    • 1,000s of applications
    • Experts in 4 continents
    • 16 different industries represented
    • Civilian and Defense Agencies across US Government
    • Vendor Management and Internal Management
    • Development teams from 1 to 10,000s
  • 18. Application testing flexibility
    On Demand: HP Fortify on Demand
    On Premise: HP Fortify SSC
  • 19. Selecting the right solution (On Demand: HP Fortify on Demand; On Premise: HP Fortify SSC)
    Deployment. On Demand: Easy; no deployment, no hardware, no training. On Premise: Involved; requires local installation and supporting hardware.
    Expertise Required. On Demand: Little; results triaged by experts and delivered in easy to read reports. On Premise: Significant; requires expertise to set filters and triage results.
    Time to Results. On Demand: 1-5 days per scan. On Premise: Hours per scan.
    Control. On Demand: Less; standardized process. On Premise: More; 100% control, instant access to all capabilities at any time.
    Integration. On Demand: Less; primary results are in report, but can be sent to bug tracking systems and IDEs. On Premise: More; tight integration with build systems, bug tracking, revision control, test automation.
  • 20. Application testing use cases
    Internal Security Management
    • Provide logins to developers or security leads
    • Understand security of applications within 1 day
    • Establish internal stage gate before production
    • Set policy thresholds acceptable for deployment
    • Require security testing of development projects
    Vendor Security Management
    • Add language to contracts
    • Allow HP Fortify on Demand team to work with your vendors directly
    • Understand security of applications within 1 day
    • Build in 1-2 months for remediation per application
  • 21. Vendor management program
  • 22. Vendor management program: how it works
    Vendor FOD account: Vendor uploads application
    Automated Testing: Static Analysis, Dynamic Analysis
    Expert Review: Detailed results; results back in 1-5 days
    Procurer FOD account: Vendor publishes report to Procurer's account
  • 23. Vendor management program: key findings for running a successful vendor management program
    Initiate tests 2-3 months prior to purchase or renewal of software
    • Increases leverage
    • Allows for reasonable time frame
    Help vendor see this as valuable information, not as an obstacle
    • Pay for their first scan or first year
    • Spend time educating them on how the vulnerabilities can be exploited (Fortify can help)
    Set realistic and clear goals
    • What vulnerabilities must be fixed
    • When they have to be fixed
    Allow Fortify to help at critical junctures
    • Uploading application
    • Understanding results
    Plan for 2-5 uploads per application to reach goals
    • Results are rarely achieved on first attempt
  • 24. Vendor management program: sample references
    Top 5 private company in US
    • Leverage FOD on vendors before acquiring software
    • Calculate the cost of securing the application and force vendors to reduce cost or secure the application
    • Static and dynamic analysis
    Top 5 car manufacturer
    • Vast majority of code is outsourced
    • Use FOD to verify vendors have secured their code
    • Static analysis only
    Branch of the US military
    • Leverages FOD on vendors of critical software components for US soldiers
    • Rejects software that doesn't pass a threshold
    • Static analysis only
    Top 5 accounting firm
    • Leverages FOD on vendors and on internal code
    • Static and dynamic analysis
  • 25. Real world example: Leading international consumer products company
  • 26. Example: procuring 3rd party software
    1. Company was interested in purchasing core 3rd party software from commercial vendors
    2. As part of the due diligence, Company used HP Fortify On Demand to analyze several critical and complex applications from the vendor
      • Static scan of the byte code
      • Dynamic scan of the running application
    3. The scans identified many vulnerabilities, representing significant security risk and expense
    4. Company estimated the cost of fixing all these vulnerabilities in-house to be $150,000, based on three key data points:
      • 6,000 vulnerabilities were identified
      • 15 minutes on average to fix each vulnerability
      • $110 / hour cost to fix vulnerabilities
  • 27. The results
    Company presented two options to commercial vendor:
    • Lower the price of the deal by $150,000
    • Remediate the vulnerabilities before the deal closes and pay for a follow-up scan to prove the code is secure
    1. Company saved $130k, with an investment of only $20k in an FOD subscription, while purchasing secure vendor code (ROI: 650%)
    2. Company integrated HP Fortify on Demand into future contracts when renewing or buying software
  • 28. Summary
    HP helps you grow your program:
    • We can scale the number of apps in our cloud
    • We can help you deploy a program internally
    • We can help you with a hybrid deployment
    HP Fortify on Demand helps the CIO/CISO by providing the resources to scan applications that are important to the business. Get started quickly, and across the world (Dev teams across the globe can use FOD). Static or Dynamic, On Premise or in the cloud, HP ESP has your solution.
  • 29. Thank you
  • 30. Appendix
  • 31. Broadest language support
    Static analysis supports 21 languages and growing: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, Cold Fusion, Flex, HTML, Java, JavaScript/AJAX, JSP, Objective C, PHP, PL/SQL, Python, T-SQL, VB.NET, VB6, VBScript, XML
    Dynamic analysis covers all web environments:
    • QA or production environments
    • Web services
    Mobile application security solution covers:
    • Objective C
    • Android
    • Blackberry
    • Microsoft
  • 32. HP Fortify on Demand at a glance
    Comprehensive and accurate: HP Fortify SCA, HP WebInspect, Manual
    Powerful remediation: Insightful Reports, Analysis and Collaboration Module
    Broad support: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, Cold Fusion, Flex, HTML, Java, JavaScript/AJAX, JSP, Objective C, PHP, PL/SQL, Python, T-SQL, VB.NET, VB6, VBScript, XML
    Fast and scalable: 1 Day Static Turnaround, Virtual Scan Farm
    Secure: Datacenter, Encryption, Third Party Reviews
    Breadth of testing:
    • 1,000s of applications
    • 16 different industries represented
    • 4 Continents
    • Civilian and Defense Agencies across US Government
    • Vendor Management and Internal Management
    • Development teams from 1 to 10,000s
  • 33. Secure
    Datacenter
    • Tier 4 A+ datacenter
    • Extensive banking references
    • SAS-70 Type II compliant
    • Follows industry standards: ITIL and ISO-17799
    • 24x7 onsite security
    • CCTV onsite, monitored 24x7
    • Multi-homed network connectivity
    • Redundant power systems with backup generators and double-conversion UPSs
    • Supervised-only access
    • All DC employees are background checked
    • All doors require PIN, magnetic card and biometric retina scans
    • Datacenter employees do not have access to any system
    • IPsec-based VPN access for authorized personnel only
    World-class software security
    • Built with all components of HP Fortify SCA
    • Hardened operating systems & open source components
    • Independently verified by 3rd party
    Extensive data protection
    • Browser-to-system SSL encryption
    • Encrypted Ethernet between servers
    • Whole-disk encrypted hard disks in all systems (data-at-rest)
    • Per-client RDMS instance with database encryption
    • All crypto keys stored off-site
    • Encrypted virtual volumes during analysis: one-time generated keys stored only in memory; volume is erased when analysis is complete