SSA Scorecard        Blank                                                    Industry                                    ...
SSA Best Practice Approach Key Principles             Rapid identification and remediation of critical vulnerabilities    ...
Goals and benefits for Software SecurityAssurance SSAA successful software security initiative leads to:Measurably reduced...
Success is foreseeing failure.58                                                                                          ...
Thank you Lucas v. Stockhausen lvonstockhausen@hp.com +49-1520 1898430© Copyright 2012 Hewlett-Packard Development Company...
Backup Slides© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to cha...
RAST is the key to correlation     URL: www.     sales.company.com                                                        ...
ROI© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change withou...
The BreachThe biggest ROI is no breachNo regulatory costsNo brand reputation…Hard to measure if it never happened to you b...
Fixing Bugs Earlier in the Lifecycle                                                                             Cost of F...
Example: Cost of Fixing Critical Defects     The following case study provides an example of the savings generated by usin...
Example: Cost of Fixing Critical Defects                      Cost of Fixing Vulnerabilities Early                        ...
Quiz© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change witho...
Quiz     String userName = ctx.getAuthenticatedUserName();     String itemName = request.getParameter("itemName");     Str...
Quiz - Solution     String userName = ctx.getAuthenticatedUserName();     String itemName = request.getParameter("itemName...
Quiz - Solution     SELECT * FROM items WHERE owner = „lucas AND itemname = „x’ or      1=1; -- „”;                       ...
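The quiz's defect is CWE-89 SQL injection: `itemName` comes straight from `request.getParameter` and is concatenated into the query string, so the closing quote, `or 1=1` and the `--` comment rewrite the WHERE clause and the ownership check on `owner` no longer restricts the result. The quiz code is Java; the following added example (not from the slides) reproduces the same pattern in Python against an in-memory SQLite table, puts the parameterized fix beside it, and runs the quiz's input through both so the difference is measurable rather than asserted. The table rows, the user `lucas` and the item names are constructed sample data.

```python
import sqlite3

# Constructed sample table, not data from the slides: two owners, three items.
SAMPLE_ROWS = [
    ("lucas", "x"),
    ("lucas", "laptop"),
    ("alice", "payroll-export"),
]


def make_db():
    """In-memory SQLite database standing in for the quiz's items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT NOT NULL, itemname TEXT NOT NULL)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, user_name, item_name):
    """The quiz's pattern: the request parameter is spliced into the SQL text,
    so it can change the query's structure, not just the compared value."""
    query = ("SELECT owner, itemname FROM items WHERE owner = '" + user_name
             + "' AND itemname = '" + item_name + "'")
    return conn.execute(query).fetchall()


def query_parameterized(conn, user_name, item_name):
    """The fix: placeholders keep item_name a bound value; the driver never
    parses it as SQL, so the owner restriction cannot be bypassed."""
    query = "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(query, (user_name, item_name)).fetchall()


# The quiz's input without the statement terminator: the quote closes the
# literal, OR 1=1 makes the WHERE clause always true, -- comments out the rest.
QUIZ_INPUT = "x' OR 1=1 -- "


def demo():
    """Runs both variants as the authenticated user 'lucas' (as in the quiz)
    and returns how many rows each one hands back."""
    conn = make_db()
    return {
        "legit_rows": len(query_vulnerable(conn, "lucas", "x")),
        "vulnerable_rows": len(query_vulnerable(conn, "lucas", QUIZ_INPUT)),
        "parameterized_rows": len(query_parameterized(conn, "lucas", QUIZ_INPUT)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

With the quiz input, the concatenated query returns every row in the table, including another user's item, while the parameterized query returns nothing because no item is literally named `x' OR 1=1 -- `. This data flow from a request parameter into a query string is exactly what the static analysis described in the slides is built to trace from source to sink.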
Ensure Software Security already during development


"How to Code Security into Software? Software Security Assurance with HP Fortify." Nowadays it becomes more and more obvious that security should not only be applied as an afterthought, but already during development. I will show possibilities on how you can integrate Software Security assurance in your Development Lifecycle, and what technologies and processes can help you with that."
Lucas v. Stockhausen
Software Security Consultant

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,757
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
35
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Hi, my name is [Name]. I work as a [Title/Role] at HP, in the Enterprise Security Products business unit. Today, I'll be talking about application security and why governments and modern enterprises need it. What is application security? Simply put, it is about ensuring that every single line of code is secure and every single software application, whether it is built for the desktop, cloud or mobile device, is safe from cyber attackers and hackers. The goal here is about eliminating exploitable security risk in software at the application code level, making it immune to attack even if intruders get past perimeter defenses.
  • Why is there a problem, and why do you need application security? Like all organizations, you've undoubtedly invested a lot of time and money attempting to insulate and protect your assets. Your networks are protected – firewalls are in nearly every device that connects to a network. Your servers are protected, thanks to advances in intrusion prevention systems. But your software applications are still largely unprotected and vulnerable. Companies believed that if you protect the perimeter (network and server), the software will be unreachable and therefore not breachable. However, that has not proven to be the case: software is the new entry point. Let's take a look at how…
  • Angriff aus der Zukunft (Attack from the future)
  • How did we get here? There's always been a communication/collaboration gulf between Security and Development. These two teams don't normally work together; they don't even belong to the same group. Typically, Security receives code to deploy. You trust that the application you were given (whether developed in house, outsourced, open sourced, or commercial) is fully tested and secured. In many cases, you don't have the time, skills or authority to stop that application deployment. So you end up rolling it out, not knowing whether the code is secure or not until it's breached.
  • How expensive is this approach? According to a NIST study, the cost of fixing software increases substantially further along the Software Development Lifecycle (SDLC). It costs 30x more to fix security issues after a breach in Production than to build security into your code at the beginning, during Design.
  • How do we fix this, and how do we ensure that only secure software is deployed? Ideally, security should be built into software during the Design phase. Many times, that's not possible. A pragmatic approach is to put a Security Gate in place before the software is deployed into Production. Before you roll out any application, you must first determine whether it is resilient and secure. If you look at the Development cycle, you have Engineers who develop the code and then QA who test the functionality, i.e. a Software Quality Assurance (SQA) role. The gap right now is that there's no one comparable in Security. Do you have someone who performs a Software Security Assurance (SSA) role? No! Just as Development has QA to keep them honest, Security needs someone or something in a similar QA capability.
  • BUILD (Auto)
  • AMP Sensor(WebInspect without local GUI)
  • Transcript of "Ensure Software Security already during development"

    1. Ensure Software Security already during development. Lucas v. Stockhausen, Software Security Consultant, lvonstockhausen@hp.com, +49-1520 1898430, HP Enterprise Security. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    2. Some Explanations
    3. Definition Hacker (Wikipedia). Hacker: A person who enjoys exploring the details of (programmable) systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    4. Heise Newsletter 25.1.2012: 3 % of the publicly available IP addresses, ~5000 open video systems. Continuous exploit from there. http://www.h-online.com/security/news/item/Video-conferencing-systems-as-spying-tools-1421346.html
    5. No “Defence in Depth” means….
    6. Heise Newsletter 26.1.2012: Attack from 3 IP addresses on a US railway. No big damage – just 15 min delay. http://www.h-online.com/security/news/item/Hackers-may-have-disrupted-railway-computers-and-schedules-1422666.html
    7. (Image slide, no text.)
    8. How can HP Fortify help? “By 2016 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud services.”
    9. Today’s approach > expensive, reactive:
       1. Somebody builds insecure software.
       2. IT deploys the insecure software.
       3. We are breached, or pay to have someone tell us our code is insecure.
       4. We convince & pay the developer to fix it.
    10. Software Development Today: Small coding errors can have a big effect on security. Typical software development practices don’t address the problem. As a group, developers tend to make the same security mistakes over and over.
    11. Why it doesn’t work: 30x more costly to secure in production. Chart of the relative cost of fixing by phase: Requirements 2X, Coding 5X, Integration/component testing 10X, System testing 15X, Production 30X. After an application is released into Production, it costs 30x more than during design. Source: NIST.
    12. The right approach > systematic, proactive:
       1. Embed security into the SDLC development process.
       2. Leverage a Security Gate to validate the resiliency of internal or external code (in-house, outsourced, commercial, open source) before Production.
       3. Monitor and protect software running in Production.
       Feedback loop: improve SDLC policies. This is application security.
    13. Software must be Fortifyd. Across the SDLC (Plan, Design, Code, Functional Test, Acceptance Test, Deploy): Fortify Source Code Analysis (scope: source code), Fortify Security Audits (HP WebInspect), Fortify RTA (run-time protection). Fortify SSC Server: Software Inventory, Collaboration Module, Governance Module, Software Security Metrics and Reporting.
    14. Static Analysis
    15. Example Process. Development Teams: Developer (IDE), Development Manager, Project Lead. Security: Security Auditor, CISO. Components: Source Code Repository(s), Central Build Server(s) with Build Tool and Fortify SCA, Fortify SSC Server, Auditworkbench (AWB), Collaboration Module (CM), Defect Tracking System. Steps: 1. Identify (Fortify SCA on the central build server), 2. Audit (AWB), 3. Assign, 4. Fix (in the developer’s IDE), 5. Validate; the CISO monitors.
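Slides 12 and 15 describe a Security Gate fed by the identify/audit/assign/fix/validate loop: the build server scans, an auditor classifies the findings, and only findings that are still open after audit should count against the gate that decides whether a release may reach Production. The following added example (not HP Fortify code, and not Fortify's FPR format) shows that decision logic in Python: a constructed JSON scan summary, a hypothetical per-severity policy, and a gate that excludes findings an auditor has marked "Not an Issue" or "Fixed". All identifiers, statuses and the sample findings are assumptions.

```python
import json
import sys
from collections import Counter
from dataclasses import dataclass, field

# Constructed scan summary in a hypothetical JSON shape; it is not Fortify's
# FPR format, only the fields a gate decision needs.
SAMPLE_SCAN = json.dumps({
    "project": "sales-portal",
    "version": "1.4.0",
    "issues": [
        {"id": "A1", "category": "SQL Injection", "severity": "Critical", "status": "Open"},
        {"id": "A2", "category": "Cross-Site Scripting", "severity": "High", "status": "Open"},
        {"id": "A3", "category": "System Information Leak", "severity": "Low", "status": "Open"},
        {"id": "A4", "category": "SQL Injection", "severity": "Critical", "status": "Not an Issue"},
    ],
})

# Gate policy (assumed): maximum number of open findings allowed per severity.
# Severities missing from the policy (here Low) are reported but never block.
POLICY = {"Critical": 0, "High": 2, "Medium": 10}

# Audit outcomes from step 2 (and step 4/5) that take a finding out of the count.
AUDITED_OUT = {"Not an Issue", "Fixed", "Suppressed"}


@dataclass
class GateResult:
    passed: bool
    counts: dict                              # open findings per severity
    violations: list = field(default_factory=list)  # (severity, open, limit)


def evaluate_gate(scan_json, policy=POLICY):
    """Decides whether a build may pass the security gate: counts findings
    still open after audit and compares each severity with its policy limit."""
    scan = json.loads(scan_json)
    open_issues = [i for i in scan["issues"]
                   if i.get("status", "Open") not in AUDITED_OUT]
    counts = dict(Counter(i["severity"] for i in open_issues))
    violations = [
        (sev, counts.get(sev, 0), limit)
        for sev, limit in policy.items()
        if counts.get(sev, 0) > limit
    ]
    return GateResult(passed=not violations, counts=counts, violations=violations)


def with_status(scan_json, issue_id, status):
    """Returns a copy of the scan with one finding's audit status changed,
    standing in for the audit, fix and validate steps of the process."""
    scan = json.loads(scan_json)
    for issue in scan["issues"]:
        if issue["id"] == issue_id:
            issue["status"] = status
    return json.dumps(scan)


def main():
    result = evaluate_gate(SAMPLE_SCAN)
    print("open findings by severity:", result.counts)
    for sev, count, limit in result.violations:
        print(f"gate violation: {count} open {sev} finding(s), limit {limit}")
    # A non-zero exit code is what lets the build server stop the deployment.
    sys.exit(0 if result.passed else 1)


if __name__ == "__main__":
    main()
```

On the sample scan the gate fails because one Critical finding is still open (the second Critical was audited as "Not an Issue" and does not count); once that finding is marked "Fixed" the same policy lets the build through. Keeping the policy as data rather than hard-coding it is what makes the gate a governance artifact the SSC-style central server can own, while the build server only enforces it.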
    16. 16. Auditing – Different Possibilities Auditworkbench Collaboration Module IDE - VS , Eclipse (Web-base Auditworkbench) Clicking on the issue and being guided through the source code is VERY important for understanding and fixing a vulnerability16 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    17. 17. Auditing (AWB and IDE) - Overview Functions and Rulewriting wizard (only Filtering in AWB) Priorization Categorization Overview Issue - Groups17 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    18. 18. Auditing (AWB and IDE) – Trace the issueSourcecode DiagramAnalysis Trace18 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    19. 19. Auditing (AWB and IDE) – Training on the job Detailed description of the issue19 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    20. 20. Auditing (AWB and IDE) – Training on the job Detailed recommendation to fix the issue20 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    21. 21. Auditing (AWB and IDE) - Result Store Analysis See other comments and make comments yourself File a bug21 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    22. 22. Dynamic Analysis© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    23. 23. 23 INTRODUCTION TO WEBINSPECT WebInspect is a comprehensive Dynamic Application Security Testing (DAST) solution used by IT Security auditors and penetration testers to detect, classify and report discrete application vulnerabilities. WebInspect dynamically interacts with your application enumerating application parameters and server configuration characteristics which can be exploited by a malicious attacker. WebInspect employs “ethical” attack methods which discover and confirm vulnerabilities without actually exploiting them. Monthly WebInspect Technical Demonstration: http://www.hp.com/go/techdemos 23 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    24. 24. Live scan visualization Live Scan Start remediation of vuln’s immediately Dashboard Live Scan Statistics Site tree Detailed Attack Excluded and Table Allowed Hosts Section Vulnerabilities24 found in application © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    25. 25. Grey Box Testing© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    26. 26. 27 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    27. 27. Integrated Analysis Application Real-time link • Find More • Fix Faster29 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    28. 28. Real Time Analysis© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    29. 29. Fortify RTA : Components RTA Console31 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    30. 30. SSCSoftware Security Center© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    31. 31. Fortify SSC Server – Risk Management Track, measure and understand software security risk Flexible reporting Dashboards to details - Metrics that matter Snapshots and trends - Easy to customize33 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    32. 32. Fortify SSC Server – Risk Management II Track, measure and understand software security risk Centralized management of software security Software security policy - Multiple projects Real-time alerts - Enterprise Security Rules management34 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    33. 33. Fortify Server – Risk Management III Track, measure and understand software security risk Collaborative Auditing and Remediation Web Base Auditworkbench like interface User Assignment35 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    34. 34. How can HP Fortify help?© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    35. 35. Software must be Fortifyd Fortify Source Code Fortify Security Fortify RTA Analysis Scope HP WebInspect Source Code Security Audits Run-Time Protection PLAN DESIGN CODE FUNCTIONAL ACCEPTANCE DEPLOY TEST TEST Software Inventory Collaboration Module Governance Module Fortify SSC Server Software Security Metrics and Reporting37 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    36. 36. And the knowledge?© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    37. 37. 526 Categories to Date SRG updates the Fortify Secure Coding Rulepacks to identify the latest categories of software vulnerabilities on a quarterly basis Growth in Vulnerability Categories 2005 – 2012 Examples of Categories 600 •Command Injection •Cross-Build Injection 500 •Cross-Site Request Forgery •Cross-Site Scripting 400 •HTTP Response Splitting •JavaScript Hijacking 300 •LDAP Injection •Privacy Violation •Session Fixation 200 •SQL Injection •System Information Leak 100 •Unhandled Exception For a complete list, go to 0 http://www.hpenterprisesecurity.com/vulncat/e n/vulncat/index.html 1 3 1 3 1 3 1 3 1 3 1 3 1 3 139 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q 05 05 06 06 07 07 08 08 09 09 10 10 11 11 12
    38. 38. 21 Languages to Date SRG leads the industry in support for the broadest array of programming languages Growth in Language Support 2005 – 2012 Language Support 25 •ABAB •XML/HTML •Actionscript •Classic ASP 20 •ASP.NET •JSP •Java •PHP 15 •C •Python •C++ •VB.NET 10 •C# •VBScript •COBOL •VB6 5 •Cold Fusion •T-SQL 0 •Objective C •PL/SQL 1 3 1 3 1 3 1 3 1 3 1 3 1 3 1 Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q 05 05 06 06 07 07 08 08 09 09 10 10 11 11 12 •JavaScript40 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. /AJAX
    39. 39. 710,000+ APIs to Date SRG builds extensive support for the packages and frameworks used today, resulting in support for over 710,000 APIs over 526 vulnerability categories and 21 languages Growth in API Support 2005 – 2012 Sample Packages 800.000 •JDK 1.4, 1.5, 1.6 700.000 •Apache Struts 1.x, 2.x 600.000 •Hibernate 2.x, 3.x 500.000 •Spring 1.x, 2.x 400.000 •JSF 1.x •.NET 1.1, 2.0, 3.0, 3.5 300.000 •Microsoft Practices Enterprise 200.000 Library 100.000 •NHibernate 1.x 0 •Spring MVC •Google GWT 1 3 1 3 1 3 1 3 1 3 1 3 1 3 1 Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q 05 05 06 06 07 07 08 08 09 09 10 10 11 11 1241 © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. •Java Webservices
    40. How to use?
    41. Security in the Development Lifecycle
    42. Maturity Models
    43. Four high-level Disciplines

    All security-related activities are mapped under 4 Disciplines, each representing a group of related business functions:

    Alignment & Governance: Activities related to security program management and cross-cutting organizational concerns
    Requirements & Design: Activities related to the product conception and software design processes
    Verification & Assessment: Activities related to reviewing, testing, and validating software
    Deployment & Operations: Activities related to knowledge transfer and maintenance of running software
    44. What's under each Discipline?

    The 4 Disciplines are high-level categories for activities. Three security Functions under each Discipline are the specific silos for improvement within an organization.

    Disciplines: Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations
    Functions: three under each Discipline
    45. Security Research – Fortify SSA Maturity Model

    Lifecycle phases: Initiate, Define, Design, Develop, Test, Implement, Operate

    Alignment & Governance: Education & Guidance, Standards & Compliance, Strategic Planning
    Requirements & Design: Threat Modeling, Security Requirements, Defensive Design
    Verification & Assessment: Architecture Review, Code Review, Security Testing
    Deployment & Operations: Vulnerability Management, Infrastructure Hardening, Operational Enablement

    Supporting products: SCA, WebInspect, Fortify SSC, RTA, Fortify SSC Server
    46. SSA Scorecard

    [Chart: four panels – Blank Scorecard, Industry Best Practices, Enterprise Scoring, Prioritized Roadmap. Y-axis: Objective 0 to Objective 3. X-axis: the twelve Functions (Education, Standard, Planning, Threat Md, Sec Req, Def Design, Arch Rev, Code Rev, Sec Testing, Vul Mgmt, Infr Harden, Ops Enable) grouped under the four Disciplines (Alignment & Governance, Requirements & Design, Verification & Assessment, Deployment & Operations)]
    47. SSA Best Practice Approach – Key Principles

    Rapid identification and remediation of critical vulnerabilities
    • Don't "forget to fix" or "boil the ocean"
    Prevent introduction of new vulnerabilities
    • Integrate into existing SDLC with minimal process changes
    • Provide flexibility to integrate with new SDL as it rolls out
    Provide support for the developers
    • Training in the context of their own code base
    • Mentoring as required
    Monitor and control
    • Automate gathering of vulnerability statistics and publish
    • Enforcement via security gate
    Continuous Improvement
    48. Goals and benefits for Software Security Assurance (SSA)

    A successful software security initiative leads to:
    • Measurably reduced risk from existing applications
    • A controlled process for preventing vulnerabilities in new releases
    • Reduced costs, delays, and wasted effort from emergency bug fixes and incident clean-up
    49. "Success is foreseeing failure." – Henry Petroski
    50. Thank you

    Lucas v. Stockhausen
    lvonstockhausen@hp.com
    +49-1520 1898430
    51. Backup Slides
    52. RAST is the key to correlation

    URL: www.sales.company.com        File: NewClass.java
    File: NewClass.java               Line: 27
    Line: 27                          ID: 234
    ID: 234                           Source Code: <java.sql.Connection.xxx>
    53. ROI
    54. The Breach

    The biggest ROI is no breach:
    • No regulatory costs
    • No brand reputation…

    Hard to measure if it never happened to you before.
    55. Fixing Bugs Earlier in the Lifecycle

    Cost of Fixing One Vulnerability Based On The Stage It Was Identified:

    Stage          Cost
    Requirements   $139
    Design         $455
    Coding         $977
    Testing        $7,136
    Maintenance    $14,102
    56. Example: Cost of Fixing Critical Defects

    The following case study provides an example of the savings generated by using source code analysis to find vulnerabilities earlier in the SDLC.
    • Sample Application Size: 2 Million LOC
    • Defects Identified during SCA: 1,600
    • Defects Deemed Critical: 200
    57. Example: Cost of Fixing Critical Defects

    Cost of Fixing Vulnerabilities Early

    Stage          Critical Bugs Identified   Cost of Fixing 1 Bug   Cost of Fixing All Bugs
    Requirements                              $139
    Design                                    $455
    Coding         200                        $977                   $195,400
    Testing                                   $7,136
    Maintenance                               $14,102
    Total          200                                               $195,400

    Cost of Fixing Vulnerabilities Later

    Stage          Critical Bugs Identified   Cost of Fixing 1 Bug   Cost of Fixing All Bugs
    Requirements                              $139
    Design                                    $455
    Coding                                    $977
    Testing        50                         $7,136                 $356,800
    Maintenance    150                        $14,102                $2,115,300
    Total          200                                               $2,472,100

    Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3MM.
    58. Quiz
    59. Quiz

        String userName = ctx.getAuthenticatedUserName();
        String itemName = request.getParameter("itemName");
        // The item name comes straight from the request and is concatenated into the SQL text
        String query = "SELECT * FROM items WHERE owner = '" + userName
                     + "' AND itemname = '" + itemName + "'";
        // execute() returns a boolean; executeQuery() returns the ResultSet
        ResultSet rs = stmt.executeQuery(query);

    Username = lucas
    Itemname = x' or 1=1; --
    60. Quiz - Solution

    With the two inputs substituted into the concatenation:

        String query = "SELECT * FROM items WHERE owner = '" + "lucas"
                     + "' AND itemname = '" + "x' or 1=1; --" + "'";
        ResultSet rs = stmt.executeQuery(query);

    Username = lucas
    Itemname = x' or 1=1; --
    61. Quiz - Solution

    The resulting query:

        SELECT * FROM items WHERE owner = 'lucas' AND itemname = 'x' or 1=1; -- '

    Username = lucas
    Itemname = x' or 1=1; --