IBM Rational Software Conference 2009: Application Security & Compliance Track Keynote
Track Keynote for the Application Security & Compliance Track at the IBM Rational Software Conference 2009

More and more we rely on Web-based software and systems to run business processes, conduct transactions and deliver sophisticated services to customers. Unfortunately, in the race to stay ahead of competitors, we often give little or no attention to ensuring that these applications don't compromise our security or compliance by introducing exploitable vulnerabilities that can be used to compromise confidential company information or sensitive client data. The most efficient way to stay ahead of application security and compliance is to build software securely from the ground up. Unfortunately, application security is often an afterthought, "bolted on" at the end of the software development process rather than "built in" across the entire development and delivery cycle, resulting in vulnerabilities that are found late, if at all, where they pose the greatest threats and are significantly more costly to repair.

In this track we will focus on the fundamentals of application security - common attack types, how to defend against these attacks, secure coding practices, identifying vulnerabilities through a combination of manual and automated approaches, what to do when vulnerabilities have been identified, and best practices for integrating security testing into application development. We will also delve into emerging threats in Web 2.0 environments, SOA security and the inherent risks of Web-enabling legacy applications.

Presentation Transcript

  • IBM Rational Vision and Roadmap for Application Security. Michael Weider, Director, Rational. ASC01. © 2009 IBM Corporation
  • IBM Rational Software Conference 2009. Today's Agenda: Strategic Trends in Application Security; Best Practices and Strategies; Vision and Roadmap for 2009 and Beyond
  • Changing security landscape creates complex threats. Web-enabled applications drive the need for security: new applications are increasing the attack surface; complex Web applications create complex security risks; making applications more available to "good" users makes them more available to "bad" users; Web attacks are evolving into blended attacks (i.e. planting of malware on legitimate web sites).
  • 2009: Web Threats Take Center Stage. Web application vulnerabilities represent the largest category in vulnerability disclosures (55% in 2008).
  • Growth of Web Application Vulnerabilities. The number of vulnerability disclosures more than doubled in comparison to 2007. SQL injection: active, automated attacks on web servers were unprecedented.
  • Webapp Exploitation is Cheaper and Easier than Alternatives
  • Exploitation of SQL injection skyrocketed in 2008: increased by 30x from the midyear to the end of 2008.
  • Application Security Maturity Model. Phases: Unaware, Corrective, Bolt On, Built In. [Chart residue: maturity plotted against time; percentages 20%, 50%, 20%, 10%; duration 2-3 years.]
  • Driver #1 – Cost Benefits of Early Detection
  • Driver #2 – Need to Scale. [Chart residue: Phase 1 to Phase 3, with Security Team, QA Team and Development Team labelled across the phases; axes "# of people involved" and "% Applications Tested" (Low to High).]
  • IBM Rational Vision and Roadmap for Application Security (section divider)
  • Securing a smarter planet: Globalization and Globally Available Resources; Billions of mobile devices accessing the Web; Access to streams of information in Real Time; New Forms of Collaboration. New possibilities. New complexities. New risks.
  • Key Focus Areas: 1. Build security into the development lifecycle (Development, QA, Security audit, Production monitoring and defense). 2. Composite analysis technology for automation (integrated blackbox, whitebox and runtime analysis). 3. Provide multiple delivery options (software, software as a service, consulting, appliance/IPS).
  • IBM Rational AppScan: End-to-End Web Application Security. One offering per lifecycle stage, with AppScan Enterprise / Reporting Console spanning all stages for enterprise-wide scanning and reporting:
    – REQUIREMENTS: Req'ts Definition (security templates). Security requirements defined before design & implementation.
    – CODE: AppScan Developer (desktop). Build security testing into the IDE.
    – BUILD: AppScan Build (scanning agent). Automate Security / Compliance testing in the Build Process.
    – QA: AppScan Tester (scan agent & clients). Security / compliance testing incorporated into testing & remediation workflows.
    – SECURITY: AppScan Standard (desktop). Security & Compliance Testing, oversight, control, policy, audits.
    – PRODUCTION: AppScan OnDemand (SaaS). Outsourced testing for security audits & production site monitoring.
    Application Security Best Practices underpin all stages.
  • IBM Rational AppScan – Security in the Development Lifecycle. [Diagram residue across the stages CODE, BUILD, QA and SECURITY.] AppScan editions shown: AppScan Enterprise / Reporting Console; AppScan Ent. (scanning agent); AppScan Build Ed (scanning agent); AppScan Developer Ed (desktop); AppScan QuickScan (QA clients); AppScan Tester Ed (web client); AppScan Enterprise user (web client); AppScan Standard Ed (desktop); AppScan Express (desktop). Integrated Rational tooling: Rational Application Developer, Rational Software Analyzer, Rational ClearCase, Rational BuildForge, Rational Quality Manager, Rational ClearQuest / Defect Management, and IBM Rational Web Based Training for AppScan. Stage goals: build security testing into the IDE*; automate Security / Compliance testing in the Build Process; Security / compliance testing incorporated into testing & remediation workflows; Security & Compliance Testing, oversight, control, policy, audits.
  • Application Security in: Code/Build (lifecycle overview repeated)
  • [Diagram residue: Dev Team 1 through Dev Team 5 each exchange scan data and reports with the ASE Portal, which the Security Team also uses.]
  • IBM Rational AppScan Developer & Build Editions: Web Application Security Solutions for Development, the most efficient place in the SDLC to find and fix security issues. Dev Ed empowers developers to do security testing: a desktop, IDE-integrated solution for developers that also helps build a developer's web appsec awareness. Build Ed ensures all code is scanned: many dev environments run automated regression tests in their regular build process and can now include security tests in those regression tests; an automation-friendly, build-time oriented solution whose key stakeholder/user is the Build Engineer.
  • Security Issues Coverage. [Diagram residue: Total Potential Security Issues, overlapped by Static Analysis, Dynamic Analysis and Runtime Analysis.]
  • Roadmap Highlights: Code/Build. Add new language support: the current product only supports Java; in 2009 we will add .NET, supporting analysis of Web applications built on .NET using both black box and white box testing techniques. Productizing String Analysis: provides automatic detection of user-defined sanitizers, automating parts of the configuration needed to contain false positives from static analysis; included to date as a Tech Preview, it will gain improved accuracy and performance, a modified detection methodology, and be turned on by default. Enhanced Static Analysis engine: support for all Java frameworks (including Portal and services); evolve performance, scalability and usability in response to customer feedback to date; tighter integration with code quality tools (Software Analyzer and Logiscope).
  • Application Security in: QA (lifecycle overview repeated)
  • Introducing AppScan Tester Edition for RQM (Rational Quality Manager): embed security testing into the QA process, the ideal way to scale security testing. Integrated into the QA environment to enable the adoption of security testing alongside functional and performance testing. Delivers the building blocks to help customers build a process to address security & compliance, leverages existing compliance mechanisms in the QA process, and provides collaboration tools for security testing between development, QA and security teams. The result: seamless integration of security testing to provide collaboration, automation and reporting.
  • Rational Quality Manager – Test Management Hub. [Diagram residue: IBM Collaborative Application Lifecycle Management; Rational Quality Manager with Quality Dashboard, Requirements Management, Test Management and Execution (Plan, Create Tests, Build, Manage Test Lab, Report Results) and Defect Management on the Jazz Team Server open platform with best-practice processes; Open Lifecycle Service Integrations across SAP, System z, System i, Java, .NET, Web Service and homegrown; test types: Functional Testing, Security and Compliance, Performance, Code Quality, Web Service Quality.]
  • Application Security in: Security Team (lifecycle overview repeated)
  • Introducing Rational AppScan Version 7.8: securing next generation Web applications and technologies. Automated scanning and testing for Flash-based applications; support for increasingly sophisticated Web Services applications; built-in expert security intelligence for analyzing results, addressing the #1 problem inhibiting broader adoption of scanning tools ("Results Expert" helps users understand and articulate issues to external audiences). The result: improved security and more efficient testing.
  • Advancing Web 2.0 Security: automatically auditing Adobe Flash applications. Evolution of Flash support: first generation tools partially explored through Flash applications; second generation (emerging now) can fully explore and audit Flash applications. Rational AppScan automatically scans Flash-based applications and is the first to introduce automatic Flash execution (the first "second generation" scanner); similar to AJAX, where the 1st generation was parsing and the 2nd generation execution. It automatically explores deep and complex Flash applications and identifies traditional as well as Flash-specific security issues: Cross-Site Flashing, Cross-Site Scripting through Flash, phishing. Supports Flash & Flex applications, including server-side testing of Flex applications (only scanner to support the AMF protocol). Continued leadership in Flash application security: Flash execution is now a strategic and evolving component of AppScan.
  • Extending AppScan's lead in Web Services security testing. Web Services momentum continues: Enterprise Modernization allows organizations to transition legacy applications to sophisticated Web 2.0 and SOA solutions, driven by user demand; legacy applications were not designed with Web security considerations; SOA deployments present complex, technology-heavy scanning environments. Leveraging IBM's investment in SOA: using established Rational SOA Tester capabilities (powerful functional & performance testing for SOA), AppScan will include GSC (General SOA Client) testing of custom Web Services code, identifying business logic vulnerabilities and supporting complex Web Services deployments: XML Signatures, XML Encryption, complex types in WSDL, and more.
  • CVSS support provides an industry standard severity rating. Guides the user through verifying that the issue is a legitimate vulnerability: integrated screenshots with explanations immediately demonstrate whether an issue truly exists, saving time and effort.
  • The Problem: Legitimate Sites serving Malware. Malware is served or linked primarily from legitimate sites! Headlines: "Federal Travel Booking Site Spreads Malware" (Washington Post); "TrendMicro site infected users with Trojan" (CIO); "A large web hosting firm (IPower) attacked and inflicted by mass malware installation" (Net-Security); "BusinessWeek website hosts malware" (Washington Post); "Twitter worm strikes" (New York Times). Flagged as the "New Biggest Problem": WebSense, "Legitimate Sites Carry Increasing Portion Of Malware" (Jan '09); ScanSafe, "Web-based malware up 400%, 68% hosted on legitimate websites" (June '08); Blog, "Online Trust: A Thing of the Past?" (Jan '09); X-Force, "Are Legitimate Sites the Next Malware Threat?" (Feb '09); Breach, "SQL Injection Attacks Planting Malware on Web Sites Ranks #1 in Breach Security's 2008 Web Hacking Incidents Database Report" (Feb '09).
  • AppScan's HTTP-Based Malware Scanning: 1. Discover all content and links in a Web application (execute JavaScript & Flash, fill forms and login sequences, analyze secure pages, and more). 2. Analyze all content for malicious behavior indicators. 3. Compare all links to comprehensive black-lists.
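The three steps on the malware-scanning slide, as an added example that is not part of the original deck and not AppScan's code: a small Python page checker over a constructed HTML page. The blocklist, the indicator patterns and the sample page are assumptions made for illustration; a real scan would also execute JavaScript and Flash and follow login sequences, which this example does not.

```python
"""Added example (not IBM's code): a minimal HTTP-content malware check
modelled on the three steps on the slide: (1) discover links in a page,
(2) look for malicious-behaviour indicators in the content, (3) compare
every link against a blocklist.  Input is a constructed HTML page; the
blocklist and the indicator patterns are illustrative assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed blocklist of known-bad hosts (constructed for the example).
BLOCKLIST = {"evil.example", "malware-cdn.example"}

# Indicators of drive-by injections commonly planted through SQLi/XSS:
# a hidden iframe, a script loaded from a raw IP, and unescape/eval obfuscation.
INDICATORS = [
    ("hidden-iframe", re.compile(r'<iframe[^>]*(width|height)\s*=\s*["\']?0\b', re.I)),
    ("script-from-ip", re.compile(r'<script[^>]*src\s*=\s*["\']?https?://\d{1,3}(\.\d{1,3}){3}', re.I)),
    ("obfuscated-js", re.compile(r'eval\s*\(\s*unescape\s*\(', re.I)),
]


class LinkExtractor(HTMLParser):
    """Step 1: collect every href/src/action target, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(urljoin(self.base_url, value))


def discover_links(base_url, html):
    parser = LinkExtractor(base_url)
    parser.feed(html)
    return parser.links


def analyze_content(html):
    """Step 2: return the names of the malicious-behaviour indicators present."""
    return [name for name, rx in INDICATORS if rx.search(html)]


def blocklisted_links(links, blocklist=BLOCKLIST):
    """Step 3: return links whose host, or any parent domain of it, is on the blocklist."""
    hits = []
    for link in links:
        parts = (urlsplit(link).hostname or "").lower().split(".")
        if any(".".join(parts[i:]) in blocklist for i in range(len(parts))):
            hits.append(link)
    return hits


def scan_page(base_url, html):
    links = discover_links(base_url, html)
    return {
        "links": links,
        "indicators": analyze_content(html),
        "blocklisted": blocklisted_links(links),
    }


# Constructed sample: a legitimate page into which an attacker has injected
# a hidden iframe and an obfuscated script (the pattern the slide describes).
SAMPLE_PAGE = """<html><body>
<a href="/about">About</a>
<form action="https://www.legit.example/login">...</form>
<iframe src="http://evil.example/x.php" width=0 height=0></iframe>
<script src="http://203.0.113.5/a.js"></script>
<script>eval(unescape("%61%6c%65%72%74"));</script>
</body></html>"""

if __name__ == "__main__":
    for key, value in scan_page("https://www.legit.example/", SAMPLE_PAGE).items():
        print(key, value)
```

The blocklist check walks parent domains so that a link to a subdomain of a listed host is still caught; the indicator patterns are the kind of heuristic a scanner applies before any blocklist lookup, which matters because freshly injected hosts are rarely on a list yet.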
  • Application Security in: Production (lifecycle overview repeated)
  • Expanded Options for Production Testing and Defense. 1. Testing solutions: AppScan Enterprise; AppScan OnDemand; ISS Managed Security Services. 2. Defensive solutions: ISS Proventia IPS with new Web Protection; DataPower SOA Appliance. 3. Combined approach: integrated scanning and defense.
  • Introducing expanded Rational AppScan OnDemand. AppScan OnDemand: comprehensive testing of pre-production applications; periodic assessment of applications in QA or Security; monthly scans; flexible offerings based on organization size (Small/Medium/Large). AppScan OnDemand Production Site Monitoring: continuous scanning of production Web sites for vulnerabilities that may have been introduced after the app went live (dynamic or interactive content and forms, online registrations); weekly scans. The result: ability to address online risk without in-house resources, with a faster route to actionable information. Policy Testing OnDemand is also available to support website compliance management for Privacy, Quality & Accessibility.
  • Block attacks in real-time with Proventia Web application security: intrusion prevention just got smarter with web application protection backed by the power of X-Force.
    – Virtual Patch. What it does: shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach. Why important: at the end of 2008, 53% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.
    – Threat Detection & Prevention. What it does: detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability. Why important: eliminates the need for constant signature updates; protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero day vulnerabilities.
    – Content Analysis. What it does: monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness; also provides the capability to explore data flow through the network to help determine if any potential risks exist. Why important: flexible and scalable customized data search criteria; serves as a complement to data security strategy.
    – Web Protection. What it does: protects web applications against sophisticated application-level attacks such as SQL Injection, XSS (Cross-site scripting), PHP file-includes and CSRF (Cross-site request forgery). Why important: expands security capabilities to meet both compliance requirements and threat evolution.
    – Network Policy Enforcement. What it does: manages security policy and risks within defined segments of the network, such as ActiveX fingerprinting, Peer To Peer, Instant Messaging, and tunneling. Why important: enforces network application and service access based on corporate policy and governance.
  • Rational/ISS Vision: Application & Network Security Ecosystem. [Diagram residue: Proventia IDS/IPS, SiteProtector, Enterprise Scanner and AppScan Agent joined through a joint interface for application & network security; collaborative flow of product usage; mutual leveraging of technology.]
  • WebSphere DataPower SOA Appliances: an SOA appliance creating customer value through extreme SOA connectivity, performance and security. Simplifies SOA and accelerates time to value; helps secure SOA XML implementations; governs and enforces SOA/Web services policies. WebSphere DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations.
  • Virtual Application Security Patch. 1. Rational AppScan scans the Web application and uncovers security issues. 2. WebSphere DataPower rules are auto-created, based on the found issues. 3. Custom protection blocks exploits on vulnerable locations, blocking where required while avoiding false positives. 4. Vulnerabilities are remediated in the next release of the Web application.
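The virtual-patch workflow above, together with the class-based (rather than exploit-specific) SQL injection and XSS detection described on the Proventia Web Protection slide, as an added example that is not IBM's, ISS's or DataPower's code: constructed scanner findings are turned into rules scoped to the vulnerable path and parameter, and requests are blocked only where such a rule applies. The paths, parameter names, patterns and sample requests are assumptions made for illustration.

```python
"""Added example (not IBM's or ISS's code): a toy virtual-patch pipeline for
the three-step workflow on the slide.  Step 1 is represented by constructed
scanner findings, step 2 turns each finding into a rule scoped to the
vulnerable path and parameter, and step 3 applies the rules to requests.
Matching is by attack class (SQL injection, XSS) rather than by a specific
exploit string, and parameters no finding covers are left alone.
Paths, parameter names and patterns are assumptions for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed scanner output standing in for step 1 (a scan report).
FINDINGS = [
    {"url": "/products/search", "param": "q",   "type": "sqli"},
    {"url": "/guestbook/post",  "param": "msg", "type": "xss"},
]

# Class-level patterns: one per attack class, not one per known exploit.
CLASS_PATTERNS = {
    "sqli": re.compile(
        r"('|\")\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+"  # ' OR 'a'='a
        r"|\bunion\s+(all\s+)?select\b"                 # UNION SELECT ...
        r"|;\s*(drop|insert|update|delete|exec)\b"       # stacked statement
        r"|--\s*$|/\*.*\*/",                             # comment tail
        re.I | re.S),
    "xss": re.compile(
        r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.I),
}


def build_rules(findings):
    """Step 2: one rule per finding, scoped to (path, parameter, attack class)."""
    return [(f["url"], f["param"], CLASS_PATTERNS[f["type"]]) for f in findings]


def decide(rules, method, url, body=""):
    """Step 3: return ("block", (path, param)) or ("allow", None) for one request.
    Only parameters named in a rule for the request's path are inspected."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    for path, param, pattern in rules:
        if parts.path != path:
            continue
        if any(pattern.search(v) for v in params.get(param, [])):
            return ("block", (path, param))
    return ("allow", None)


# Constructed sample traffic: attacks on patched locations, benign requests,
# and an attack on a parameter the scan did not flag (deliberately allowed).
SAMPLE_REQUESTS = [
    ("GET",  "/products/search?q=laptop", ""),
    ("GET",  "/products/search?q=' OR 'a'='a", ""),
    ("GET",  "/products/search?q=1 UNION SELECT user,pass FROM users", ""),
    ("GET",  "/products/search?sort=' OR 1=1--", ""),
    ("POST", "/guestbook/post", "msg=hello+world"),
    ("POST", "/guestbook/post", "msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET",  "/about?q=<script>", ""),
]


def run_sample(rules=None):
    """Apply the rules to the sample traffic; returns the list of verdicts."""
    rules = rules or build_rules(FINDINGS)
    return [decide(rules, m, u, b)[0] for m, u, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (m, u, b), verdict in zip(SAMPLE_REQUESTS, run_sample()):
        print(f"{verdict:5} {m:4} {u} {b}")
```

Scoping each rule to the finding's path and parameter is what keeps false positives down: the same injection string in the `sort` parameter is allowed because the scan reported nothing there. That is also the gap to keep in mind; the virtual patch covers only what the scan found, which is why step 4 (fixing the code in the next release) is still on the slide.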
  • 2009 Roadmap. Q1: new AppScan releases (AppScan Standard, Express, Developer, Build); product translations available for all products (Japanese, Korean, Traditional Chinese, Simplified Chinese, French, Italian, and German); expanded SaaS offering (Production Site Monitoring). Q2: Web-based Malware Detection & Scanning; AppScan-ISS SiteProtector integration. Q4: portfolio-wide release (AppScan DE, Standard and Enterprise); joint ISS initiatives.
  • Application Security at RSC: 1. Application Security Track Sessions; 2. Rational Labs; 3. User First Lounge.
  • IBM Rational User Technologies: try out Rational AppScan for yourself. You're invited to the Users First Lounge, where you will get to speak one-on-one with the AppScan User Experience team on topics including usage scenarios, user interface design, ease-of-use, user assistance, learning, and quality. This is a chance to share your reality with us and help shape the future of the AppScan family! Sign up at tinyurl.com/djoj9b or in person at Europe 5.
  • © Copyright IBM Corporation 2009. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.