Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


https://www.SAP.com/Services

Overview
1. Today’s challenges around Application Security Testing
2. Best Practices for SAP Application Security Solutions
3. Solutions Overview
4. Questions & Answers

Published in: Technology

  1. Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify
     Presenter 1: Andrew Kay, HP Application Security Solution Architect
     Presenter 2: Andreas Gloege, SAP Quality Assurance Solutions
  2. © 2014 SAP AG or an SAP affiliate company. All rights reserved. Public
     A few items before we begin…
     • There is no phone bridge for this webinar, so make sure your computer speakers are not muted
     • If the volume is faint, first check the volume settings on your computer, then check the volume setting in the media player box in the upper left hand corner of your screen
     • You may make the slides bigger by hitting the maximize button in the upper right hand corner of the slide area
     • You may submit a question at any time in the Q&A box. We will answer questions throughout the presentation as well as at the end.
     • If you accidentally close the media player, Q&A box or slide area, you can re-open them by selecting the corresponding icon at the bottom of the screen
  3. About the speakers
     Andrew Kay, CISSP, CEH, CCSK, Application Security Solution Architect, HP Enterprise Security Products
     With over 10 years of experience in static code analysis and enterprise code quality initiatives, Andrew is a key member of the Global HP Enterprise Security Products consulting team and one of Australia's leading application security specialists. He has designed and implemented quality and secure development lifecycles for clients around the world.
     Andreas Gloege, Director, Quality Assurance Solutions, SAP
     Andreas is part of the SAP Quality Assurance Solutions group, where he is focused on the global strategy and best practices around testing and quality assurance. Previously from Mercury Interactive and HP Software, Andreas has been deeply involved in the technical aspects of integrating Mercury and HP solutions with SAP applications.
  4. Agenda
     1. Today’s challenges around Application Security Testing
     2. Best Practices for SAP Application Security Solutions
     3. Solutions Overview
     4. Questions & Answers
  5. Polling Question 1
     To what extent are you currently confident that your organization’s highly accessible applications are highly secure? (Please tick one only)
     ( ) Yes, I am confident that they are highly secure
     ( ) Yes, to a certain extent they are secure
     ( ) No, they are not highly secure
     ( ) No, I do not know
  6. (image-only slide)
  7. Why Software Is Attacked
     (figure: attack targets shown as Hardware, Software, Digital Files, Personal Information, Network)
     Today, software is the entry point.
  8. Application Security is the Frontier Now and Future!
     • 84% of breaches occur at the application layer
     • 68% increase in mobile application vulnerability disclosures
     • Developers/QA are focused on functionality
     • Security professionals are overwhelmed by applications
  9. Software security vulnerability: a look at the current situation
     Your software is everywhere. How can you be sure that these highly accessible applications are also highly secure?
     Today's business applications have a history:
     • Grown over the years
     • Complex
     • Built on changing requirements
     • Created based on different development paradigms
     • Optimized for performance
     • Extended but not reinvented
  10. What should never have happened….
     The Incident
     • PlayStation Network breach reported in April 2011
     • 77M customer accounts compromised
     • PS Network completely offline for 25 days
     • Total cost of damages / loss > $171M
     The Attack
     • DDoS attack followed by SQL Injection
     • 130+ servers completely compromised
     • Account data, credit cards, email addresses stolen
     • Required full network shutdown to contain
     • More than just PlayStation Network…
  11. Heartland cybercrime case
     1. 2008: Albert Gonzalez and 2 Russian co-conspirators gained access to Heartland systems through a personnel application (SQL Injection)
     2. Attackers injected code into the data processing network and installed sniffer malware that was able to see credit card numbers and other details.
     3. After being alerted by Visa and MasterCard of suspicious card transaction activity, Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate
     4. Jan 20, 2009: Breach reported by Heartland
        • At least 650 financial institutions affected
        • 94M credit records stolen
        • Fines levied to banks > $6M
        • Total cost of damages / loss > $140M
     5. At the time, the Heartland breach was the largest identity theft case ever
  12. Approach Today: Expensive + Reactive
     1. Somebody builds insecure software (in-house, outsourced, commercial, open source)
     2. IT deploys the insecure software
     3. Breach or pen test proves our code is bad
     4. We convince and pay developers to fix it ($$$)
  13. Why it doesn’t work
     After an application is released into Production, it costs 30x more to secure than during design.
     (chart, source: NIST; cost to fix by phase: Requirements, Coding, Integration/component testing, System testing, Production; scale 2X, 5X, 10X, 15X, 30X)
  14. Fortify Strategy: Software Security Assurance (SSA)
     1. Assess: find security vulnerabilities in any type of software (SAP, Mobile, Web, Infrastructure)
     2. Assure: fix security flaws in source code before it ships (Secure SDLC)
     3. Protect: fortify applications against attack in production (Logging, Threat Protection)
     Application Assessment covers in-house, outsourced, commercial and open source software; Application Protection covers deployed applications.
  15. Polling Question 2
     Do you currently face any of the following challenges (please tick all that apply):
     ( ) lack of trust that diversified, highly accessible applications are secure
     ( ) security vulnerabilities in software that’s on the Web, on premise, or in development
     ( ) weak collaboration of testing and development teams to improve software quality
     ( ) meeting compliance goals for internal and external security mandates
     ( ) all of the above
  16. Best Practices for SAP Application Security
  17. SAP Quality Assurance Solution Portfolio
     Testing Center of Excellence, supported by SAP Quality Center by HP, premier edition, and SAP LoadRunner by HP, performance center edition.
     ASAP includes tools, templates and accelerators to help customers define a Quality Assurance Strategy designed to effectively manage the test management process, governance, and testing solutions that will enable effective execution of their quality assurance lifecycle across each ASAP phase.
     ASAP phases: Project Preparation, Business Blueprint, Realization, Final Prep, Go Live Support, Operate
     Solutions: SAP Solution Manager; Business Blueprint; Business Process Change Analyzer (BPCA); SAP ASAP Methodology; SAP Quality Center by HP; SAP LoadRunner by HP; SAP Test Data Migration Server; SAP Service Virtualization by HP; SAP Test Acceleration & Optimization; SAP Solution Manager Adapter; SAP Fortify by HP and SAP NW Code Vulnerability Analyzer
     Activities: Test Management; Functional Testing; Refresh non-Production Data; Performance Testing; Test Result Analysis; Virtualize Processes & Services; Confirm Successful Test Executions; Application Security Testing
  18. Application Security Testing Solutions
     • Manual Source Code Review
     • DAST (Dynamic Application Security Testing): find vulnerabilities in the running application
       - Manual Application Penetration Testing
       - Automated Application Vulnerability Scanning
     • SAST (Static Application Security Testing): find vulnerabilities by analyzing the sources, including the SAP NetWeaver Application Server add-on for code vulnerability analysis (CVA)
       - Automated Source Code Analysis: SAP Fortify by HP
     Finding security issues at design time instead of in production is easier and less expensive!
  19. SAP Fortify by HP
     Secures diverse and highly accessible ABAP and non-ABAP based applications
     • Build trust across the entire software landscape
     • Quickly find, triage and fix security vulnerabilities
     • Delivers detailed, line-of-code guidance
     • Identifies critical security issues early
     • Integrated with development environments like the SAP ABAP development environment (SE80)
  20. Capabilities of SAP Fortify by HP
     Get proactive with holistic, centralized software security
     • Addresses the complete spectrum of application security needs
     • Shared collaboration environments, predefined templates, and audit tools
     • Establishes repeatable, automated processes
     • Real-time, interactive dashboards show key results
     • Two-tier testing approach pinpoints the root cause of vulnerabilities with line-of-code detail
     • Helps meet internal and external security and quality mandates
  21. Application security benefits: minimizing risk, driving business agility
     • Reduce risk with minimal effort and operational costs
     • Deliver measurable business and strategic value
     • Meet government and industry compliance regulations
     • Build a security culture throughout your organization
  22. Solution Overview
  23. Application Security Vulnerability Examples: SQL Injection Explained
     1. Attacker submits extra input, e.g. or '1'='1, in a login field or other input variable
     2. The input ends up as part of the SQL arguments used to retrieve data, so the attacker controls the query
     3. DB schema identified; attacker extracts usernames, passwords, credit card info
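     The three steps above come down to one coding defect: untrusted input is pasted into the text of a SQL statement, so a quote character in the input changes the statement's structure. The following Python/sqlite3 snippet is an added example, not part of the webinar deck or of SAP Fortify; the users table, its placeholder password hashes and the function names are constructed for illustration. It shows the same lookup written the vulnerable way (string concatenation) and the fixed way (a bound parameter), and a `demo()` that runs both against a tautology input of the kind the slide describes so the difference is visible.

```python
import sqlite3

# Constructed sample data (not from the webinar): a tiny users table with
# placeholder hash values so the example runs offline.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "HASH_PLACEHOLDER_1"),
    ("bob", "bob@example.com", "HASH_PLACEHOLDER_2"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the caller-supplied value is concatenated into the SQL text.

    A quote in `username` closes the literal early, and whatever follows is
    parsed as SQL, which is exactly step 2 on the slide (attacker controls the
    arguments used to retrieve data).
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """FIXED: the value is passed as a bound parameter, never as SQL text.

    The driver hands the value to the engine separately from the statement,
    so it can only ever be compared as data; quotes in it have no effect on
    the query structure.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a tautology input.

    Returns the row counts so the difference can be checked programmatically.
    The tautology input is the classic form referred to on the slide; it turns
    the vulnerable query into  ... WHERE username = 'x' OR '1'='1'  which
    matches every row.
    """
    conn = make_db()
    normal = "alice"
    tautology = "x' OR '1'='1"
    results = {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_tautology": len(lookup_safe(conn, tautology)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

     The parameterized form is what a static analyzer such as the SAST tools discussed in this deck flags for: it reports the concatenation in `lookup_vulnerable` as a tainted data flow from an input to a query sink, while `lookup_safe` produces no finding because the input never reaches the statement text.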
  24. Application Security Vulnerability Examples: SQL Injection In Action
     (screenshots: identified input field; first test it out; users table available)
  25. Application Security Vulnerability Examples: SQL Injection In Action
     (screenshots: construct attack string; extract full name, username and (hashed) passwords)
  26. Enterprise Application Security System: Application Security Assessment Summary (SAST and DAST, SQL Injection)
  27. Enterprise Application Security System: Application Security Vulnerability Review, application line-of-code details
  28. Enterprise Application Security System: management, tracking and remediation of enterprise software risk
  29. Enterprise Application Security System: Application Security Reporting
  30. What does Fortify stand for?
     • Fixes reduced from weeks to hours
     • Recurring vulnerabilities are virtually eliminated
     • Improves productivity by automating application security
     • Tightly integrated into standard testing infrastructure
     • Yes! It's used internally by SAP!
     • Find, triage and fix security vulnerabilities no matter where or how your applications are deployed
     • OS agnostic; works with the different programming languages and development platforms that your teams use every day
  31. Polling Question 3
     Would you like SAP to run a security scan on one NetWeaver application in your environment?
     ( ) Yes, please contact me via email to do that
     ( ) Yes, please contact me via phone to do that
     ( ) No, not at the moment
  32. Polling Question 4
     Would you like to be contacted by SAP regarding SAP Fortify by HP?
     ( ) Yes, please contact me via email
     ( ) Yes, please contact me via phone
     ( ) No, not at the moment
  33. Q&A
     Andrew Kay, Application Security Solution Architect, HP Enterprise Security Products
     Andreas Gloege, Director, Quality Assurance Solutions, SAP
  34. Thank You!
     Contact: Justin Bullock, Justin.Bullock@sap.com
  35. APPENDIX
  36. What are application risks? Application Security Vulnerability Examples
     Injection Flaws
     • SQL Injection
     • Header Manipulation
     • Command Injection
     • LDAP and Resource Injection
     • Dynamic Code Evaluation
     • XPath and XML Injection
     • Query String Injection
     • Log Forging
     Broken Authentication & Session Management
     • Excessive Session Timeout
     • Persistent Authentication
     • Sensitive File Persistence
     • Session Cookies Disabled
     • Anonymous Message/Transport Client
     • Weak Cryptographic Hash
     • Insufficient Session IDs
     Direct Object Reference
     • Access Control
     • File Disclosure
     • Path Manipulation
     • Unsafe Reflection
     • Process Control
     Insecure Crypto Storage & Comms
     • Weak / Missing Encryption and Crypto Hashes
     • Weak Tokens and missing timestamps
     • Passwords: Hardcoded, Null/Empty, Plain Text
     • Insecure Randomness
     • Credentials: Hardcoded, Easy to guess
     • Cookie Security: Not using SSL, Persistent
     • Web Server Misconfiguration
     • Insecure Transport
     Info Leak & Improper Errors
     • Privacy Violation & System Info Leak
     • Debug Info and Trace Output
     • Poor Error Handling
     • Unhandled Exceptions
     • Overly Broad Logging
     • Race Conditions
     • Screen and Keyboard Caching
     Cross Site Scripting
     • Reflected XSS
     • Persistent XSS
     • DOM
  37. Supported Languages: Application Security Language Coverage
     • ABAP
     • ASP.NET
     • C / C++
     • C#
     • Classic ASP
     • COBOL
     • ColdFusion
     • Flex / ActionScript
     • HTML
     • Java
     • JavaScript / AJAX
     • JSP
     • Objective-C
     • PHP
     • PL / SQL
     • Python
     • T-SQL
     • VB6
     • VB.NET
     • VBScript
     • XML
