Rational application-security-071411
Slide 1: IBM Security Solutions
  IBM Rational Application Security

Slide 2: Agenda
  - Current Trends in Application Security
  - The Solution
  - Strategies for Customer Success
  - Rational AppScan Suite
  - IBM Application Security Coverage

Slide 3: Executive Summary
  - Web applications are the greatest source of risk for organizations
  - Rational Application Security enables organizations to address the root cause of this risk
  - AppScan leverages a mix of technologies (static & dynamic)
  - AppScan is a key part of IBM Security's full solution view of application security
  Rational AppScan Suite enables Comprehensive Application Vulnerability Management

Slide 4: The Costs from Security Breaches are Staggering
  - 285 million records compromised in 2008 (Verizon 2009 Data Breach Investigations Report)
  - $204 cost per compromised record (Ponemon 2009-2010 Cost of a Data Breach Report)
  - Translates to $58.1B cost to corporations

Slide 5: Sources of Security Breach Costs
  Unbudgeted costs:
  - Customer notification / care
  - Government fines
  - Litigation
  - Reputational damage
  - Brand erosion
  - Cost to repair
  Chart: damage to the enterprise (1x, 10x, 1,000,000x) for a security flaw versus a functional flaw, by the phase in which it is found (development, test, deployment)

Slide 6: Web Applications are the Greatest Risk to Organizations
  - Web application vulnerabilities represented the largest category in vulnerability disclosures
  - In 2009, 49% of all vulnerabilities were Web application vulnerabilities
  - SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
  Source: IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report

Slide 7: Why are Web Applications so Vulnerable?
  - Developers are mandated to deliver functionality on time and on budget, but not to develop secure applications
  - Developers are not generally educated in secure coding practices
  - Product innovation is driving development of increasingly complicated software for a Smarter Planet
  - Network scanners won't find application vulnerabilities, and firewalls/IPS don't block application attacks
  - Volumes of applications continue to be deployed that are riddled with security flaws... and are non-compliant with industry regulations

Slide 8: Clients' Security Challenges in a Smarter Planet
  Key drivers for security projects:
  - Increasing complexity: soon there will be 1 trillion connected devices in the world, constituting an "internet of things"
  - Rising costs: the cost of a data breach increased to $204 per compromised customer record
  - Ensuring compliance: spending by U.S. companies on governance, risk and compliance will grow to $29.8 billion in 2010
  Source: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html

Slide 9: Market Drivers
  - Regulatory & standards compliance:
    - eCommerce: PCI-DSS, PA-DSS
    - Financial services: GLBA
    - Energy: NERC / FERC
    - Government: FISMA
  - User demand: rich application demand is pushing development to advanced code techniques; Web 2.0 is introducing more exposures
  - Cost cutting in the current economic climate demands increased efficiencies
  Headlines:
  - "Cyber Blitz Hits U.S., Korea Websites" (WSJ, July 9th, 2009)
  - "Web-based malware up 400%, 68% hosted on legitimate sites" (ZDNet, June 2008)
  - "Hackers Break Into Virginia Health Website, Demand Ransom" (Washington Post, May 2009)
Slide 10: Agenda (section divider: The Solution)

Slide 11: The Solution: Security for Smarter Products
  - Smarter Products require secure applications
  - Security needs to be built into the development process and addressed throughout the development lifecycle
  - Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:
    - Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders
    - Leverage multiple appropriate testing technologies (static & dynamic analysis)
    - Provide effortless security that allows development to be part of the solution
    - Support governance, reporting and dashboards
    - Can facilitate collaboration between development and security teams

Slide 12: Cost is a Significant Driver
  80% of development costs are spent identifying and correcting defects!*
  The increasing cost of fixing a defect:
  - During the coding phase: $80/defect
  - During the build phase: $240/defect
  - During the QA/testing phase: $960/defect
  - Once released as a product: $7,600/defect, plus lawsuits, loss of customer trust and damage to brand
  * National Institute of Standards & Technology
  Source: GBS industry standard study
  Defect cost is derived assuming it takes 8 hours to find, fix and repair a defect found in code and unit test. The defect FFR (find, fix, repair) cost for the other phases is calculated by applying the multiplier to a blended rate of $80/hr.

Slide 13: Make Applications Secure by Design: Cycle of Secure Application Development
  - Design phase
    - Consideration is given to the security requirements of the application
    - Issues such as required controls and best practices are documented on par with functional requirements
  - Development phase
    - Software is checked during coding for implementation-error vulnerabilities and for compliance with security requirements
  - Build & test phase
    - Testing begins for errors and compliance with security requirements across the entire application
    - Applications are also tested for exploitability in the deployment scenario
  - Deployment phase
    - Configure infrastructure for application policies
    - Deploy applications into production
  - Operational phase (manage, monitor & defend)
    - Continuously monitor applications for appropriate application usage and vulnerabilities, and defend against attacks
  Diagram labels: Design, Functional Spec, Develop, Build & Test, Deploy, Outsourcing Partner, Software

Slide 14: ROI Opportunity of Application Security Testing
  Cost savings from testing early in the development process (ALM):
  - 80% of development costs are spent identifying and correcting defects; testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense
  - Cost of finding & fixing problems: $80 at the code stage, $960 at QA/testing*
  - Example: with 50 applications annually and 25 issues per application, testing at the code stage saves $1.1M over testing at the QA stage
  Cost savings from automated vs. manual testing:
  - Outsourced audits can cost $10,000 to $50,000 per application
  - At $20,000 an application, 50 audits will cost $1M
  - With 1 hire + 4 quarterly outsourced audits (e.g. $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software)
  - Automated testing provides tremendous productivity savings over manual testing
  - Automated source code testing with periodic penetration testing allows for cost-effective security analysis of applications
  Cost avoidance of a security breach:
  - The cost to companies is $204 per compromised record**
  - The average cost per data breach is $6.6 million**
  - Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage
  * Source: GBS industry standard study
  ** Source: Ponemon Institute 2009-10
Slide 15: Agenda (section divider: Strategies for Customer Success)

Slide 16: Application Security Maturity Model
  Phases over time (duration 1-2 years), plotted against the view of application testing coverage:
  - Unaware: doing nothing
  - Corrective: outsourced testing
  - Bolt on: security testing before deployment
  - Built in: fully integrated security testing

Slide 17: Security Testing Within the Software Lifecycle
  Chart: % of issues found by stage of the SDLC (Build, Coding, QA, Security, Production). Most issues are found by security auditors prior to going live.

Slide 18: Security Testing Within the Software Lifecycle: Desired Profile
  Chart: % of issues found by stage of the SDLC (Build, Coding, QA, Security, Production), showing the desired profile.

Slide 19: Security Testing Within the Software Lifecycle: Application Security Testing Maturity
  Chart: the same SDLC stages (Build, Coding, QA, Security, Production), with three of the stages labelled "Developers".

Slide 20: Agenda (section divider: Rational AppScan Suite)

Slide 21: Rational ALM Integrations
  Diagram of AppScan editions placed along the application lifecycle lanes:
  - Development (Application Developer): Rational AppScan Source Ed Developer, Source Ed Remediation, Enterprise QuickScan
  - Build (Build Forge): Rational AppScan Source for Automation, Standard Ed
  - QA (Quality Manager, ClearQuest): Rational AppScan Tester Ed for RQM, Rational AppScan Enterprise portal, Rational AppScan Source Ed Core
  - Security and Compliance: Rational AppScan Standard Ed, Source Ed for Security

Slide 22: Security Testing Technologies: Combination Drives Greater Solution Accuracy
  - Static code analysis (whitebox): scanning source code for security issues
  - Dynamic analysis (blackbox): performing security analysis of a compiled application
  Diagram: of the total potential security issues, static analysis and dynamic analysis each cover a part; combining the two gives the best coverage.

Slide 23: Agenda (section divider: IBM Application Security Coverage)

Slide 24: IBM Web Application Security for a Smarter Planet: End-to-End Web Application Security
  - Rational AppScan: secure code development and vulnerability management
    - Identify vulnerabilities and malware
    - Actionable information to correct the problems
  - Tivoli I&AM: manage secure Web applications
    - Ongoing management and security with a suite of identity and access management solutions
  - ISS IPS: protect Web applications from potential attacks
    - Block attacks that aim to exploit Web application vulnerabilities
    - Integrate Web application security with existing network infrastructure
  - WebSphere DataPower: deliver security and performance in Web services and SOA
    - Purpose-built XML and SOA solutions for security and performance

Slide 25: (closing slide, no content)