Fortify On Demand and ShadowLabs


  • Speaker note (slide 8): In today’s information-centric world, attackers are after data and business logic that they can manipulate and control: your intellectual property, your customer data (credit card numbers, SSNs, addresses, etc.), your business processes and your trade secrets. With software, protecting one point in the system is not sufficient; the whole pathway to the data must be secure, and a vulnerability anywhere along that path makes the entire system vulnerable. Attackers are ingenious in discovering new pathways. Years ago they started at the network and hardware levels, but those layers have been handled well (the grayed-out area on the slide), so now they go straight to the application layer. This is also useful for explaining why encryption alone is not going to help you with application security.

    1. Fortify On Demand and ShadowLabs. Powered by: PSO eOPS Security Training, October 1st, 2012. Jason Haddix, Director of Penetration Testing. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    2. About the Presenter
       • Jason Haddix (@jhaddix)
       • Director of Penetration Testing at HP/Fortify on their ShadowLabs team
       • Previously worked in HP’s Professional Services as a security consultant, and as an engineer & pen tester for Redspin
       • Frequent attendee, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
       • Contributor/columnist to , , and Hakin9 magazine
       • Serves on the advisory board for the GIAC Penetration Testing curriculum; GSEC, GPEN, and eCPPT certified
    3. About the Presenter • Website: • Presentations:
    4. Why Application Security?
    5. Source:
    6. “We’ve also seen 19,000 new malicious URLs each day in the first half of this year. And 80% of those URLs are legitimate websites that were hacked or compromised.” Sophos Threat Report (first half of 2011)
    7. ...a new web threat emerges every 4.5 seconds...
    8. Attackers are targeting applications
       Layers: Networks, Hardware, Applications
       What attackers are after: Intellectual Property, Customer Data, Business Processes, Trade Secrets
       Security measures already deployed at the network and host layers: Switch/Router security, Firewalls, NIPS/NIDS, VPN, Net-Forensics, Anti-Virus/Anti-Spam, DLP, Host FW, Host IPS/IDS, Vuln. Assessment tools
    9. Why do we care?
       • Your critical business applications face the Internet
       • Regulations and standards (PCI, HIPAA, SOX, etc.)
       • More than 60% of applications have serious flaws
    10. Challenges
       • Difficult to train and retain staff; very difficult to keep skills up to date
       • Constantly changing environment
       • New attacks constantly emerge
       • Compliance requirements
       • Too many tools for various results
    11. Introducing
    12. What is Fortify on Demand?
       • SaaS-based, annual subscription model
       • Large testing team at your fingertips
       • Scale rapidly (10, 100, 1000)
       • The most comprehensive coverage model: verified false positives & manual penetration testing
       • Single portal for consuming results
       • Market-leading analyzers for static and dynamic testing
       • Business logic assessments
       • Unlimited assessments, unlimited users
       • Security branding with the HP FOD logo on web applications
    13. FOD assessment targets: Web, Mobile, Thick Client, API, 3rd Party Binary
    14. Dynamic Testing: three service levels, Baseline, Standard and Premium
    15. Dynamic Testing: Baseline
       • Recommended for low-risk websites (marketing sites, brochure sites, not much change in the application)
       • An automated solution for websites: the WebInspect security scanner
       • All results are manually reviewed by security experts to remove false positives
    16. Dynamic Testing: Standard
       • Recommended for medium-risk websites
       • Use of multiple automated and manual testing solutions
       • All results are manually reviewed by security experts to remove any false positives. Includes penetration testing.
       • Single user perspective
    17. Dynamic Testing: Premium
       • Recommended for high-risk websites
       • Designed for mission-critical technical and business logic vulnerabilities
       • All results are manually reviewed by security experts to remove any false positives. Higher focus on manual penetration testing.
       • Two user perspective
       • Web services
    18. Dynamic Testing service levels
        Level     Automated  False Positive  User      Remediation  Manual Security  Business Logic  Web
                  Scanning   Removal         Accounts  Scan         Testing          Testing         Services
        Baseline  Yes        Yes             1         Yes          -                -               -
        Standard  Yes        Yes             1         Yes          Yes              -               -
        Premium   Yes        Yes             2         Yes          Yes              Yes             Yes
        Custom    Yes        Yes             -         Yes          Yes              Yes             Yes
    19. Terms and Definitions
       Automated Scanning: Fortify On Demand utilizes, as its core technology, HP WebInspect to perform automated crawling and technical auditing of web applications.
       False Positive Removal: For all levels of service (Baseline, Standard, Premium), security assessment results are verified by a team of expert security engineers before results are marked for completion within the Fortify On Demand portal. The Fortify On Demand team confirms that all data provided in the final report is free of false positives.
       User Accounts: Depending on the level of service, the FOD assessment team will utilize either one (1) or two (2) user accounts for exercising the target application. By utilizing more than one account profile during the testing process, the assessment team may recognize a significant number of business logic flaws within the application, for example “Session Hijacking” or “Privilege Escalation”.
       Remediation Scan: For each completed assessment, users may opt to have discovered vulnerabilities retested to confirm remediation efforts were successful. The remediation scan process does not involve a re-scan of the entire application, but a verification of the unique (initially discovered) vulnerabilities.
       Manual Security Testing: For the “Standard” and “Premium” service levels, advanced tools and automated scripts are utilized to assess the target application for non-standard web application security flaws.
       Business Logic Testing: Business logic flaws represent a category of vulnerabilities which cannot be discovered by technical or automated scanning technology. Business logic testing may be leveraged within the Premium level of service and provides approximately 40 hours of manual testing by a team of expert application security engineers.
       Web Services: The Premium level of service provides assessment of (SOAP and REST-based) web services for up to ten (10) web service endpoints.
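The two-account idea in the User Accounts definition (replay what user A can legitimately reach using user B’s session and look for identical 200 responses, which is the classic way to surface horizontal privilege escalation / IDOR) and the Remediation Scan idea (re-issue only the previously found requests rather than re-crawling) as an added Python example. This is not Fortify On Demand or WebInspect code; the toy order API, the session tokens and the order records are constructed for the example, and the vulnerable handler is deliberately missing its ownership check.

```python
"""
Two-account authorization differential test plus a remediation re-test.

Added example, not Fortify On Demand code. Models the "two user perspective":
enumerate the resources each user legitimately owns, then replay each request
with every other user's session. A 200 with an identical body means the
handler authenticated the caller but never checked ownership (IDOR /
horizontal privilege escalation). The toy handlers, tokens and order records
below are constructed for this example.
"""
from dataclasses import dataclass

# Constructed data: two users, one order each.
ORDERS = {
    101: {"owner": "alice", "total": 42.00, "card_last4": "1111"},
    102: {"owner": "bob", "total": 17.50, "card_last4": "2222"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> user


def list_orders(token):
    """Order ids belonging to the caller; correct in both app variants."""
    user = SESSIONS.get(token)
    return [oid for oid, o in ORDERS.items() if o["owner"] == user]


def get_order_vulnerable(token, order_id):
    """Authenticates the caller but never checks ownership (IDOR)."""
    if token not in SESSIONS:
        return 401, None
    order = ORDERS.get(order_id)
    return (404, None) if order is None else (200, order)


def get_order_fixed(token, order_id):
    """Same handler with an ownership check. Returns 404 rather than 403 so
    the existence of other users' order ids is not leaked."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


@dataclass(frozen=True)
class Finding:
    victim: str     # token whose resource was exposed
    attacker: str   # token that retrieved it
    order_id: int


def differential_test(get_order, tokens):
    """Replay every resource each user owns using every other user's session.
    Only resources the owner could actually reach (200) are compared."""
    findings = []
    for victim in tokens:
        for order_id in list_orders(victim):
            status_v, body_v = get_order(victim, order_id)
            if status_v != 200:
                continue  # owner could not reach it either; nothing to compare
            for attacker in tokens:
                if attacker == victim:
                    continue
                status_a, body_a = get_order(attacker, order_id)
                if status_a == 200 and body_a == body_v:
                    findings.append(Finding(victim, attacker, order_id))
    return findings


def retest(get_order, findings):
    """Remediation check: re-issue only the previously found requests and
    return the ones that still succeed, instead of re-crawling everything."""
    return [f for f in findings if get_order(f.attacker, f.order_id)[0] == 200]


if __name__ == "__main__":
    tokens = list(SESSIONS)
    found = differential_test(get_order_vulnerable, tokens)
    for f in found:
        print(f"IDOR: {SESSIONS[f.attacker]} read order {f.order_id} "
              f"belonging to {SESSIONS[f.victim]}")
    print("still open after fix:", retest(get_order_fixed, found))
```

Comparing bodies rather than just status codes matters: an application that returns a generic 200 error page for unauthorized ids would otherwise be flagged on every request. Running the check in both directions (A as attacker of B and vice versa) also catches handlers that only guard one role.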
    20. Static Testing
       Broad support: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, ColdFusion, Flex, HTML, Java, JavaScript/AJAX, JSP, Objective-C, PHP, PL/SQL, Python, T-SQL, VB.NET, VB6, VBScript, XML
       • Unlimited static scans
       • Results verified
       • Unlimited users
       Powerful remediation: insightful analysis and reports, collaboration module
       Fast and scalable: 1-day static turnaround, virtual scan farm
    21. Custom Testing
       • Internal Penetration Testing
       • External Penetration Testing
       • Wireless Penetration Testing
       • Physical Penetration Testing
       • Social Engineering
       • APT Breach Simulation
       • Vulnerability Assessment
       • Internal / External / Web Service / Cloud
       • Mobile Binaries
       • Reverse Engineering
       • Malware Analysis
       • Threat Modeling
       • Embedded Device Testing
       • Secure Code Training
       • Manual Source Code Auditing in other languages
       • Vulnerability Remediation
       • SDLC Implementation & Auditing
    22. Technologies of
    23. World Renowned Technologies
       • Fortify SCA Engine: fully mapped taxonomy of all vulnerability categories (VulnCAT)
       • HP WebInspect Dynamic Engine: largest set of vulnerability checks, 8k+ (SecureBase)
       • TippingPoint & ArcSight: leaders in malware & 0-day research, vulnerability intelligence
    24. Fortify SCA
       • Detects more than 480 types of software security vulnerabilities across 20+ development languages, the most in the industry
       • IDE integration for faster identification earlier in the development lifecycle
       • Mobile application support: iPhone & Android
       Features
       • Pinpoint the root cause of vulnerabilities, down to line-of-code detail
       • Prioritize fixes sorted by risk severity
       • Detailed “fix” instructions, in the development language
    25. HP WebInspect
       • Largest security check database (8k+ dynamic checks)
       • An independent research study showed WebInspect to outperform other enterprise dynamic scanners in application coverage, scoring 99.26% in injection accuracy
       • One of the only dynamic scanners to support web services and true REST APIs
       Features
       • Can integrate with the server runtime to find more vulnerabilities, faster (SecurityScope)
       • Easy and simple export of vulnerabilities to the TippingPoint WAF
       • Powerful macro engine to navigate custom authentication or heavy use of AJAX
       Source:
    26. Behind the Curtain
    27. Security Assessments by Security Professionals
       Targets: Web, Mobile, Thick Client, 3rd Party Binary
       Services: Automated Static/Whitebox Analysis, Manual Source Code Analysis, Automated Dynamic/Blackbox Analysis, Full Web/Mobile Application Penetration Testing
       Engineers: False Positive Reduction
    28. Dynamic Process Flow
    29. Static Process Flow
    30. History
    31. (Some) Team Members
       • Daniel Miessler: Methodology Guru (OWASP, WASC, WAHH), SecLists Project Maintainer
       • Nick Childers: Sr. Researcher and Application Tester, Former Leader of the Shellphish Defcon CTF Team
       • Dennis Antunes: Dynamic Assessment Lead
       • Nick Denarski: Metasploit Contributor and Trainer
       • Bucky Spires: Mobile Assessment Lead
       • Brooks Garret: DVWA Maintainer
       • Andre Gironda: Sr. Application Tester
       • Kevin Lynn: Sr. Application Tester
       • Cash Turner: Sr. Dynamic Application Tester
    32. Community Contributions
    33. Certifications
    34. Repeatable, Highly Technical Methodologies
       • Web Application Security Consortium (WASC)
       • Open Web Application Security Project (OWASP)
       • Penetration Testers Execution Standard (PTES)
       • Web Application Hacker’s Handbook (WAHH)
       Combined 7+ decades of practical application security testing experience
    35. Success Stories
    36. Leading By Example. Over 1000 organizations worldwide have standardized on HP Fortify:
       • 9 of the top 10 major banks
       • 9 of the top 10 software companies
       • All of the top 10 telecoms
       • All major branches of the U.S. DOD
       • All 5 top insurance firms
       • 2 out of 4 top oil and gas companies
       • Many top car manufacturers
       • Big 4 accounting firms
    37. Fortify & FoD Awards: Static Application Testing Leader; Dynamic Application Testing Leader. “At any given time, there are 200 to 300 zero day vulnerabilities only HP knows about”
    38. A CTO’s Perspective on FoD: “I was very impressed by the knowledge and the responsiveness of both the Fortify BU sales and delivery resources. They helped me in building the business case for Application security which was key in establishing client stakeholder support for this initiative. Besides, they also partnered with the account to conduct a PoC which helped showcase our capability to the client. I am very confident based on my own positive experience that anyone in the security officer role could benefit a lot by working closely with the Fortify team to introduce our Application security capabilities to their clients.”
    39. Commonalities of Success: Developing a Winning SDLC
       • Internal app security research
       • External hacking research
       Pipeline stages: Static Source Code Audit; QA & Integration Validation Testing; Production Application Environment Assessment
       HP Fortify solutions across those stages: Static Code Analysis in the IDE (SCA), Static Code Analysis, Dynamic Analysis, Functional Test Integration, Continuous Assessment, Dynamic Penetration Testing, Hybrid Testing
    40. The Future of (Powered By:)
    41. Mobile Application Security • More apps, more problems • Pentest like it’s 1999!
    42. Next Step? • Contact me or David Nester • Discuss our group internally at HP • Schedule a PoV! David Nester ( Jason Haddix (
    43. Questions?