HP provides an Application Security Center that offers solutions across the application lifecycle to help secure applications from development through production. The Center includes DevInspect for development, QAInspect for testing, and WebInspect for production assessments. These integrate with an Assessment Management Platform to manage security activities and compliance reporting across the enterprise. WebInspect in particular helps companies like JC Penney comply with PCI standards by automating web application security testing, reducing assessment time from weeks to hours.
2. HP Application Security Center
Part of the industry’s most comprehensive IT management portfolio
(Portfolio diagram: Business outcomes across three columns; grouping recovered from the slide layout)
STRATEGY: Project & Portfolio Management Center; CIO Office
APPLICATIONS: Quality Management (Quality Center, Performance Center, Application Security Center); SOA Center; CTO Office (SAP, Oracle, SOA, J2EE, .Net)
OPERATIONS: Business Service Management (Business Availability Center, Operations Center); Business Service Automation (Operations Orchestration, Client Automation Center, Data Center Automation Center, Network Management Center); IT Service Management (Service Management Center); Universal CMDB
4. Security Risks have never been greater
Everything has evolved
(Timeline diagram, three rows over time)
Attacks: individual fame, then individual gain, then loose collaboration among groups
Drivers: reliance on web based systems for business transactions; increase in data breaches, online fraud and online attacks
Regulation: internal measures; regulations begin to come into force; wide variety of regulations by industry and geography, new ones under development
5. The Risks are Real
(Collage of news headlines)
• PCI deadline looming: PCI Requirement 6.6 becomes effective on June 30, 2008; requires web sites to be scanned for vulnerabilities or protected
• Hannaford Grocer hit by computer breach; chain says intrusion may expose 4.2m cards; 1,800 fraud cases seen
• Obama web site hacked: hacker redirects Barack Obama's site to hillaryclinton.com using cross-site scripting vulnerability
• Cardsystems out of business
• Web 2.0 vulnerable: hackers move from hobbyists to professionals
• MySpace site shut down by JavaScript worm exploit
• Hack went on for 2 years, 40 million records stolen, company now out of business
6. Cross-Site Scripting (XSS)
• Attacker injects a script in your browser via a vulnerable web application.
− Normally due to faulty input or output validation
• This script accesses information in your browser
− Installs a web keylogger, steals cookies, etc.
7. XSS example
<script type="text/javascript">alert('hello');</script>
11 December 2008
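Slides 6 and 7 describe XSS as a script injected through missing input or output validation; the following added example (not from the HP deck) shows the slide's payload reflected by a page template that concatenates untrusted input, the same template with HTML output encoding, a URL-attribute check, and a coarse detection helper. The template functions, escapeHtml, safeHref and containsScriptElement are assumed names for this illustration.

```javascript
// Added example: reflected XSS caused by missing output encoding, and the fix.
// Not part of the HP presentation; function names and the page template are assumptions.

// Vulnerable: the user-controlled "name" is concatenated straight into HTML,
// so markup inside it becomes part of the page and the browser runs it.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// HTML entity encoding for text placed in an element body or a double-quoted
// attribute. The five characters below are the ones that can change markup
// structure; everything else is passed through unchanged.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fixed: encode on output, at the exact point the untrusted value enters HTML.
// The text still displays as typed, but it can no longer become an element.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Entity encoding alone is not enough for a URL attribute: a "javascript:"
// scheme survives escaping untouched. Resolve the value as a URL and only
// allow http(s); anything else collapses to a harmless "#".
function safeHref(url) {
  try {
    // The base is only used to resolve relative links (assumed placeholder host).
    const parsed = new URL(String(url), "https://example.invalid/");
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
      return "#";
    }
    return escapeHtml(parsed.href);
  } catch {
    return "#";
  }
}

// Coarse check used by the test below: does the rendered HTML contain a real
// <script> element? Escaped text ("&lt;script") does not match.
function containsScriptElement(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// The slide's own payload, constructed here as the sample input.
const SLIDE_PAYLOAD = '<script type="text/javascript">alert(\'hello\');</script>';

// Stand-alone demonstration: the unsafe template ships the script element,
// the safe template ships inert text.
console.log("unsafe:", renderGreetingUnsafe(SLIDE_PAYLOAD));
console.log("safe:  ", renderGreetingSafe(SLIDE_PAYLOAD));
console.log("href:  ", safeHref("javascript:alert(1)"), safeHref("https://www.hp.com/"));
```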
9. MySpace XSS Worm
• 10/04, 12:34 pm: You have 73 friends.
I decided to release my little popularity program. I'm going to be famous...among my friends.
• 1 hour later, 1:30 am: You have 73 friends and 1 friend request.
One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning.
• 7 hours later, 8:35 am: You have 74 friends and 221 friend requests.
Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
• 1 hour later, 9:30 am: You have 74 friends and 480 friend requests.
Oh wait, it's exponential, isn't it. Shit.
• 1 hour later, 10:30 am: You have 518 friends and 561 friend requests.
Oh crap. I'm getting messages from people pissed off that I'm their friend when they didn't add me. I'm also getting emails saying "Hey, how the hell did you get onto my myspace....not that I mind, you're hot". From guys. But more girls than guys. This actually isn't so bad. The girls part.
• 3 hours later, 1:30 pm: You have 2,503 friends and 6,373 friend requests.
I'm canceling my account. This has gotten out of control.
• 5 hours later, 6:20 pm: I timidly go to my profile to view the friend requests. 2,503 friends. 917,084 friend requests.
I refresh three seconds later. 918,268. I refresh three seconds later. 919,664 (screenshot below). A few minutes later, I refresh. 1,005,831.
• It's official. I'm popular.
10. The Costs to the Enterprise are Enormous
• Costs incurred for
− Discovery, response, and notification
− Lost employee productivity
− Regulatory fines
− Customer losses
• The total cost* of a data breach ranges from $90 to $305 per compromised record
• Cost of a single breach may run into millions or even billions of dollars
From scans of over 31,000 sites, over 85% showed a vulnerability that could give hackers the ability to read, modify and transmit sensitive data.
-- Web Application Security Consortium
*Forrester Research, “Calculating The Cost Of A Security Breach” April, 2007
11. Applications are the target
Applications: Unprotected and ignored
Servers: Protected by intrusion prevention
Network: Secured by firewall
“75% of hacks happen at the application.”
- Gartner “Security at the Application Level”
12. Vulnerabilities exist within the apps themselves, so security can’t be “bolted on”
Application teams must bridge the gap
Security professionals don’t know the applications
Application developers and QA professionals don’t know security
13. HP Application Security Center
Security for the Application lifecycle
Enterprise application security assurance
Code: Source code validation (DevInspect)
Test: QA testing (QAInspect)
Production: Production assessment (WebInspect)
Assessment Management Platform: Enterprise security assurance
HP Web Security Research Group: Continuous updates
• Internal app security research and reporting
• External hacking research
14. DevInspect
Find, Fix and Protect: Accelerate Secure Application Development
Key Benefits
• Find security defects in development
− Unique Hybrid Analysis technology (Static Code Analysis + Dynamic Testing) provides the most accurate results
• Fix Defects Automatically
− HP SecureObjects technology fixes defects, hardens applications against attack
• Supports most popular web development languages
− C#, VB.NET, Java
• Integrations with leading IDEs
− Microsoft Visual Studio (2005 and 2008)
− IBM Rational Application Developer
− Eclipse
15. HP QAInspect
Automated security testing for quality assurance teams and engineers
Key benefits
• Automated Security Defect discovery
− Automatically finds and prioritizes security defects in a Web application
• Integrated with Quality Center
− Manage security testing within existing QM methodology
− Correct security defects early in application lifecycle
• Lower Application Risk
− Ensures compliance with government regulations
− Less exposure to application downtime
• Targeted Security Testing
− Holistic or targeted application security tests depending upon requirements
• Built in Knowledgebase
− Built-in Security Expertise combines daily updates of vulnerability checks with unique intelligent engines.
− Comprehensive defect information and remediation advice about each vulnerability
16. HP WebInspect
For Security Professionals and Advanced Security Testers
Key Benefits
• Find security defects during production or before you go live
− Determine the current security status of your web or web service applications
− Remediation advice for Development, QA and Operations
• Accelerate Regulatory Compliance
− Includes reports for more than 20 laws, regulations, and best practices, like SOX, HIPAA, PCI
• Support for the latest web technologies
− Supports the latest AJAX and JavaScript rich internet applications
• Advanced Security Toolkit
− Highly automated while allowing hands-on control
− Advanced toolkit for penetration testers
• Create customized reports and policies
− Custom checks, report templates, policies, compliance reports
17. HP Assessment Management Platform
Assess and manage application security risk across the enterprise
Key Benefits
• Controlled Visibility
− Centralize all application security data
− View and report on assessments conducted anytime by anyone
− Strict access control of sensitive data
• Scalability
− Multi-scanner arrays amplify existing personnel to scan more systems faster
• Managed Self-Service
− Allow low-usage customers to scan themselves via web portal
• Control Sensitive Security Activities
− Set user permissions, enforce policies and restrict activities
− DevInspect, QAInspect, AMP Sensors and WebInspect
SC Awards 2008 winner for “Best Enterprise Security Solution”
18. HP Application Security Center
(Architecture diagram)
Dashboard
Assessment Management Platform: Policy and compliance; Centralized administration; Vulnerability and risk management; Alerts and reporting; Distributed scanning
DevInspect (Microsoft Visual Studio, IBM RAD, Eclipse); QAInspect (HP Quality Center); WebInspect (Production Application Assessment)
Foundation: Intelligent engines; Hybrid analysis; Security toolkit; Reporting; SecureBase; SmartUpdate; Open APIs
19. Secure your outcome with Application Security Center
A complete application lifecycle solution
DevInspect’s hybrid analysis ensures code under development is secure
QAInspect verifies the security of the entire application during QA
WebInspect provides pre- and post-production application and environment security analysis
Assessment Management Platform enforces security policies and manages activities across the lifecycle
20. What Do We Check for
Server and general HTTP
• Secure Sockets Layer (SSL) certificate issues
• SSL protocols
• SSL ciphers
• Server misconfiguration
• Directory indexing and enumeration
• Denial of Service (DoS)
• HTTP response splitting
• Encoding attacks
• Windows 8.3 file name
• DOS device handle DoS
• Canonicalization attacks
• URL redirection attacks
• Password autocomplete
• Cookie security
• Custom fuzzing
• Path manipulation—traversal
• Path truncation
• Ajax auditing
• WebDAV auditing
• Web services auditing
• File enumeration
• Information disclosure
• Directory and path traversal
• Spam gateway detection
• Brute force authentication attacks
• Known application and platform vulnerabilities
Data injection and manipulation attacks
• Reflected cross-site scripting (XSS)
• Persistent cross-site scripting (XSS)
• Cross-site request forgery
• SQL injection
• Blind SQL injection
• Buffer overflows
• Integer overflows
• Log injection
• Remote File Include (RFI) injection
• Server Side Include (SSI) injection
• Operating system command injection
• Local File Include (LFI)
Sessions and authentication
• Session strength
• Authentication attacks
• Insufficient authentication
• Insufficient session expiration
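The slide names the checks without showing what any of them looks like. As an added example (not WebInspect’s code, and not a claim about how its checks are implemented), the passive checks below cover four of the listed items, cookie security, information disclosure, password autocomplete and directory indexing, over a constructed HTTP response; the heuristics are deliberately simple.

```python
import re

def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = [tuple(s.strip() for s in l.split(":", 1)) for l in lines if ":" in l]
    return status, headers, body

def values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]

def check_cookies(headers):
    """Cookie security: flag Set-Cookie values lacking Secure or HttpOnly."""
    out = []
    for cookie in values(headers, "Set-Cookie"):
        name, *attrs = [p.strip() for p in cookie.split(";")]
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        for flag in ("secure", "httponly"):
            if flag not in flags:
                out.append(f"cookie {name.split('=', 1)[0]} missing {flag}")
    return out

def check_info_disclosure(headers):
    """Information disclosure: Server / X-Powered-By revealing a version number."""
    return [f"{h} header discloses version: {v}"
            for h in ("Server", "X-Powered-By") for v in values(headers, h)
            if re.search(r"\d+\.\d+", v)]

def check_body(body):
    """Password autocomplete and directory indexing, judged from the HTML body."""
    out = []
    for tag in re.findall(r"<input\b[^>]*>", body, re.I):
        if (re.search(r'type\s*=\s*"?password', tag, re.I)
                and not re.search(r'autocomplete\s*=\s*"?off', tag, re.I)):
            out.append("password field allows autocomplete")
    if re.search(r"<title>\s*Index of /", body, re.I):
        out.append("directory indexing enabled")
    return out

def scan(raw):
    _, headers, body = parse_response(raw)
    return check_cookies(headers) + check_info_disclosure(headers) + check_body(body)
# Constructed sample response (not real traffic) exhibiting all four weaknesses.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix)\r\n"
          "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
          "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
          "Content-Type: text/html\r\n\r\n<html><head><title>Index of /backup</title>"
          '</head><body><form><input type="text" name="user"><input type="password" name="pw"></form></body></html>')
```

Running `scan(SAMPLE)` reports the two missing cookie flags, the version-bearing Server header, the autocomplete-enabled password field and the directory listing; the second cookie, which carries both flags, produces no finding.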
21. Compliance Manager: Addresses the Following Best Practices and Legal Regulatory Initiatives:
• Health Insurance Portability and Accountability Act (HIPAA)
• Federal Information Security Management Act (FISMA)
• North America Electric Reliability Council (NERC)
• California Online Privacy Protection Act
• Safe Harbor
• Payment Card Industry (PCI) Data Security Policy
• UK Data Protection Act
• Basel II
• ISO 17799
• OWASP top 10
• California SB1386
• Gramm-Leach Bliley Act (GLBA)
• Sarbanes-Oxley Act, Section 404
• 21CFR11
• NIST 800-53
• Director of Central Intelligence Directive 6/3 (DCID)
• Children’s Online Privacy Protection Act (COPPA)
• Japan Personal Information Protection Act (JPIPA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
22. HP Web Security Research Group
• Formerly known as SPI Labs
• Industry-leading research group focused on the latest web security vulnerabilities and technologies
• Ensures that the latest vulnerability updates are delivered within 24 hours of their discovery to your desktop using HP SmartUpdate
23. HP Application Security Services
HP Application Security Services can help you jumpstart your Application Security programs and see results quickly
24. The HP difference
Application Security Center leadership
Used by the world’s leading companies*
• 5 of the top 6 banks
• 5 of the top 6 diversified financials
• 3 of the top 4 food markets
• 4 of the top 6 insurance companies
• 5 of the top 7 overall
* Forbes Global 2000
Award winning
SC Magazine awarded ASC and AMP 2008 winner for “Best Enterprise Security Solution”
Accelerates the process of managing your application risk
“Reduced the security validation cycle for the critical web applications from one week to one hour”
- Jes Beirholm, End2End
25. JC Penney
On-Line Retailer
“I can’t say enough good things about WebInspect. It’s an incredible tool. It’s unbelievably fast. And it’s so much more accurate than anything else that we’ve tried.”
Security Engineer for intrusion prevention team
Objective
• Required to comply with Payment Card Industry (PCI) Standard
• Manual web application assessments were too expensive and time consuming
Approach
• Began using HP WebInspect for automated assessments
• Used HP Assessment Management Platform to build an enterprise-wide secure web application development lifecycle
• Purchased HP DevInspect to help developers build secure applications
Results
• Complete web application assessments in hours—not days or weeks
• Rapid assessment enables continuous compliance with PCI DSS and other regulations
26. Sony Pictures
Global Entertainment Company
“The key has been our ability to gain security visibility into the development and quality assurance processes, and express quality in terms of actionable security defects that need to be fixed.”
VP of Enterprise Architecture and Planning
Objective
• Coordinate 25 development teams across eight business units
• Needed an easily managed, quick-to-deploy, accurate web application vulnerability scanner
• Needed to promote collaboration across the company’s development, security, audit, & management teams
Approach
• Implemented HP WebInspect and HP QAInspect for HP Quality Center
• Integrated security testing with existing quality assurance processes and activities
• Automated web application security testing from within HP Quality Center using HP QAInspect
Results
• Maintained fast-moving production schedule
• Enabled QA & dev teams to standardize the defect management process
• Helped ensure compliance with Sarbanes-Oxley & privacy laws from other countries
27. Hewlett-Packard
Global Technology Company
HP is a technology solutions provider to consumers, businesses and institutions globally. The company’s offerings span IT infrastructure, global services, business and home computing, and imaging & printing.
Objective
• Reduce risk to the business by meeting the demand of scanning thousands of applications a year
• Assist the application developer community with embedding security throughout the system development life cycle and, in turn, help with creating secure applications
Approach
• By implementing the HP Assessment Management Platform, HP was able to integrate security testing into existing go-live processes
• HP used the AMP WebServices API to integrate AMP with existing systems and automate assessment configuration
Results
• Significantly reduced the risk to the business by allowing all applications to receive a security assessment before going live
• Fewer security defects—applications launched without any significant security defects
• Integrated security testing has become a core part of the application deployment process for all of HP
28. Key things to remember
Web Security Risk has never been greater
The ASC is an integrated solution for the entire application security lifecycle
Scales from small teams to the entire organization
32. HP Software approach to Application quality management
Diagram: the real application lifecycle. Strategic control (Demand management, Portfolio management, application impact, change points mapping), End-user requirements, Business validation. Phases: Strategy, Plan, Define/design, Develop/test, Launch, Operate. Projects and programs, Portfolio lifecycle mgmt., Demand, New deployment, then repeated Fix/patch and Minor release cycles. Full Quality process at launch; Accelerated Quality process for subsequent releases.
Three pillars of quality: Does it work? FUNCTIONALITY | Does it perform? PERFORMANCE | Is it secure? SECURITY
33. Integrating Security Into the Quality Process
Align with management and stakeholders
Stages: STRATEGY / REQUIREMENTS, DEMAND MANAGEMENT, RISK-BASED TEST MANAGEMENT, TEST PLANNING AND EXECUTION, Go/No Go, OPERATIONS; DEFECT MANAGEMENT spans the whole process.
Quality Teams
• Strategic demand (new apps, new services, integrations) and operational demand (defects, enhancements, change requests)
• Business requirements, functional requirements, performance requirements, security requirements and other non-functional requirements
• Assess and analyze risk; establish priorities; create test plans
• Create manual test cases; automate regression test cases; create performance scripts and scenarios
• Execute functional tests; execute tests, diagnose and resolve problems
• Connect to production; integrate with demand; production monitoring; service desk
Security Teams
• Security-related requirements, business security policies, enterprise security policies, security/privacy compliance requirements
• Risk management, threat model, attack surface analysis, security policies
• Identify and customize security scans; execute security scans
• Hybrid analysis: dynamic analysis (black box testing) and static analysis
Enterprise Architecture: policies
Developers: defect management
34. HP Application Security Center
HP Application Security Center
Dashboard
Assessment Management Platform: Policy and compliance | Centralized administration | Vulnerability and risk management | Alerts and reporting | Distributed scanning
DevInspect (Microsoft Visual Studio, Eclipse, IBM RAD) | QAInspect (HP Quality Center) | WebInspect (Production Application Assessment)
Foundation: Intelligent engines | Hybrid analysis | Security toolkit | Reporting | SecureBase | SmartUpdate | Open APIs