Fortify On Demand and ShadowLabs




   PSO eOPS Security Training
   October 1st, 2012
   Jason Haddix
   Director of Penetration Testing
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
About the Presenter

 •   Jason Haddix (@jhaddix)

       • Director of Penetration Testing at HP/Fortify on their ShadowLabs team.
       • Previously worked in HP’s Professional Services as a security consultant,
         and an engineer & pen tester for Redspin.
       • Frequent attender, presenter, & CTF participant at security cons such as
         Defcon, BlackHat, Brucon, DerbyCon, etc.
       • Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and
         Hakin9 magazine.
       • Serves on the advisory board for the GIAC Penetration Testing curriculum
         and is GSEC, GPEN, and eCPPT certified.
About the Presenter

       •   Website: www.SecurityAegis.com

       •   Presentations:
Why Application Security?
Source: http://xkcd.com/327/
“We've also seen 19,000 new malicious URLs each day in the first half of this year. And,
 80% of those URLs are legitimate websites that were hacked or compromised.”

         Sophos Threat Report (First half of 2011)

...a new web threat emerges every 4.5 seconds...
Attackers are targeting applications

   Traditional security measures protect the network and hardware layers:

     •   Switch/Router security
     •   Firewalls
     •   NIPS/NIDS
     •   VPN
     •   Net-Forensics
     •   Anti-Virus/Anti-Spam
     •   DLP
     •   Host FW
     •   Host IPS/IDS
     •   Vuln. Assessment tools

   What attackers are after sits behind the application layer:

     •   Intellectual Property
     •   Customer Data
     •   Business Processes
     •   Trade Secrets
Why do we care?

 •   Your critical business applications face the Internet
 •   Regulations and Standards (PCI, HIPAA, SOX, etc.)
 •   More than 60% of applications have serious flaws
Challenges

 •   Difficult to train and retain staff - very difficult to keep skills up-to-date

 •   Constantly changing environment

 •   New attacks constantly emerge

 •   Compliance Requirements

 •   Too many tools for various results
Introducing




What is Fortify on Demand?

 •   SaaS-based, annual subscription model
 •   Unlimited assessments, unlimited users
 •   The most comprehensive coverage model: verified false positives & manual penetration testing
 •   Single portal for consuming results
 •   Market-leading analyzers for static and dynamic testing
 •   Business logic assessments
 •   Large testing team at your fingertips
 •   Scale rapidly (10, 100, 1000)
 •   Security branding with the HP FOD logo on web applications
FOD assessment targets: Web, Mobile, Thick Client, 3rd Party API, Binary
Dynamic Testing

   Application assessment service levels: Baseline, Standard, Premium
Dynamic Testing

   Baseline
     •   Recommended for Low Risk Websites (Marketing Sites, Brochure, Not much
         change in the application)
     •   An automated solution for Websites: WebInspect security scanner
     •   All results are manually reviewed by security experts to remove false positives

   Standard
     •   Recommended for Medium Risk Websites
     •   Use of multiple automated and manual testing solutions
     •   All results are manually reviewed by security experts to remove any false
         positives. Includes penetration testing.
     •   Single User Perspective

   Premium
     •   Recommended for High Risk websites
     •   Designed for mission-critical technical and business logic vulnerabilities
     •   All results are manually reviewed by security experts to remove any false
         positives. Higher focus on manual penetration testing.
     •   Two User Perspective
     •   Web Services
Dynamic Testing

   Service level   Automated   False Positive   User       Remediation   Manual Security   Business Logic   Web
                   Scanning    Removal          Accounts   Scan          Testing           Testing          Services
   Baseline        Yes         Yes              1          Yes           -                 -                -
   Standard        Yes         Yes              1          Yes           Yes               -                -
   Premium         Yes         Yes              2          Yes           Yes               Yes              Yes
   Custom          Yes         Yes              -          Yes           Yes               Yes              Yes
Terms and Definitions

Automated Scanning: Fortify On Demand utilizes, as its core technology, HP WebInspect to perform automated crawling and technical auditing
of Web Applications.

False Positive Removal: For all levels of service (Baseline, Standard, Premium), security assessment results are verified by a team of expert
Security Engineers before results are marked as complete within the Fortify On Demand Portal. The Fortify On Demand team confirms that all
data provided in the final report is free of false positives.

User Accounts: Depending on the level of service, the FOD assessment team will utilize either one (1) or two (2) user accounts for exercising the
target application. By utilizing more than one account profile during the testing process, the assessment team can recognize a significant
number of Business Logic flaws within the application, since a request recorded under one account can be replayed under the other and the
responses compared. Examples of this may be “Session Hijacking” or “Privilege Escalation”.

Remediation Scan: For each completed assessment, users may opt to have discovered vulnerabilities retested to confirm that remediation efforts
were successful. The remediation scan process does not involve a re-scan of the entire application, but a verification of the unique (initially
discovered) vulnerabilities.

Manual Security Testing: For service levels “Standard” and “Premium”, advanced tools and automated scripts are utilized to assess the target
application for non-standard web application security flaws.

Business Logic Testing: Business Logic flaws represent a category of vulnerabilities which cannot be discovered by technical or automated
scanning technology. Business Logic testing may be leveraged within our Premium Level of Service and provides approximately 40 hours of
manual testing by a team of expert Application Security Engineers.

Web Services: The Premium level of service provides the assessment (SOAP and REST-based) of Web Services for up to ten (10) Web Service
endpoints.
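The “User Accounts” and “Remediation Scan” definitions above describe two testing steps without showing how they are carried out. The script below is an added example written for this page; it is not FoD or WebInspect code. It stands in for a web application with a small in-memory function (constructed; hypothetical `/me` and `/invoices/<id>` routes, session tokens `tok-alice` and `tok-bob`), records the requests a crawl made as user A, replays each of them as user B and as an unauthenticated client, and flags any request where the other party receives the same successful response A received, which is the signature of a missing authorization check (a horizontal privilege escalation, or IDOR). The remediation step then re-runs only the reported findings against the fixed application rather than re-crawling everything.

```python
"""Two-account differential authorization test plus targeted retest.

Added example, not code from the original deck or from HP/Fortify. The
application, routes, session tokens and data below are all constructed so
the script runs offline.
"""
from dataclasses import dataclass

# Constructed sessions: a valid token maps to a user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed resource store: invoices owned by users.
INVOICES = {
    "1001": {"owner": "alice", "total": "120.00"},
    "1002": {"owner": "bob", "total": "75.50"},
}


@dataclass
class Response:
    status: int
    body: str


def vulnerable_app(method, path, token):
    """Authenticates the caller but never checks object ownership (IDOR)."""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401, "login required")
    if method == "GET" and path.startswith("/invoices/"):
        inv = INVOICES.get(path.rsplit("/", 1)[1])
        if inv is None:
            return Response(404, "not found")
        return Response(200, f"invoice owner={inv['owner']} total={inv['total']}")
    if method == "GET" and path == "/me":
        return Response(200, f"user={user}")
    return Response(404, "not found")


def fixed_app(method, path, token):
    """Same routes, with an ownership check on the object-level route."""
    user = SESSIONS.get(token)
    if user is None:
        return Response(401, "login required")
    if method == "GET" and path.startswith("/invoices/"):
        inv = INVOICES.get(path.rsplit("/", 1)[1])
        if inv is None or inv["owner"] != user:
            return Response(404, "not found")  # same answer as "absent": no existence leak
        return Response(200, f"invoice owner={inv['owner']} total={inv['total']}")
    if method == "GET" and path == "/me":
        return Response(200, f"user={user}")
    return Response(404, "not found")


def diff_auth_test(app, recorded, token_a, token_b):
    """Replay user A's recorded requests as user B and as an anonymous client.

    A request is flagged when the other party gets the same successful
    response A got. Responses that legitimately depend on the caller
    (e.g. /me) differ in body and are therefore not flagged.
    """
    findings = []
    for method, path in recorded:
        base = app(method, path, token_a)
        if base.status != 200:
            continue
        for kind, tok in (("horizontal", token_b), ("anonymous", None)):
            other = app(method, path, tok)
            if other.status == 200 and other.body == base.body:
                findings.append({"method": method, "path": path, "kind": kind})
    return findings


def remediation_scan(app, findings, token_a, token_b):
    """Retest only the previously reported findings, not the whole application."""
    still_open = []
    for f in findings:
        tok = token_b if f["kind"] == "horizontal" else None
        base = app(f["method"], f["path"], token_a)
        other = app(f["method"], f["path"], tok)
        if other.status == 200 and other.body == base.body:
            still_open.append(f)
    return still_open


# Constructed crawl log: requests made while authenticated as user A (alice).
RECORDED = [("GET", "/me"), ("GET", "/invoices/1001")]

if __name__ == "__main__":
    found = diff_auth_test(vulnerable_app, RECORDED, "tok-alice", "tok-bob")
    print("initial findings:", found)
    print("still open after fix:", remediation_scan(fixed_app, found, "tok-alice", "tok-bob"))
```

Against a real target the two `app` functions would be replaced by HTTP calls carrying each account's cookie, and the body comparison would need to ignore per-request noise (CSRF tokens, timestamps) before responses are treated as identical; the structure of the test, and the reason the retest is cheap, stay the same.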
Static Testing

   •   Unlimited static scans
   •   Results verified
   •   Unlimited users

   Broad Support
     •   ABAP             •   ASP.NET              •   C#
     •   C/C++            •   Classic ASP          •   COBOL
     •   Cold Fusion      •   Flex                 •   HTML
     •   Java             •   JavaScript/AJAX      •   JSP
     •   Objective C      •   PHP                  •   PL/SQL
     •   Python           •   T-SQL                •   VB.NET
     •   VB6              •   VBScript             •   XML

   Powerful Remediation
     •   Insightful Analysis and Reports
     •   Collaboration Module

   Fast and Scalable
     •   1 Day Static Turnaround
     •   Virtual Scan Farm
Custom Testing

   •   Internal Penetration Testing
   •   External Penetration Testing
   •   Wireless Penetration Testing
   •   Physical Penetration Testing
   •   Social Engineering
   •   APT Breach Simulation
   •   Vulnerability Assessment

   •   Internal
   •   External
   •   Web Service
   •   Cloud

   •   Mobile Binaries
   •   Reverse Engineering
   •   Malware Analysis
   •   Threat Modeling
   •   Embedded Device Testing

   •   Manual Source Code Auditing in other languages
   •   Vulnerability Remediation
   •   SDLC Implementation & Auditing
   •   Secure Code Training
Technologies of




World Renowned Technologies

 •   Fortify SCA Engine: fully mapped taxonomy of all vulnerability categories (VulnCAT)
 •   HP WebInspect Engine: largest set of dynamic vulnerability checks, 8k+ (SecureBase)
 •   TippingPoint & ArcSight Vulnerability Intelligence: leaders in malware & 0-day research
Fortify SCA

 •   Detect more than 480 types of software security vulnerabilities across 20+
     development languages, the most in the industry.

 •   IDE integration for faster identification earlier in the development lifecycle

 •   Mobile application support: iPhone & Android

Features
     • Pinpoint root cause of vulnerabilities: line-of-code detail
     • Prioritize fixes sorted by risk severity
     • Detailed “fix” instructions, in the development language
HP WebInspect

 •   Largest security check database (8k+ dynamic checks)

 •   Independent research study showed WI to outperform other enterprise dynamic
     scanners in application coverage and scored 99.26% in injection accuracy.

 •   One of the only dynamic scanners to support web services and true REST APIs

Features
     • Can integrate with the server runtime to find more vulnerabilities, faster
       (Security Scope)
     • Easy and simple export of vulnerabilities to TippingPoint WAF
     • Powerful macro engine to navigate custom authentication or heavy use of AJAX

Source: http://www.sectoolmarket.com/
Behind the Curtain




Security Assessments by Security Professionals

   Assessment inputs (Web, Mobile, Thick Client, 3rd Party, Binary) pass through
   automated static/whitebox analysis and automated dynamic/blackbox analysis;
   engineers then perform false positive reduction, manual source code analysis,
   and full web/mobile application penetration testing.
Dynamic Process Flow
Static Process Flow
History
(Some) Team Members
 •   Daniel Miessler
       •   Methodology Guru (OWASP, WASC, WAHH)
       •   SecLists Project Maintainer

 •   Dennis Antunes
       •   Dynamic Assessment Lead

 •   Bucky Spires
       •   Mobile Assessment Lead

 •   Andre Gironda
       •   Sr. Application Tester

 •   Cash Turner
       •   Sr. Dynamic Application Tester

 •   Nick Childers
       •   Sr. Researcher and Application Tester
       •   Former Leader of Shellphish Defcon CTF Team

 •   Nick Denarski
       •   Metasploit Contributor and Trainer

 •   Brooks Garret
       •   DVWA Maintainer

 •   Kevin Lynn
       •   Sr. Application Tester
Community Contributions
Certifications
Repeatable, Highly Technical Methodologies

 •   Web Application Security Consortium (WASC)
 •   Open Web Application Security Project (OWASP)
 •   Penetration Testing Execution Standard (PTES)
 •   Web Application Hacker's Handbook (WAHH)

   Combined 7+ decades of practical application security testing experience
Success Stories




Leading By Example

 Over 1000 organizations worldwide have standardized on HP Fortify:

 •   9 of the top 10 major banks
 •   9 of the top 10 software companies
 •   All of the top 10 telecoms
 •   All major branches of U.S. DOD
 •   All 5 top insurance firms
 •   2 out of 4 top oil and gas companies
 •   Many top car manufacturers
 •   Big 4 accounting firms
Fortify & FoD Awards

   Dynamic Application Testing Leader; Static Application Testing Leader

     “At any given time, there are 200 to 300 zero day vulnerabilities only HP knows about”
A CTO’s Perspective on FoD
   “I was very impressed by the knowledge and the
   responsiveness of both the Fortify BU sales and delivery
   resources. They helped me in building the business case
   for Application security which was key in establishing
   client stakeholder support for this initiative. Besides, they
   also partnered with the account to conduct a PoC which
   helped showcase our capability to the client. I am very
   confident based on my own positive experience that
   anyone in the security officer role could benefit a lot by
   working closely with the Fortify team to introduce our
   Application security capabilities to their clients.”
Commonalities of Success, Developing a Winning SDLC

• Internal app security research
• External hacking research

   HP Fortify Solutions (static, dynamic and hybrid) across the lifecycle:

   •   Source code validation: Static Code Analysis in the IDE (SCA)
   •   QA & Integration Testing: Functional Test Integration
   •   Application Audit: Audit Static Code Analysis; Dynamic Penetration Testing
   •   Production Environment Assessment: Continuous Assessment
The Future of



Mobile Application Security

 •   More apps more problems
 •   Pentest like it’s 1999!
Next Step?

•   Contact me or David Nester
•   Discuss our group internally at HP
•   Schedule a PoV!
              David Nester (david.nester@hp.com)
             Jason Haddix (jason.haddix@hp.com)
Questions?

Fortify On Demand and ShadowLabs

Editor's Notes

  • #9 In today’s information-centric world, hackers are after data and business logic, which they can manipulate and control. You’re talking about stealing your Intellectual Property, your Customer Data (credit card, SSN, address, etc.), Business Processes and Trade Secrets. With software, protecting one point in the system is not sufficient. The whole pathway to the data must be secure. If there is any vulnerability along that path, then the entire system is vulnerable. Hackers are ingenious in discovering new pathways. Years ago, they started at the network and hardware levels, but we have been successful in handling the problem (grayed out area), so now they are going right to the app layer. This can be useful in explaining things like why encryption is not going to help you with app sec.