“Enterprise Software Security
For the real-world!”
Justin Derry
jderry@fortify.com
Enterprise Software Security
• Accenture
–What are we protecting and why?
–Case Studies & Examples
–Fortify: more than a “software vendor”!
–The Fortify platform
What are we protecting?
• It’s more than just about Money!
– Personal Information (Customer Data)
– Financial/Banking Information
– Company/Trade Secrets
– Corporate Data
• Consider this:
– Can your business operate without the use
of software on a daily basis?
– What would happen if your software just
stopped working one day?
Making the Case for Software Security
• Risk of a major data breach has increased 146% since 2001
• Cost of a data breach could be $11 Million US #1
• A breach will cost more than protecting against attack
• Attacks are focused at the Application Layer (> 76%, Gartner)
• NIST: 92% of vulnerabilities are in application code
• It’s not all about SQL Injection & Cross Site Scripting
• False sense of security: existing security gates don’t protect you
• 2009 expected to be the year of identity theft and a significant increase
in web based attacks for financial benefit
Heartland Payment Systems
• Very Late 2007 – SQL Injection via a customer facing web page in our
corporate (non-payments) environment. Bad guys were in our corporate
network.
• Early 2008 – Hired largest approved QSA to perform penetration testing
of corporate environment
• Spring 2008 – Learned of Sniffer Attack on Hannaford’s, Created a
Dedicated Chief Security Officer Position and filled that position
• April 30, 2008 – Passed 6th Consecutive “Annual Review” by Largest
QSA
• Very Late 2007 – Mid-May 2008 – Bad guys studied our corporate
network
• Mid-May 2008 – Penetration of our Payments Network
Heartland Events!
• Late October 2008 – Informed by a card brand that several issuers
suspected a potential breach of one or more processors. We received
sample fraud transactions to help us determine if there was a problem in
our payments network. A high percentage of these samples never
touched our payments network.
• No evidence could be found of an intrusion despite vigorous efforts by
HPS employees and then two forensics companies to find a problem.
• January 9, 2009 – We were told that “no problems were found” and that
a final report reflecting that opinion would be forthcoming within days.
• January 12, 2009 – January 20, 2009 – Learned of breach, notified card
brands, notified law enforcement and made public announcement.
Case Study – ANZ Bank
• What are the Drivers?
– PCI Compliance Obligations
– APRA Regulations & Requirements after review
– Software security threat ranked #3 risk on the Fortune 500
– Internal Risk Drivers
• Initial Steps
– Enablement of a new program called the “SAFE Program”
– Introduction of Developer Training throughout the organization
– “Adoption of Culture Change” critical
– Implementation of world class technology & Governance
ANZ Timeline of Events
ANZ Bank Integration & Technologies
• Platforms/Development Languages
– Microsoft .NET, Classic ASP, VB, C++
– Java, JSP, J2EE
– Mainframe languages (COBOL, C, etc.)
– All platforms such as Windows, UNIX, Linux, etc.
• Integration with Existing Technologies
– Quality Centre Integration
– Other bug tracking software (FindBugs, etc.)
– Build integration (Ant, Maven, CruiseControl, MSBuild)
– Web based delivery technologies (XML API, F360 Server)
Fortify: more than a software Vendor!
Multi Platforms, Technology
and Governance
Software Security Partner
Vision Guidance
• Creating a successful vision is hard, get help, or use the
recommended strategy online at www.opensamm.org
• SAMM (Software Assurance Maturity Model): the building
blocks for a successful Software Security Strategy
PCI Compliance
Quickly Demonstrate PCI Compliance
• Instantly Protect Deployed Applications
– Ensures compliance with PCI DSS Section 6.6
– Application defense module
• Identify and Remediate Vulnerabilities
– Ensures compliance with Sections 3, 6.3.7, 6.5, 6.6, 11.3.2
– View vulnerabilities in the context of PCI compliance
– Static and dynamic testing
• Complete Self-Assessment Questionnaire
– Assign responsibilities
– View outstanding activities
– Generate detailed reports to demonstrate PCI activities
Fortify 360 Platform
• Identify the Most Vulnerabilities
• Collaborate and Remediate more Code
• Instantly Protect Deployed Applications
• Effectively Manage SSA Programs
• Achieve Compliance Quickly
Vulnerability Detection
Identify the Most Vulnerabilities
Technology Support
SCA, PTA and RTA
• Static Analysis (Fortify 360 SCA)
– Microsoft .NET (all languages), Classic ASP, VB, COM
– C/C++
– Java, J2EE, JSF, JavaScript, etc.
– XML, HTML, other web technologies
– SQL (T-SQL/PSQL)
– ColdFusion, PHP, COBOL and more coming...
• Testing/Production (Fortify 360 RTA/PTA)
– Web based technologies only, supporting .NET and Java primarily,
with some minor other languages (CF)
Fortify Technology (diagram: Analysis, Result, Analysis Tracer, Source Code, Summary and details, API, List)
Reporting: What does it look like?
Open Discussion
• What is currently done during development lifecycles?
• How can/does Fortify integrate with and provide value to the
existing development practices within Accenture?
• How do customers benefit from having Fortify scanning as a
part of the development process?
• Technical Questions?

Editor's Notes

  • #11 Talk here a little about last year and what we talked about with SSA.