The document discusses web application security and securing the software development lifecycle. It notes that web applications are the top target of hackers, with many sites being vulnerable. It emphasizes that network defenses like firewalls are not enough, and that application security needs to be addressed throughout development. The document promotes IBM Rational products for automating security testing of web applications across the entire development lifecycle.
At VMworld 2012, Symantec announced new solutions and technical integrations with VMware across its entire product portfolio to ensure higher levels of protection for virtualized environments. Together, Symantec and VMware enable SMBs and enterprises to use the benefits of virtualization without compromising protection.
Symantec announced new offerings to create a trusted ecosystem of applications and partners to help businesses accelerate the execution of their mobility initiatives. The offerings include two new programs – the App Center Ready Program for application developers and the Mobility Solution Specialization Program for channel partners – as well as a single mobile suite spanning device management, application management and mobile security.
Symantec executes on its promise to offer innovative and comprehensive solutions to meet the many increasing security and performance needs for connected businesses. The company announces new offerings to its Website Security Solutions portfolio, featuring the first available multi-algorithm SSL certificates with additional ECC and DSA options. These offerings will help organizations build and protect their web ecosystems and strengthen the foundation of trust online. The WSS strategy focuses on protecting companies, meeting compliance requirements, improving performance and reducing infrastructure costs. The end result is to deliver trusted shopping, trusted advertising and trusted applications for businesses and their consumer customers.
BayThreat Why The Cloud Changes Everything (CloudPassage)
Subtitle: How I Learned to Stop Worrying and Get DevOps to Love Security
These slides are from a talk delivered by Rand Wacker at BayThreat 2011.
ABSTRACT: Take a look around, you might be surprised who is running servers in the cloud; you might be even more surprised about what they are running. Unfortunately, these people rarely if ever thought to tell the security teams, and that means big problems for us all. Securing servers in the cloud is different, very different, than in a traditional data center, but all the same risks are there. Let's start by understanding who is using the cloud, why it is so different, and what works and doesn't work from our typical security toolbox. Then let's try to solve some of those problems and come up with some best practices to help us and those we work with do what they need… securely.
It's 2012 and My Network Got Hacked - Omar Santos (santosomar)
Many times security professionals, network engineers, and management ask "why did I spend all this money on network security equipment if I still got hacked?" Often questions like these run through their minds: "Am I not buying the right security products? Am I not configuring or deploying them correctly? Do I have the right staff to run my network?" The security lifecycle requires measuring the current network state, creating a baseline and providing constant improvements. This presentation will cover several real-life case studies on how different network segments were compromised despite state-of-the-art network security technologies and products having been deployed. We will go over several security metrics that you should understand in order to better protect your network.
Omar Santos is an Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Omar has delivered numerous technical presentations at several venues, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of 4 Cisco Press books and two more in the works.
Microsoft System Center 2012: Delivering better IT Management (Intergen)
Presentation at Intergen's event: Delivering IT Performance across Devices, Data Centres and Clouds.
Understand how Microsoft System Center helps you to empower your people to use their devices and the applications they need to be productive, while maintaining corporate compliance and control. How do you manage the influx of devices, of various shapes, sizes, ownership and provenance, all while maintaining the compliance and data protection needs of your enterprise?
RSA 2012 Virtualization Security, February 2012 (Symantec)
At RSA 2012 Symantec and VMware announced five new security integrations with the VMware cloud infrastructure suite designed to deliver extensive protection for virtual and cloud environments along with operational cost savings. With new VMware integrations, Symantec enables joint customers to completely protect their virtual infrastructure and business-critical applications with data loss prevention, IT risk and compliance, data center protection, security information and event management (SIEM) and endpoint protection solutions – delivering unparalleled security, scalability and cost reductions for rapid services delivery and enhanced business agility for the cloud.
Setting up a secure development life cycle with OWASP - seba deleersnyder (Sebastien Deleersnyder)
Using the OWASP Software Assurance Maturity Model (OpenSAMM) as a framework, this talk covers the major application security controls of a secure development lifecycle program as provided by OWASP. Featured OWASP open source material include: OWASP guidelines and tools such as ESAPI, ZAProxy, as well as educational resources.
SIEMLESS Integrated Security Service in Cloud Environments, Alert Logic - 채현주, Head of Security Technology Division, Openbase :: AWS Sum... (Amazon Web Services Korea)
Sponsor session | SIEMLESS Integrated Security Service in Cloud Environments, Alert Logic
채현주, Head of Security Technology Division, Openbase
The wide range of services in cloud environments is making the work of securing assets ever more complex. Approaching cloud security the way it was done on-premises wastes both budget and resources, and cannot keep pace with the speed of technological change. This session examines the security characteristics of cloud environments, offers guidance for building an efficient security system, and introduces Alert Logic's security services, which can be used immediately without specialist security expertise or a self-built security system.
Secure & Automate AWS Deployments with Next-Generation on Security (Amazon Web Services)
Building seamless, consistent security policies across on-premises and cloud IT environments can be challenging without comprehensive workload visibility. Palo Alto Networks provides organizations with the visibility and automation needed to create and update security policies in your cloud environment in real time. Learn how you can gain greater control over your applications, automatically create consistent and uniform security policies, and prevent known and unknown threats within application flows.
Michael South, AWS Security Acceleration Business Development
Matt McLimans, Public Cloud Consultant Engineer, Palo Alto Networks
Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro
VSD Infotech (VSDi) is a technology services company specializing in Information Security Services and Networking solutions. We have been working with leaders in the Infrastructure management space, through a hybrid model combining technology and human expertise.
We offer a complete range of IT Services to our customers, focussing on delivery, technology and process excellence in providing top-notch infrastructure management and information security services.
IBM Security Strategy Intelligence, Integration and Expertise
by Marc van Zadelhoff, VP, WW Strategy and Product Management and Joe Ruthven IBM MEA Security Leader
Accelerated Threat Detection: Alert Logic and AWS - DEM02-R - AWS re:Inforce ... (Amazon Web Services)
Over the last 7 years, Alert Logic has helped AWS customers achieve enhanced security and peace of mind. Learn how positive security outcomes are attained by combining human expertise and the latest in AWS security in this engaging session with Jack Danahy, SVP of Security at Alert Logic, and Zach Vinduska, VP of IT Infrastructure and Security at ClubCorp. Hear real-world examples of how expert defenders in Alert Logic’s 24/7 Security Operations Center can help you quickly detect threats, verify them as incidents, and support you in responding quickly and effectively.
2. IBM Software Group | Rational software
Agenda
Web Application Security Issues
Web Application Security Model
Application Security and Software development
Application Security Maturity Model
Application Security Today
“Web application vulnerabilities accounted for 69% of vulnerabilities disclosed between July 2005 and June 2006” (Gartner)
“64% of developers are not confident in their ability to write secure applications” (Microsoft Developer Research)
“70% of companies today are NOT applying secure application development techniques in their software development practices” (Aberdeen Group, May 2007)
“90% of applications, when tested, are vulnerable” (Watchfire)
The Reality: Security and Spending Are Unbalanced
(Chart: share of attacks vs. share of information-security spending, by layer)
% of attacks: web applications 75%; network and server 25%
% of dollars: web applications 10%; network and server 90%
75% of all attacks on information security are directed at the web application layer
2/3 of all web applications are vulnerable
Sources: Gartner, Watchfire
Why Application Security is a High Priority
Web applications are the #1 focus of hackers:
75% of attacks at Application layer (Gartner)
XSS and SQL Injection are #1 and #2 reported vulnerabilities (Mitre)
Most sites are vulnerable:
90% of sites are vulnerable to application attacks (Watchfire)
78% of easily exploitable vulnerabilities affected Web applications (Symantec)
80% of organizations will experience an application security incident by 2010 (Gartner)
Web applications are high value targets for hackers:
Customer data, credit cards, ID theft, fraud, site defacement, etc
Compliance requirements:
Payment Card Industry (PCI) standards, GLBA, HIPAA, FISMA
The Myth: “Our Site Is Safe”
We have firewalls in place
We audit it once a quarter with pen testers
We use network vulnerability scanners
Network Defenses for Web Applications
(Diagram: the controls at the security perimeter in front of a web application)
Perimeter firewall
IDS (intrusion detection system)
IPS (intrusion prevention system)
Application firewall
Security information and event management (SIEM)
12 Most Frequent Hacker Attacks
Cookie Poisoning
Hidden Field Manipulation
Parameter Tampering
Buffer Overflow
Cross-site Scripting
Backup and Debug Options
Forceful Browsing
HTTP Response Splitting
Stealth commanding
3rd Party Misconfiguration
Known vulnerabilities
XML & Web service vulnerabilities
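Two of the attacks in this list, hidden field manipulation and HTTP response splitting, shown as a vulnerable request handler beside its hardened form. This is an added example, not code from the IBM Rational deck or from AppScan; the catalogue, SKUs, prices, request bodies and function names are all constructed for illustration.

```python
"""Added example (not from the deck): hidden field manipulation and HTTP
response splitting, vulnerable vs. hardened. The shop, prices and requests
below are constructed for illustration."""
from urllib.parse import parse_qs, quote

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"sku-100": 49.99, "sku-200": 120.00}


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# --- Hidden field manipulation --------------------------------------------
def checkout_vulnerable(body: str) -> float:
    """Trusts the <input type="hidden" name="price"> the browser sent back.
    Anything the client sends can be edited in a proxy, so the price is
    attacker-controlled."""
    form = parse_form(body)
    return float(form["price"]) * int(form["qty"])


def checkout_hardened(body: str) -> float:
    """Looks the price up server-side by SKU and validates the quantity.
    The hidden field is never read."""
    form = parse_form(body)
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


# --- HTTP response splitting ----------------------------------------------
def redirect_vulnerable(lang: str) -> str:
    """Builds a 302 by string concatenation. A CR/LF inside `lang` terminates
    the Location header and lets the attacker append headers and a body."""
    return "HTTP/1.1 302 Found\r\nLocation: /home?lang=" + lang + "\r\n\r\n"


def redirect_hardened(lang: str) -> str:
    """Rejects control characters outright and percent-encodes the value, so
    the header can never contain a raw CR or LF."""
    if any(c in lang for c in "\r\n\0"):
        raise ValueError("control character in header value")
    return ("HTTP/1.1 302 Found\r\nLocation: /home?lang="
            + quote(lang, safe="") + "\r\n\r\n")


def header_count(raw_response: str) -> int:
    """Number of header lines in a raw response; used to show the split."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    return len(head.split("\r\n")) - 1  # minus the status line


if __name__ == "__main__":
    tampered = "sku=sku-200&qty=2&price=0.01"
    print(checkout_vulnerable(tampered))  # 0.02: the attacker chose the price
    print(checkout_hardened(tampered))    # 240.0: the server chose the price
    payload = "en\r\nSet-Cookie: session=attacker\r\n\r\n<html>phish</html>"
    print(header_count(redirect_vulnerable(payload)))  # 2: Location + injected Set-Cookie
    print(header_count(redirect_hardened("en")))       # 1
```

The two fixes are the same idea applied at different points: the server decides prices from its own data rather than from what the browser echoes back, and a header value is validated and encoded before it is ever concatenated into the response.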
Going Beyond Pointing out Security Problems
Web Application Environment
(Diagram: each layer of the stack and the class of scanner that covers it)
Web application / web services: web application scanners
Web server / operating system: network scanners and host scanners
Database: database scanners
Network vs. Application Security: Complementary
Info Security Landscape
Desktop: antivirus protection
Transport: encryption (SSL)
Network: firewalls / advanced routers
Web applications: application firewall
Backend servers: databases, web servers
Network and application security solutions address different problems (ISS on the network side, Rational AppScan on the web application side).
High Level Web App. Architecture Review
(Diagram: Internet → firewall → client tier (browser) → SSL → app server (presentation, business logic) → database)
Client tier: browser
Middle tier: app server (presentation and business logic); the app is deployed here
Data tier: database; sensitive customer data is stored here
SSL protects the transport and the firewall protects the network; nothing in this picture protects the middle or data tier.
Why Application Security Problems Exist
Root cause
Developers are not trained to write or test for secure code.
Firewalls and IPSs don't block application attacks: port 80 is wide open for attack.
Network scanners (Nessus, ISS, Qualys, Nmap, etc.) won't find application vulnerabilities.
Network security (firewall, IDS, etc.) does nothing for an application once an organization web-enables it.
Current state
Organizations test tactically at a late and costly stage in the development process.
A communication gap exists between security and development, so vulnerabilities are not fixed.
Testing coverage is incomplete.
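To make the "port 80 is wide open" point concrete, here is an added example (not from the deck) of a SQL injection carried in a syntactically ordinary GET that a port-based packet filter has to allow, beside the application-level fix. The in-memory SQLite table, the users in it, the requests and the function names are all constructed for illustration.

```python
"""Added example (not from the deck): a SQL injection that rides a normal
HTTP request on port 80. The filter sees a port and a request line; only
the application can tell a benign parameter from an injected one."""
import sqlite3
from urllib.parse import parse_qs, urlsplit


def port_filter_allows(request_line: str, dst_port: int) -> bool:
    """What a stateful packet filter has to go on: a TCP destination port and,
    at most, a well-formed HTTP request line. It has no notion of SQL."""
    method, _, version = request_line.split(" ")
    return (dst_port in (80, 443) and method in ("GET", "POST")
            and version.startswith("HTTP/1."))


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "customer"), (2, "bob", "customer"), (3, "carol", "admin")],
    )
    return con


def query_param(request_line: str, name: str) -> str:
    """Pull one query-string parameter out of the request line."""
    target = request_line.split(" ")[1]
    return parse_qs(urlsplit(target).query).get(name, [""])[0]


def lookup_vulnerable(con: sqlite3.Connection, request_line: str) -> list:
    """String-builds the SQL, so the id parameter is interpreted as code."""
    user_id = query_param(request_line, "id")
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in con.execute(sql)]


def lookup_hardened(con: sqlite3.Connection, request_line: str) -> list:
    """Validates the type and binds the value as a parameter; the driver
    never parses the value as SQL."""
    raw = query_param(request_line, "id")
    if not raw.isdigit():
        raise ValueError("id must be an integer")
    rows = con.execute("SELECT name FROM users WHERE id = ?", (int(raw),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = make_db()
    benign = "GET /user?id=1 HTTP/1.1"
    attack = "GET /user?id=1%20OR%201%3D1 HTTP/1.1"  # id = "1 OR 1=1"
    print(port_filter_allows(attack, 80))   # True: the firewall passes it
    print(lookup_vulnerable(con, benign))   # ['alice']
    print(lookup_vulnerable(con, attack))   # ['alice', 'bob', 'carol']: table dumped
    print(lookup_hardened(con, benign))     # ['alice']
    try:
        lookup_hardened(con, attack)
    except ValueError as err:
        print("rejected:", err)
```

The attack request is indistinguishable from legitimate traffic at the network layer: same port, same method, same protocol version. A network scanner run against this host would likewise report an open port 80 and nothing more, which is the point the slide makes about Nessus, Nmap and their peers.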
Building Security & Compliance into the SDLC
(Diagram: SDLC stages Coding → Build → QA → Security → Production, with the role of developers and security at each stage)
Enable developers to effectively drive remediation into development
Provide developers and testers with expertise on detection and remediation ability
Ensure vulnerabilities are addressed before applications are put into production
Application Security Maturity Model
(Chart: maturity over time, duration 2-3 years; phases Blissful Ignorance → Awareness Phase → Corrective Phase → Operations Excellence Phase, weighted 10% / 30% / 30% / 30%)
Reduced Costs, Increased Coverage
(Chart: cost per application tested vs. application coverage from 0% to 100%; from external security testing at low coverage and high cost, through internal tactical and strategic testing, to operationalized testing at the highest coverage and lowest cost)
IBM Rational Application Security Testing Products
AppScan Enterprise: Web Application Security Testing Across the SDLC
Application development: test applications as developed
Quality assurance: test applications as part of the QA process
Security audit: test applications before deployment
Production monitoring: monitor or re-audit deployed applications
IBM Rational in the IBM Security Portfolio
1 – Where are you? Assess: understand customer security needs and security exposures (Watchfire solutions)
2 – Keep the bad guys OUT! Defend: preemptively protect the enterprise against threats to the infrastructure, confidential data and services (Watchfire solutions)
3 – Let the good guys IN! Access: manage and control user identities and access privileges
4 – Monitor and fix! Monitor: centrally manage security events, report on security posture, remediate
Bad Press Decreases Shareholder Value
One-day market cap drop of $200M
Build Better and More Secure Applications/Websites
Improve business integrity before you go live: address security issues during the development cycle, before applications go live, where business risk is magnified and costs to remediate are high.
Reduce application costs by automating manual processes: automate accurate detection of vulnerability and compliance issues, and their remediation, throughout the entire web application lifecycle, from development into operations.
Comply with government regulations and industry security requirements: incorporates the most comprehensive compliance reporting solution, which generates 41 out-of-the-box regulatory compliance templates and reports.
Provide a ‘core to perimeter’ view into enterprise security: add web-application security and compliance testing to network-level offerings.
IBM Rational AppScan® automates web application security audits to help ensure the security and compliance of web applications.