© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Is your software secure?
HP Fortify Application Security
VII konferencja Secure 2013
Warsaw - October 9, 2013
Gunner Winkenwerder
Sales Manager Fortify CEE, Russia & CIS
HP Enterprise Security
+49 (172) 443 7795
Skype: GCHW-HPESP
Threats and risks are expanding in frequency, intensity and sophistication
Why Software Is Attacked
Root cause of security problems
• Gartner – 82% of breaches due to security flaws in software
• NIST – 92% of vulnerabilities are in software
• RSA 2013 – 86% of successful breaches happen on application layer
• Cenzic – 99% of web applications are vulnerable to attack
• Yet, 90% of security spending is on perimeter protection
Defender's objective: protect everything – intellectual property, customer data and business processes across hardware, network, software & data.
Attacker's objective: exploit one vulnerability.
The Growing Cost of Cyber Crime!
Despite widespread awareness of the impact of cyber crime, cyber attacks continue to occur more
frequently and result in serious financial consequences. The HP Ponemon 2012 Cost of Cyber Crime
Study revealed that cyber attacks have more than doubled and the financial impact has increased
by nearly 40 percent in a three year period. At HP, we believe a better understanding of the cost of
cyber crime can assist organizations in taking proactive measures to identify, combat and mitigate
the potentially devastating consequences of an attack.
Cyber threats and risks are expanding in:
• Frequency
• Intensity
• Sophistication
When should we address software security?
Fortify Application Security Assessments
Delivery Options
• On Premise: HP Fortify SSC
• On Demand: HP Fortify on Demand
Continuous Security Research (SRG, DV Labs etc.)
Update the Fortify/ESP Secure Coding Rulepacks on a quarterly basis to identify the latest categories of software vulnerabilities
Growth in Vulnerability Categories
2005 – 2013, 563 Categories to Date
Command Injection
LDAP Injection
Privacy Violation
Cross-Build Injection
Session Fixation
Cross-Site Request Forgery
SQL Injection
Cross-Site Scripting
System Information Leak
HTTP Response Split
Unhandled Exception
JavaScript Hijacking
For a complete list go to:
www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html
21 Supported Programming Languages
SCA, Binary & FoD
• ABAP *
• ActionScript
• ASP
• .NET
• Java
• C
• C++
• C#
• COBOL *
• ColdFusion *
• T-SQL
• PL/SQL
• JavaScript/AJAX, XML/HTML
• Classic ASP
• JSP
• PHP
• Python *
• VB.NET
• VBScript
• VB6
• Objective-C (iOS)
…plus more than 720,000 supported APIs/frameworks…
HP Fortify Source Code Analyzer (SCA)
Best-Practice Implementation (Example)
Roles (Security and Development Teams): CISO, Project Security Lead, Security Tester, Development Manager, Developer – each working in Audit Workbench (AWB) against the Fortify SSC Server.
Components: Source Code Repository(s), Central Build Server(s) with Build Tool running Fortify SCA, Fortify SSC, Bug Tracker.
Workflow: 1. Identify – 2. Audit – 3. Assign – 4. Fix – 5. Validate for Release; Monitor; Repeat.
Innovation Driven by Major Customer Deployments
E-commerce & Retail
Banking & Finance
Telco & Energy
Public & Government
Infrastructure
Healthcare
HP Fortify is Leader in Application Security Testing
Gartner Magic Quadrant 2013
“HP offers comprehensive SAST capabilities with Fortify's strong brand name and breadth of languages tested. The company has innovative IAST capability with Fortify SecurityScope, which integrates with its WebInspect DAST. There is strong integration within HP's security portfolio, such as integration of AST knowledge into ArcSight and DAST knowledge into TippingPoint's IPS for WAF-like protection. HP uniquely offers runtime application self-protection (RASP) technology (see "Runtime Application Self-Protection: A Must-Have, Emerging Security
Sneak Preview: Look & Feel HP Fortify SCA - Audit Workbench (AWB) &
The Scanning Process
…waiting until the scan is completely finished…
Auditing (AWB and IDE) - Overview
Issue Groups
Filtering
Prioritization
Categorization
Functions and Rule-writing wizard (only in AWB)
Auditing (AWB and IDE) – Trace the issue
Diagram
Analysis Trace
Source code
Auditing (AWB and IDE) - Result
Store Analysis
See other comments and make comments yourself
Detailed description of the issue
Detailed recommendation to fix the issue
HP Fortify Software Security Center
WebInspect (GUI)
Start remediation of vulnerabilities immediately
Live scan visualization:
• Live Scan Dashboard
• Site tree
• Vulnerabilities found in application
• Excluded and Allowed Hosts section
• Detailed Attack Table
• Live Scan Statistics
Fortify my Application
HP Fortify on Demand (FoD) assessment services is offering a
limited free trial where customers can get an example Java
code of theirs assessed free of charge.
The free FoD is out of California but is accessible from
anywhere.
The following are the limitations on the free version:
• Up to 5 assessments per month
• Java and .Net only
• Up to 75 MB per assessment
• Cross-Site Scripting (up to 10 vulnerabilities)
Access: https://www.fortifymyapp.com