Is your software secure?


(1)

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Is your software secure?

HP Fortify Application Security

VII konferencja Secure 2013

Warsaw - October 9, 2013

Gunner Winkenwerder

Sales Manager Fortify CEE, Russia & CIS

HP Enterprise Security

+49 (172) 443 7795

Skype: GCHW-HPESP

(2)


Threats and risks are expanding in frequency, intensity and sophistication

(3)


Why Software Is Attacked

Root cause of security problems

• Gartner – 82% of breaches due to security flaws in software

• NIST – 92% of vulnerabilities are in software

• RSA 2013 – 86% of successful breaches happen at the application layer

• Cenzic – 99% of web applications are vulnerable to attack

• Yet, 90% of security spending is on perimeter protection

The asymmetry between defender and attacker:

Defender's objective: protect everything (intellectual property, customer data, business processes) across hardware, network, software and data.

Attacker's objective: exploit one vulnerability.

(4)


The Growing Cost of Cyber Crime!

Despite widespread awareness of the impact of cyber crime, cyber attacks continue to occur more frequently and result in serious financial consequences. The HP Ponemon 2012 Cost of Cyber Crime Study revealed that cyber attacks have more than doubled and the financial impact has increased by nearly 40 percent in a three-year period. At HP, we believe a better understanding of the cost of cyber crime can assist organizations in taking proactive measures to identify, combat and mitigate the potentially devastating consequences of an attack.

Cyber threats and risks are expanding in:

Frequency

Intensity

Sophistication

(5)


When should we address software security?

(6)


(7)


Fortify Application Security Assessments

Delivery Options:

On Premise – HP Fortify SSC (Software Security Center)

On Demand – HP Fortify on Demand

(8)


Continuous Security Research (SRG, DV Labs etc.)

The Fortify/ESP Secure Coding Rulepacks are updated on a quarterly basis to identify the latest categories of software vulnerabilities.

Growth in Vulnerability Categories

2005 – 2013, 563 Categories to Date

Command Injection

LDAP Injection

Privacy Violation

Cross-Build Injection

Session Fixation

Cross-Site Request Forgery

SQL Injection

Cross-Site Scripting

System Information Leak

HTTP Response Split

Unhandled Exception

JavaScript Hijacking

For a complete list go to:

www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html

21 Supported Programming Languages (SCA, Binary & FoD)

ABAP*, ActionScript, ASP, .NET, Java, C, C++, C#, COBOL*, ColdFusion*, T-SQL, PL/SQL, JavaScript/AJAX, XML/HTML, Classic ASP, JSP, PHP, Python*, VB.NET, VBScript, VB6, Objective-C (iOS)

…plus more than 720,000 supported APIs/frameworks…

(9)


HP Fortify Source Code Analyzer (SCA)

(10)


Best-Practice Implementation (Example)

Roles: CISO, Project Security Lead, Security Tester, Development Manager, Developer (security and development teams).

Components: Source Code Repository(s) feeding Central Build Server(s) that run Fortify SCA from the build tool; Fortify SSC Server as the central store of results; Audit Workbench (AWB) for auditing; Bug Tracker for assigning fixes.

Workflow: 1. Identify (scan on the build server) – 2. Audit (AWB/SSC) – 3. Assign (bug tracker) – 4. Fix – 5. Validate for Release; Monitor and Repeat.

(11)


Innovation Driven by Major Customer Deployments

E-commerce & Retail

Banking & Finance

Telco & Energy

Public & Government

Infrastructure

Healthcare

(12)


HP Fortify is a Leader in Application Security Testing

Gartner Magic Quadrant 2013

“HP offers comprehensive SAST capabilities with Fortify's strong brand name and breadth of languages tested. The company has innovative IAST capability with Fortify SecurityScope, which integrates with its WebInspect DAST. There is strong integration within HP's security portfolio, such as integration of AST knowledge into ArcSight and DAST knowledge into TippingPoint's IPS for WAF-like protection. HP uniquely offers runtime application self-protection (RASP) technology (see "Runtime Application Self-Protection: A Must-Have, Emerging Security

(13)


Sneak Preview:

Look & Feel of HP Fortify SCA - Audit Workbench (AWB) &

(14)


The Scanning Process

…waiting until the scan is completely finished…

(15)


Auditing (AWB and IDE) - Overview

Issue groups

Filtering

Prioritization

Categorization

Functions and rule-writing wizard (only in AWB)

(16)


Auditing (AWB and IDE) – Trace the issue

Analysis trace (source to sink) alongside the source code

(17)


Auditing (AWB and IDE) - Result

Store the analysis; see other auditors' comments and add your own

(18)


Detailed description of the issue

(19)


Detailed recommendation to fix the issue
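The slides above show an analysis trace from an untrusted source to a dangerous sink, followed by a recommendation. As an added example that is not from the HP deck, the following Java class shows the two dataflows such a trace typically reports, SQL Injection and Cross-Site Scripting (the category the free FoD trial on a later slide is limited to), each next to the hardened form a fix recommendation would point to. The class, method names and the `users` table are hypothetical; to keep the example dependency-free the taint source is simulated as a method parameter rather than `HttpServletRequest.getParameter()`, and the JDBC `Connection` is assumed to be supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not code from the HP deck. Names are hypothetical.
public class UserLookup {

    // SOURCE: in a servlet the analyzer would mark
    // HttpServletRequest.getParameter("user") as the taint source;
    // here the untrusted value is simulated as the parameter.
    // Trace: username -> string concatenation -> Statement.executeQuery()
    static String buildUnsafeQuery(String username) {
        return "SELECT role FROM users WHERE name = '" + username + "'";
    }

    // SINK: executeQuery() on a concatenated string (reported as SQL Injection).
    static String findRoleUnsafe(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeQuery(username))) {
            return rs.next() ? rs.getString("role") : null;
        }
    }

    // Hardened form: the value is bound as a parameter, so it is always data
    // and is never parsed as SQL, whatever it contains.
    static String findRoleSafe(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT role FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("role") : null;
            }
        }
    }

    // The same untrusted value written into an HTML response body
    // (reported as Cross-Site Scripting, reflected).
    static String renderUnsafe(String username) {
        return "<p>Welcome, " + username + "</p>";
    }

    // Hardened form: HTML-entity encode before the value reaches the response.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String renderSafe(String username) {
        return "<p>Welcome, " + escapeHtml(username) + "</p>";
    }

    // Constructed attacker payloads, to show what reaches each sink when the
    // value is attacker-controlled. Running the JDBC methods needs a real
    // Connection, so main only shows the query text and the rendered HTML.
    public static void main(String[] args) {
        String sqlPayload = "' OR '1'='1";
        String xssPayload = "<script>alert(document.cookie)</script>";
        System.out.println(buildUnsafeQuery(sqlPayload));
        System.out.println(renderUnsafe(xssPayload));
        System.out.println(renderSafe(xssPayload));
    }
}
```

Compile and run with `javac UserLookup.java && java UserLookup`. The first line printed is the query the injected value turns into, with the `WHERE` clause made unconditionally true; this is the path the analysis trace highlights, and the `PreparedStatement` version is what the recommendation panel asks for.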

(20)


HP Fortify Software Security Center

WebInspect (GUI)

(21)


Start remediation of vulnerabilities immediately

Live scan visualization:

Live Scan Dashboard

Site tree

Vulnerabilities found in application

Excluded and Allowed Hosts section

Detailed Attack Table

Live Scan Statistics

(22)


Fortify my Application

HP Fortify on Demand (FoD) assessment services offers a limited free trial in which customers can have a sample of their own Java code assessed free of charge.

The free FoD service is hosted in California but is accessible from anywhere.

The free version has the following limitations:

Up to 5 assessments per month

Java and .NET only

Up to 75 MB per assessment

Cross-Site Scripting only (up to 10 vulnerabilities reported)

Access:

https://www.fortifymyapp.com

(23)


Gunner Winkenwerder

Sales Manager Fortify CEE, Russia & CIS

HP Enterprise Security

+49 (172) 443 7795

Skype: GCHW-HPESP

gunnner.winkenwerder@hp.com
