© Copyright 2015 Vivit Worldwide
Be Fast, but be Secure—a New Approach to Application Security
Hosted by: Paul Peissner
Today's Speakers:
• Cindy Blake, Product Marketing Manager, HP Software
• Gerben Verstraete, Chief Technologist Professional Services, HP Software
Housekeeping
• This "LIVE" session is being recorded; recordings are available to all Vivit members
• Session Q&A: submit questions through the Questions pane of the webinar control panel
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Be fast but be secure
A new approach to application security
Cindy Blake and Gerben Verstraete/ July 2015
#AppDefender
Velocity is the new normal – hybrid delivery is the key, and you had better get it right
• 1 trillion applications by 2020
• 100 billion connected devices in 2020
• 30x increase in the number of apps
• 46% of organizations using agile
• 50% of apps deleted upon finding a bug
• 84% of breaches at the app layer
• 3 seconds before a user abandons an app
• 37% of organizations host apps externally
• 50% of businesses expect to be digital within 24 months
• 30% cost reduction for business operations by smart machines by 2018
• 25+ releases per quarter per app by 2020
• 43% of projects delivered business value the first time
• 81% of IT organizations believe cloud provides competitive solutions for IT
• 1 of every $5 spent on packaged software will
The number of apps is growing
• In-house development
• Legacy software
• Open source
• Outsourced
• Commercial
• Production
Current solutions protect the perimeter
The ratio of spending between
perimeter security and
application security is 23-to-1.
Joseph Feiman, Gartner analyst
Maverick* Research: Stop Protecting Your Apps: It’s Time for Apps to Protect
Themselves, Sept 25, 2014
Challenges to overcome
Lack of visibility
• Business damage in the form of productivity losses
• Infrastructure performance events are not seen in the context of security events
• Disparate data sources and management systems limit an organization's ability to understand the impact of anomalies
• Devices and device components move in and out of the infrastructure unnoticed
Inability to pinpoint
• Responding to and resolving incidents is both time consuming and costly
• Lack of integrated data sources and a true understanding of the business impact
• Limited ability to respond to new vulnerabilities and threats
Comprehensive malicious code attacks
• Securing complex applications (legacy and modern) is challenged by business pressures
• Borderless consumption models of applications in the cloud and across mobile platforms
• Security as an afterthought, not fully embedded in the entire application lifecycle
Governance and compliance
• No integrated approach to keep service infrastructure compliant with releases across a global infrastructure
• Cumbersome processes to meet audit requirements and reporting capabilities
• Security has built a silo within many organizations, not integrating as a "partner" across the lifecycle
IT Value Chain
• Strategy to Portfolio: drive the IT portfolio to business innovation
• Requirement to Deploy: build what the business wants, when it wants it
• Request to Fulfill: catalog, fulfill, and manage services and track usage
• Detect to Correct: anticipate and resolve service issues
Security has to be embedded in "everything" IT does
Lifecycle stages: Plan, Dev, Test, Operate
Stakeholders across those stages: LOB, PMO, EA, Dev, Testers, IT Engineers, IT Ops, Users
Traditional NOCs and SOCs will need to converge
See everything, understand context, act: proactive risk reduction
IT Operations: Performance & Availability, User Management, App Lifecycle Mgmt, Operations Mgmt, Network Mgmt
IT Security: User Provisioning, Identity & Access Mgmt, Application Security, Database Encryption, Anti-Virus/Endpoint, Firewall/Email Security
Key focus areas
• Security Asset Lifecycle Management – Proactive Exposure Analyses: continuously discover what you have in order to protect your applications
• Augmented Cyber Operations – Detect, Contain and Prioritize: continuous Security and IT Operations, correlating events and understanding business context
• Secure Application Lifecycle Management – Design Secure: continuous development and testing with integrated security
• Security Compliance & Automated Remediation – Prevent and Respond: continuously manage compliance across complex services infrastructures, with automated event remediation
Continuous Application Security
HP App Defender across application development: Scan it, Test it, Defend it
Application Security Testing
Application Security Testing is a best practice, but remediation before production is difficult to implement: typically three weeks or more to remediation.
• Application security talent is very difficult to find
• Processes need to be defined so that everything is standardized and efficient
• Developers are not measured on thinking about security
Common challenges to removing software
vulnerabilities
• You lack access to the code of critical applications
• Your security scan just found 100+ app vulnerabilities – where to begin?
• Your vendor told you a patch will be ready in 3 months
• You have no idea what vulnerabilities you have
• Your app is end-of-life and you really do not want to invest the resources
• Developer resources are constrained
Source: HP Cyber Risk Report, 2015
Maximum Days to Announce Remediation
“We were hoping that critical vulnerabilities would be the fastest to fix. Interestingly, this was not
always the case. One possible reason could be that most organizations tend to fix and verify all
critical and high vulnerabilities first. Hence, the developers could be prioritizing their tasks from
a single bucket based on the ease of completing the task, rather than the severity of the issue.”
Traditional approaches rely on Web Application Firewalls (WAFs)
Over-the-wire protection works well until it is bypassed: tools are available that exploit the WAF's signature-based approach (an example was presented at BlackHat 2012), and more. See the RASP vs WAF study by the SANS Institute.
When does it make sense to rely on RASP?
As a virtual patch:
• You lack access to the code of critical applications
• Your security scan just found 100+ app vulnerabilities
• Your vendor told you a patch will be ready in 3 months
• You have no idea what vulnerabilities you have
• Time to market pressure
For defense in depth
Security can be agile…
You can deliver software quickly and without compromise using continuous, integrated, and automated methods for overall application health. Fail forward with known security vulnerabilities: let HP Application Defender protect those vulnerabilities with compensating controls while you remediate the code.
Without compromising performance
Rapid application development is difficult when juggling application performance and secure coding. Confidently deploy your RASP solution with granular and transparent performance metrics; let HP App Pulse show you how. Model your defense pre-production to confidently predict load and performance.
Try them both for free: the App Pulse free trial and the App Defender free trial.
Application Defender Technology
Inside the application server, the agent works as follows: a rule (<Rule>) names a program point in the target program; when execution reaches that point, a monitor event is raised; the event passes through an event handler chain, and each event handler applies an action, such as writing to the log.
Application Defender – integrated with your NOC\SOC
The same agent pipeline (rule, program point in the target program, monitor event, event handler chain, action, log) forwards its events to the NOC\SOC operations tooling of your choice: Operations Bridge (OMi), ArcSight ESM, or AppView.
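The two slides above, the WAF-bypass point and the agent pipeline (rule, program point, monitor event, event handler chain, action), are easier to see side by side in code. The following is an added example written for this page; it is not HP's code and does not reproduce how Application Defender is implemented. The WAF signatures, the rule name "SQL Injection", the program-point label, the handler names and the two-row users table are all constructed for the illustration, and the injection rule (a user-supplied value should occupy a single SQL token at the sink) is one common RASP heuristic, not necessarily the one the product uses.

```python
"""Added illustration (not HP code): a signature check over the wire versus an
in-application (RASP-style) check at the SQL sink. All names and data are invented."""
import re
import sqlite3
import urllib.parse
from dataclasses import dataclass, field

# Constructed sample data: a two-row users table in an in-memory SQLite DB.
CONN = sqlite3.connect(":memory:")
CONN.executescript(
    "CREATE TABLE users(id INTEGER, name TEXT);"
    "INSERT INTO users VALUES (1, 'alice'), (2, 'admin');"
)

# --- Over-the-wire check: pattern-match the (once-decoded) request, as a WAF would ---
WAF_SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\s+select\b",      # hypothetical signature
    r"'\s*or\s+1\s*=\s*1",      # hypothetical signature: the textbook ' or 1=1
)]

def waf_allows(raw_query_string: str) -> bool:
    decoded = urllib.parse.unquote(raw_query_string)
    return not any(sig.search(decoded) for sig in WAF_SIGNATURES)

# --- In-application check: rule -> program point -> monitor event -> handler chain -> action ---
@dataclass
class MonitorEvent:
    rule: str
    program_point: str          # where in the target program the agent hooked
    sql: str
    tainted: str                # the untrusted value that reached the sink
    actions: list = field(default_factory=list)

class Blocked(Exception):
    pass

EVENT_LOG: list[MonitorEvent] = []

def log_action(ev: MonitorEvent) -> None:
    ev.actions.append("log")
    EVENT_LOG.append(ev)

def block_action(ev: MonitorEvent) -> None:
    ev.actions.append("block")
    raise Blocked(f"{ev.rule} at {ev.program_point}")

HANDLER_CHAIN = [log_action, block_action]   # a monitor-only mode would omit block_action

TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|<=|>=|<>|!=|[^\s\w]")

def spans_multiple_tokens(sql: str, tainted: str) -> bool:
    """The injection rule: a user-supplied value should land inside one SQL token
    (a string literal or a number). If it touches more than one token it has changed
    the statement's structure. A value escaped or transformed before the sink is not
    located verbatim and is treated as clean (a limitation of this toy; real agents
    track taint through transformations)."""
    start = sql.find(tainted)
    if start < 0:
        return False
    end = start + len(tainted)
    touched = [m for m in TOKEN_RE.finditer(sql) if m.start() < end and m.end() > start]
    return len(touched) > 1

def rasp_sink(program_point: str, sql: str, tainted_inputs: list[str]) -> None:
    """Hook at the instrumented program point: evaluate the rule, then run the
    event handler chain, which logs and (here) blocks."""
    for value in tainted_inputs:
        if spans_multiple_tokens(sql, value):
            ev = MonitorEvent("SQL Injection", program_point, sql, value)
            for handler in HANDLER_CHAIN:
                handler(ev)

# --- Target program: a deliberately injectable lookup behind either control ---
def handle_request(raw_query_string: str, protection: str) -> str:
    """protection is 'none', 'waf' or 'rasp'. Returns 'blocked' or the row count."""
    if protection == "waf" and not waf_allows(raw_query_string):
        return "blocked"
    name = urllib.parse.parse_qs(raw_query_string)["name"][0]
    sql = f"SELECT id FROM users WHERE name = '{name}'"   # vulnerable by design
    try:
        if protection == "rasp":
            rasp_sink("users.lookup:execute", sql, [name])
        rows = CONN.execute(sql).fetchall()
    except Blocked:
        return "blocked"
    return f"{len(rows)} rows"

if __name__ == "__main__":
    textbook = "name=admin%27%20or%201%3D1%20--"           # matches the WAF signature
    bypass_quoted = "name=admin%27%20OR%20%271%27%3D%271"  # ' OR '1'='1 : no "1=1"
    bypass_comment = "name=admin%27/**/or/**/1%3D1--"      # comments instead of spaces
    for req in (textbook, bypass_quoted, bypass_comment):
        print(req, {p: handle_request(req, p) for p in ("none", "waf", "rasp")})
```

The signature catches the textbook payload but not the quoted or comment-separated variants, because it matches text rather than what the text does; the sink-side rule catches all three because it sees the final statement and the untrusted value that reached it. Dropping block_action from HANDLER_CHAIN gives the log-only mode a team would run before enabling blocking; the lasting fix is still a parameterized query, which is why the slide positions RASP as a virtual patch and defense in depth rather than a replacement for remediation.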
HP Application Defender
Protection: stop attacks categorically or for specific vulnerabilities.
Simplicity: install quickly and easily with a three-step deployment (1, 2, 3); get protection up and running in minutes.
Visibility: actionable and accurate insight from within the application to pinpoint vulnerabilities for protection or remediation.
Built on HP Security Research and HP Fortify runtime technology.
Simplicity
• Quick installation: up and running in less than 5 minutes, in 3 easy steps
• Easy "in service" updates: rulepack and agent binary
• Accurate application protection
Visibility
• Quick access to specific vulnerability events
• Easy filtering of real-time and historical data
• Accurate presentation of event trigger and stack trace detail
Protection
• Quick protective action against attacks from within your application
• Easy identification of top vulnerability events by criticality
• Accurate results from within