Operationalizing Application Security & Compliance



IBM Software Group

© 2007 IBM Corporation


What is the cost of a defect?

The increasing cost of fixing a defect:
- During the coding phase: $25/defect
- During the build phase: $100/defect
- During the QA/Testing phase: $450/defect
- Once released as a product: $16,000/defect

80% of development costs are spent identifying and correcting defects!

IBM Software Group | Rational software

Rational AppScan Developer & Build Editions raise the industry bar
- Embed security testing into the development environment and workflow
- Seamlessly add security testing alongside functional & performance testing
- Dashboard provides filtered, relevant data for more informed decision-making
- Full traceability for security issue prioritization
- Automated security tests embedded into the build process
- All test assets and results in one repository
- Quality process enactment (Rational AppScan)
- Roles involved: CISO, Tester, Developer, Build Manager, QA Manager

Enabling the Operationalization of Security Testing

Enable the Security Testing Organization (Rational AppScan Standard Edition, Rational AppScan Enterprise Edition)
- Requires web application security subject matter expertise
- Single-step security testing (no additional oversight required as expertise is built-in)
- Eliminates training requirements for non-security experts
- Control, monitor, collaborate on and report web application security testing

Embed Security Testing in the SDLC (Rational AppScan Developer Edition, Rational AppScan Build Edition, Rational AppScan Tester Edition, Rational AppScan Standard Edition, Rational AppScan Reporting Console)
- Implement an environment-specific security testing solution for select stakeholders
- Alleviates the security testing bottleneck downstream
- Increases security awareness across the organization (code security improvement, vulnerability awareness)
- Enables a more efficient process for on-time and on-budget application development

Outsource Security Testing (Rational AppScan OnDemand, Rational AppScan Security Consulting)
- Outsource web application security infrastructure or testing
- Enables immediate identification of sources of online risk without the time and investment needed for in-house training and resources

Embedding Security in the Development Lifecycle

Primary goals for Web Application Security
1. Manage online risk with security audits
2. Realize process efficiencies with testing coverage occurring early in the development lifecycle

Security Auditors' Challenge
- Accountable for managing organizational risk through on-line activity
- Limited resources (by budget or skillset) to provide timely security testing coverage
- The result is a bottleneck that impacts development release cycles

The Solution
- Engage more testers earlier in the development lifecycle

Security tools are being pitched to developers
- Security tools require security expertise and don't address the developer use case
- Lack the necessary process integration to enable success
- Current static analysis suffers from accuracy and efficiency shortcomings, creating doubt and pushback from development organizations
- No solution provides a viable mix of blackbox & whitebox technology
- High cost of static analysis-only offerings: high cost, yet still incomplete solutions
- Lack of training: developers are not mandated or motivated to train on secure code practices; priority remains on building functionality

Challenge: Building software securely from the ground up

Security Auditors need to enable more testers in the process, but software developers are not trained to be security experts, nor can they meet new development demands.
- Niche security testing teams have been performing audits before code can pass to production
- These teams cannot keep up with the demand from hundreds of developers pushing new applications frequently; as a result, software releases are delayed or risk is introduced
- Need to engage more testers earlier in the process
- Need to make it simple for non-security professionals

- How do we get more resources to provide more security testing for our applications?
- How do we make it easier to identify security vulnerabilities?
- How can I ensure our developers are implementing our corporate policies?
- Development does not like us halting releases due to security issues. How can I give them back control?

Solution: Utilize offerings designed for the development environment to identify and fix security issues early in the development process, and turn the security audit into the final check, not the first step.

Rational AppScan Developer Edition & AppScan Build Edition provide security and compliance checks
- The combination of static code analysis and dynamic analysis gives non-security professionals in development the ability to accurately check for security defects in code
- Designed for the developer's use case, to seamlessly fit security testing into the development workflow
- AppScan Build Edition embeds automated security testing into the build process
- Provides remediation advice to simplify fixing security issues
- High-accuracy security issue identification that developers can understand and fix
- Includes embedded security issue training: bite-sized training modules allow developers to quickly understand the security issue and make the appropriate fix
- Facilitates non-disruptive adoption of security testing solutions to improve application

IBM Rational AppScan Developer Edition
IBM Rational AppScan Build Edition

Expertise:
Development is not focused on or trained to address security issues. Not having security expertise makes development adoption of security testing a challenge. For development to be effective, solutions must be designed for non-security professionals and fit the developer's use case, thereby improving accuracy and efficiency and avoiding disruption.

Cost/time:
The push to move more business services online places greater demand on limited security testing resources to achieve testing coverage. Tools that naturally fit into the development process provide lifecycle efficiencies, as security issues are now identified and addressed much earlier in the process.

Compliance:
Embedding security testing into development processes and systems supports the same governance requirements inherent in development & testing organizations, but the added risk of security vulnerabilities demands stringent governance processes to log, track & ensure remediation of identified security issues.

Bottom line – Development adoption of security testing results in more secure software with on-time release schedules. Development is critical to the security challenge.

Addressing organizational security testing requirements

Enable more testers in the process to alleviate the security bottleneck
- Collaborative life cycle: Development & Security Analysts collaborate to achieve greater testing coverage earlier in the development process.
- Powered by automation: automate security testing as part of the normal code-build process within existing development environments, eliminating the need for non-security personnel to learn new or advanced security tools.
- Govern software delivery: govern the process of issue remediation by providing the ability to log security issues directly into defect tracking tools.

Rational AppScan Developer Edition & AppScan Build Edition can be embedded into the development process.

Rational AppScan Developer & Build

Rational AppScan Developer Edition and Build Edition Themes
- Designed for Developers, not Security Auditors
- Self-Serve: No Security Expertise Required
- Natural fit into the Development Lifecycle Process & Tools
- Best Web Application Security Analysis: the Total Potential Security Issues are covered by combining Dynamic Analysis, Static Analysis and Runtime Analysis

Business Outcome
- Enable more people to contribute to security testing coverage with solutions for specific use cases
- Use case offerings facilitate the adoption of security with minimal disruption to existing objectives

Analysis Techniques Used

Static Code Analysis <> Whitebox
- Looking at the code for issues (code-level scanning)

Dynamic Analysis <> Blackbox
- Sending tests to a functioning application

String Analysis
- IBM patent-pending code analysis technique
- Code analysis version of "Scan Expert" for efficient configuration of the scan to enable accurate results

Composite Analysis
- Blend of all testing techniques for improved accuracy of reporting
- Leverages the strengths and overcomes the weaknesses of each individual technique

Runtime Analysis
- Monitoring behavior for feedback while the application is running, at a detailed level, to tell where a vulnerability exists in the execution code

Black Box vs. White Box

Black Box
- Source free
- HTTP awareness only
- Multi-component support
- Requires deployed application
- Few prerequisites

White Box
- Code/path coverage
- Limited to given code
- More than HTTP validations
- Supports partial applications
- Support per language/framework
- No need to deploy application
- Over-approximation

The slide positions the two along the axes Accuracy and Code coverage, with AppScan DE placed between Black Box and White Box.

String Analysis
- IBM patent-pending technology
- Potentially game-changing technology in code analysis
- Existing white-box offerings use Taint Analysis
  - Requires configuration; dependent on both knowledge of the code & security expertise to be done accurately
  - Inaccurate configuration results in volumes of false positives
- String Analysis automates configuration
  - Removes the largest driver of inaccurate results in static code analysis
  - Simplifies use for developers (non-security experts)
- Taint analysis measures whether an input is tainted; string analysis can determine exactly how it is tainted

String Analysis vs. Taint Analysis

Configuration
- String Analysis: accurate out-of-the-box; no need to define what the sanitizers are
- Taint Analysis: users must spend a long time configuring sanitizers

Configuration validation
- String Analysis: can validate the correctness of user-defined sanitizers
- Taint Analysis: the entire analysis is based on correct user configuration

Validators
- String Analysis: supported
- Taint Analysis: no support; users have to change their code to scan it

Result confidence
- String Analysis: "self-serve" solution underlines high-confidence results; the developer can trust results to be real
- Taint Analysis: many "low confidence" results that require security professionals to verify

Advanced
- String Analysis: allows improved and accurate analysis to pinpoint specific issues
- Taint Analysis: restricted to identifying taint only

Inline sanitizers
- String Analysis: supported
- Taint Analysis: no support; users have to change their code to scan it
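To make the contrast concrete, here is a toy comparison in Python, added as an illustration and not AppScan's code or IBM's string analysis: boolean taint analysis needs the analyst to name the sanitizers and trusts that list unverified, while a character-set abstraction, standing in for string analysis, derives a sanitizer's effect from its own replace() steps, so it both catches a buggy inline sanitizer and reports which characters reach the sink. The statement IR, the SANITIZERS table and the BUGGY/FIXED programs are constructed for the example.

```python
# Characters an HTML sink must never receive from an untrusted source.
DANGEROUS = set('<>"\'')

# Tiny statement IR, constructed for this example (not AppScan's format):
#   ("input", var)                var <- untrusted request parameter
#   ("call", var, fn, arg)        var <- fn(arg), fn is a key of SANITIZERS
#   ("concat", var, left, right)  var <- left + right (var names or literals)
#   ("sink", var)                 var is written into the HTML response

# Inline sanitizers as written in the code under analysis: ordered replace() steps.
SANITIZERS = {
    "strip_script": [("<script>", ""), ("</script>", "")],  # buggy: strips tags only
    "html_escape": [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                    ('"', "&quot;"), ("'", "&#x27;")],      # correct
}

def taint_analysis(prog, trusted_sanitizers):
    """Boolean taint: a call to a *configured* sanitizer clears taint, unverified."""
    tainted, findings = {}, []
    for st in prog:
        if st[0] == "input":
            tainted[st[1]] = True
        elif st[0] == "call":
            tainted[st[1]] = st[2] not in trusted_sanitizers and tainted.get(st[3], False)
        elif st[0] == "concat":
            tainted[st[1]] = tainted.get(st[2], False) or tainted.get(st[3], False)
        elif st[0] == "sink" and tainted.get(st[1], False):
            findings.append(st[1])   # only knows *that* it is tainted, not how
    return findings

def apply_sanitizer(chars, steps):
    """Abstractly run replace() steps over the set of dangerous chars a string may hold."""
    for pattern, repl in steps:
        if len(pattern) == 1:
            if pattern in chars:                      # every occurrence is replaced
                chars = (chars - {pattern}) | (set(repl) & DANGEROUS)
        elif (set(pattern) & DANGEROUS) <= chars:     # longer pattern may match, but a
            chars = chars | (set(repl) & DANGEROUS)   # lone '<' outside it still survives
    return chars

def string_analysis(prog):
    """Character-set abstraction: which dangerous chars may reach each sink; no config."""
    may, findings = {}, {}
    literal = lambda s: set(s) & DANGEROUS   # over-approximate: a '<' in a literal counts too
    for st in prog:
        if st[0] == "input":
            may[st[1]] = set(DANGEROUS)
        elif st[0] == "call":
            may[st[1]] = apply_sanitizer(may[st[3]], SANITIZERS[st[2]])
        elif st[0] == "concat":
            may[st[1]] = may.get(st[2], literal(st[2])) | may.get(st[3], literal(st[3]))
        elif st[0] == "sink" and may.get(st[1]):
            findings[st[1]] = may[st[1]]   # reports *which* characters survive, i.e. how
    return findings

# Constructed program: untrusted "name" flows through a sanitizer into the page.
BUGGY = [("input", "name"), ("call", "clean", "strip_script", "name"),
         ("concat", "page", "Hello, ", "clean"), ("sink", "page")]
FIXED = [("input", "name"), ("call", "clean", "html_escape", "name"),
         ("concat", "page", "Hello, ", "clean"), ("sink", "page")]
```

With strip_script listed as a trusted sanitizer, taint_analysis(BUGGY, {"strip_script"}) reports nothing, while string_analysis(BUGGY) reports that all four dangerous characters can still reach the page; string_analysis(FIXED) is clean without any configuration.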

Why Buy…
- Broadest suite of offerings to support security testing across the development lifecycle
- Only web application security testing solution to provide combined code, dynamic, runtime and string analysis
- Broadest set of security compliance reporting
- Integration with the Rational portfolio, allowing security to become a natural part of the software development process
- R&D backed by IBM's $1.5B annual investment in security

Designed for Developers, not Auditors
- Designed for developer efficiency & addresses non-security expertise
- Enable both centralized and broad security testing ("Test before check in" model)

Best Application Security Analysis
- Includes multiple analysis techniques; leverages the strengths of all techniques & overcomes weaknesses
- Emphasis on accuracy (low FP) & actionable results

Self-Serve Security Testing for Developers
- Detailed results include all you need to know
- Remediation view turns risk into tasks
- Detailed fix recommendations clarify required actions
- Built-in & accompanying training supports self-serve

Naturally fits into the SDLC process
- Minimize disruption
- Scale to a large number of users
- Support collaboration within development
- Integrate with development tools

Highlights

What is AppScan Developer Edition?
- A solution created to empower developers with the ability to invoke Web application security testing within their development environment
- Designed as a complement to the Rational AppScan family of security testing solutions, it enables the development organization to address the volumes of security issues that can be introduced in code
- Supports existing developer and build environment use cases for efficient and non-disruptive adoption of security testing with IDE & build server integrations

What does it do?
- Provides security and compliance checks using static code analysis for security vulnerabilities
- Enables developers (who are not security experts) to address security defects early in the development process, where the cost of fixing issues is least expensive

- Comprehensive Security Analysis
- Next-Generation Accuracy
- Unparalleled Ease of Use
- Identification of line-of-code
- Self-Serve Security Testing for Developers
- Seamless Integration into the Development Process
- Completes the Rational AppScan End-to-End security solution

Typical Customer Adoption To Date

Stages (plotted against Market Maturity):
- Code: Build security testing into the IDE
- Build: Automate Security / Compliance testing in the Build Process
- QA: Security / compliance testing incorporated into testing & remediation workflows
- Security: Security and Compliance Testing, oversight, control, policy, in-depth tests

Components shown: AppScan Standard Ed (desktop), AppScan Enterprise user (web client), IBM Rational Web Based Training for AppScan, IBM Rational AppScan Enterprise / Reporting Console

IBM Rational AppScan Ecosystem / The New IBM Rational AppScan Ecosystem (the two slides show the same diagram)

Rational tooling in the ecosystem: Rational BuildForge, Rational Quality Manager, Rational Application Developer, Rational Software Analyzer, Rational ClearCase, Rational ClearQuest / Defect Management; IBM Rational Web Based Training for AppScan; AppScan Enterprise / Reporting Console

AppScan components: AppScan Standard Ed (desktop), AppScan Developer Ed (desktop), AppScan Build Ed (scanning agent), AppScan Tester Ed (scanning agent, QA clients), AppScan Ent. QuickScan (web client), AppScan Enterprise user (web client)

Stages:
- CODE: Build security testing into the IDE*
- BUILD: Automate Security / Compliance testing in the Build Process
- QA: Security / compliance testing incorporated into testing & remediation workflows
- SECURITY: Security & Compliance Testing, oversight, control, policy, audits

AppScan Developer Edition - Proactive Use Case
1. Developer writes code
2. Developer tests changes using AppScan DE
3. Developer fixes or logs issues
4. Developer checks in code

AppScan Developer Edition - Reactive Use Case
1. Developer receives defect* (preferably with scan file)
2. Developer loads scan or reproduces issue using AppScan DE
3. Developer fixes issue in code
4. Developer re-tests using AppScan Dev Ed
5. Developer checks in fix and updates defect

* Defect originating from another developer, QA or the build system

Rational AppScan Value Propositions

Customer Pain: Client has acquired a web application testing desktop point product being run by a security auditor. Limited licenses or resources performing the testing have created a bottleneck at the security team, and it is impeding the deployment of applications.

Value for Customer: The IBM Rational AppScan portfolio of web application security testing solutions enables software development stakeholders from development, build management and QA to share in the security testing responsibility and alleviates the resource limitations of the security team.

Unlike: Competition, who lack IBM's investment in security (which allows IBM to lead with the broadest and most advanced security testing) and lack the customer experience to enable customer success.

Customer Pain: Client needs the development organization to address the process inefficiencies and project delays resulting from a security testing bottleneck occurring late in the development process.

Value for Customer: IBM Rational AppScan Developer Ed and Rational AppScan Build Ed provide security testing solutions that are designed for development use cases to enable security testing for non-security experts. The offerings allow for the identification and remediation of security issues much earlier in the development process, resulting in a more efficient process and projects delivered on time.

Unlike: Competition, who lack the breadth and strength of testing techniques to provide the necessary efficiencies and accuracy for development to be successful with security testing.

Rational AppScan Developer Edition –
- Wizard-based Scan Creation
- Advanced Configuration (not a part of daily use)
- Manual-Explore Based Dynamic
- Detailed Progress throughout Scan
- Actionable Results: prioritized, include all the info to understand and remediate issues
- Detailed Dynamic Exploit Description
- Complete static data-flow display including all the code involved
- Code-level Execution flow of Dynamic
- Built-in Export to ClearQuest
- Rational Software Analyzer Integration (adding Quality-related Static Analysis)
