HP Fortify application security



Erik Costlow


© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Cyber attackers are targeting applications

Traditional security measures sit at the network and hardware layers: switch/router security, firewalls, NIPS/NIDS, VPN, network forensics, anti-virus/anti-spam, DLP, host firewalls, host IPS/IDS and vulnerability assessment tools.

What attackers are after lives in the applications: intellectual property, customer data, business processes and trade secrets.

Software comes from four sources: in-house development, outsourced development, commercial products and open source.

The security tasks that follow from that mix: procuring secure software, demonstrating compliance, certifying new releases and securing legacy applications.

Fixing things late is frustrating

[Chart: relative cost of fixing a defect by lifecycle phase, rising from requirements through coding, integration/component testing and system testing to production; the cost axis is marked 2X, 5X, 10X, 15X and 30X. Source: NIST.]

After an application is released into production, a fix costs 30x more than it would have during design: it is 30x more costly to secure in production.

This is application security

The right approach is systematic and proactive, and it covers in-house, outsourced, commercial and open source code alike:

1. Embed security into the SDLC development process.
2. Use a security gate to validate the resiliency of internal or external code before it reaches production.
3. Monitor and protect software running in production.

HP Fortify Software Security Center

Protects business-critical applications from advanced cyber attacks by removing security vulnerabilities from software.

Accelerates time-to-value for achieving secure applications.

Increases development productivity by enabling security to be built into software, rather than added on after it is deployed.

Delivers risk intelligence from application development to improve operational security.

In-house, outsourced, commercial, open source: it identifies and eliminates risk in existing applications and prevents the introduction of risk during application development, whether in-house or from vendors.

Application security benefits

Reduce risk with minimal effort and operational costs.
Deliver measurable business and strategic value.
Meet government and industry compliance regulations.
Build a security culture throughout your organization.

Competitive differentiators

We enable companies to build a holistic application security program from the ground up to secure all their software from development to production, regardless of who develops it or where, and whatever device, form factor or environment it runs on.

Breadth: the most complete software security solution, with static, dynamic and hybrid testing, along with collaborative remediation and proactive SDLC governance.

Depth: 492 unique vulnerability categories discovered across 21 programming languages and over 750,000 individual platform and framework APIs.

Services: expert guidance to custom-tailor and integrate software security into your unique development, testing and production environments.

Summary: HP Fortify Software Security Center

Comprehensive application security solutions
that proactively identify and eliminate the immediate risk in legacy applications, as well as the introduction of systemic risk during application development;
to ensure that all software is trustworthy and in compliance with internal and external security mandates;
scaling to protect all your business-critical desktop, mobile and cloud applications.

Review: Fixing things late is frustrating

[Chart repeated from earlier: cost of fixing a defect by phase, from requirements through coding, integration/component testing and system testing to production, with the cost axis marked 2X, 5X, 10X, 15X and 30X.]

Manage everything together: production, testing, coding, manual

[Architecture diagram] Software Security Center is the hub. Results flow in from:

Static analysis via build integration, fed from the source code management system.
Dynamic testing in QA or production.
Real-time protection of the running application, which sees the actual attacks hackers send.
IDE plug-ins (Eclipse, Visual Studio, etc.) used by developers, onshore or offshore.

Inside the hub: the vulnerability database; threat intelligence and rules management; normalization (scoring, guidance); and correlation of static, dynamic and runtime findings.

Out of the hub: remediation, which correlates target vulnerabilities with common guidance and scoring for developers; and application lifecycle reporting for development, project and management stakeholders, with defects, metrics and KPIs used to measure risk.

Manual penetration testers

Some are good, but the quality is often unpredictable, and they cannot scale.

They are good at finding logic flaws, which requires knowing the business domain (e.g. you cannot trade stocks on a Saturday).

Even after they are done, how do you:
A. Remediate the identified issues?
B. Verify proper remediation?

Let's work from the ground up: find vulnerabilities, then fix vulnerabilities.

During development

Scan wizard: easy, repeatable scans
Simplifies onboarding
Training
Predictable process

SCA: find results in code

Show vulnerabilities in the developer's language.
Details: what is this?
Recommendations: how do I fix it?
Auditable: annotate the risk.

Developers understand their own code.
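The "find results in code" idea, as an added example that is not part of the original deck and is not Fortify SCA: a toy source-to-sink taint checker built on Python's ast module. The source, sink and sanitizer names, the finding fields and the sample program are all constructed for the illustration. It is intraprocedural and flow-insensitive, which real analyzers are not, but it shows what a finding "in the developer's language" carries: the category, the line, the sink that was reached and a recommendation the developer can act on.

```python
"""Toy taint checker: untrusted input (a source) must not reach SQL execution (a sink)
without passing through a conversion that cannot carry SQL syntax (a sanitizer).
Added example; not Fortify SCA. Rule names, sample program and finding format are constructed."""
import ast
from typing import Dict, List, Optional, Set

SOURCES = {"request.args.get", "request.form.get", "input"}  # where untrusted data enters
SINKS = {"cursor.execute", "db.execute"}                     # where it must not arrive as SQL text
SANITIZERS = {"int", "float"}                                # conversions that strip SQL syntax


def dotted_name(node: ast.AST) -> Optional[str]:
    """`request.args.get` -> "request.args.get"; None for anything that is not a name chain."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintChecker(ast.NodeVisitor):
    """Walks one function at a time and tracks which local names hold tainted data."""

    def __init__(self) -> None:
        self.tainted: Set[str] = set()
        self.function = "<module>"
        self.findings: List[Dict[str, object]] = []

    def is_tainted(self, expr: ast.AST) -> bool:
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            fn = dotted_name(expr.func)
            if fn in SOURCES:
                return True
            if fn in SANITIZERS:
                return False  # cleanse rule: int(x) cannot smuggle quotes or keywords
            operands = list(expr.args) + [kw.value for kw in expr.keywords]
            return any(self.is_tainted(a) for a in operands)
        # Concatenation, %-formatting, f-strings, .format(): tainted if any piece is tainted.
        return any(self.is_tainted(child) for child in ast.iter_child_nodes(expr))

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.function, self.tainted = node.name, set()  # fresh scope per function
        self.generic_visit(node)
        self.function = "<module>"

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        fn = dotted_name(node.func)
        if fn in SINKS and node.args and self.is_tainted(node.args[0]):
            self.findings.append({
                "category": "SQL Injection",
                "function": self.function,
                "line": node.lineno,
                "sink": fn,
                "detail": f"untrusted input reaches the SQL text passed to {fn}()",
                "recommendation": "bind the value as a query parameter instead of building the SQL string",
            })
        self.generic_visit(node)


def scan(source: str) -> List[Dict[str, object]]:
    """Return one finding per tainted sink argument in the given Python source."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample: one unsafe concatenation, one parameterised query, one sanitised value.
SAMPLE = '''
def lookup_unsafe(request, cursor):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)

def lookup_safe(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))

def lookup_by_id(request, cursor):
    user_id = int(request.args.get("id"))
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only lookup_unsafe produces a finding: the parameterised query never puts the tainted value into the SQL text, and the int() conversion acts as a cleanse rule. The finding's "detail" and "recommendation" fields are the part a developer needs in order to fix and then annotate the issue without leaving their code.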

Fortify RTA

Constant monitoring, at API level.
Ignore probing attacks that the application is not vulnerable to; dedicate resources to fixing active exploits.
The question asked of every request: would this attack have worked? If so, stop it and guide remediation.

[Diagram: the application under normal behavior versus under an actual attack.]
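The "would this attack have worked?" question, as an added example that is not part of the original deck and is not Fortify RTA: a toy monitor on the SQL sink that separates a probe (hostile-looking input that stayed inside a bound parameter, so the application was not vulnerable) from an actual exploit (the same input concatenated into the SQL text, where it changes the statement's structure). The tokenizer, the classification rules, the sample table and the request values are constructed; a real agent hooks the database driver rather than being called explicitly.

```python
"""Toy runtime sink monitor: decide at the SQL sink whether request input actually
changed the statement, instead of pattern-matching the input at the perimeter.
Added example; not Fortify RTA. Tokenizer, rules and sample data are constructed."""
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# One token per quoted literal (with '' escapes), number, word or punctuation mark.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\"[^\"]*\"|\d+(?:\.\d+)?|\w+|[^\s\w]")
# What a probe tends to carry: quotes, comment or statement separators, SQL keywords.
# Crude on purpose; it only decides whether a harmless request gets logged as a probe.
_HOSTILE = re.compile(r"['\";]|--|/\*|\b(or|and|union|select|drop)\b", re.IGNORECASE)


def sql_shape(sql: str) -> List[str]:
    """Reduce a statement to its structure: literals -> LIT, words -> WORD, punctuation kept.
    Two statements with the same shape parse the same way; only literal values differ."""
    shape = []
    for tok in _TOKEN.findall(sql):
        if len(tok) > 1 and tok[0] in "'\"" and tok[-1] == tok[0]:
            shape.append("LIT")            # complete quoted literal
        elif tok[0].isdigit():
            shape.append("LIT")            # numeric literal
        elif tok[0].isalnum() or tok[0] == "_":
            shape.append("WORD")           # keyword or identifier
        else:
            shape.append(tok)              # operators, parentheses, a stray unmatched quote
    return shape


def classify(sql: str, tainted: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """'attack' if a request value sits in the SQL text and changes its shape; 'probe' if a
    hostile-looking value was sent but never entered the SQL text (it was bound as a
    parameter, so the query is not vulnerable); otherwise 'normal'."""
    verdict = "normal"
    for name, value in tainted.items():
        if not value.strip():
            continue
        if value in sql:
            # Replace the value with a harmless stand-in of the same kind; if the statement's
            # shape changes, the value escaped its literal and is rewriting the query.
            stand_in = "0" if value.isdigit() else "x"
            if sql_shape(sql) != sql_shape(sql.replace(value, stand_in)):
                return "attack", name
        elif _HOSTILE.search(value):
            verdict = "probe"
    return verdict, None


def guarded_execute(conn: sqlite3.Connection, sql: str, params: tuple,
                    tainted: Dict[str, str]) -> Tuple[list, str]:
    """Run the statement unless a tainted value has changed its structure."""
    verdict, name = classify(sql, tainted)
    if verdict == "attack":
        # Stop the request and point remediation at the sink that built SQL from input.
        raise PermissionError(f"blocked: request value {name!r} changed the structure of: {sql}")
    return conn.execute(sql, params).fetchall(), verdict


def demo() -> Tuple[str, str, bool]:
    """Constructed traffic: a normal request, a probe against a safe query, a real exploit."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE users(name TEXT, role TEXT);"
                       "INSERT INTO users VALUES ('alice', 'user'), ('root', 'admin');")
    payload = "' OR '1'='1"
    safe_sql = "SELECT name FROM users WHERE name = ?"

    _, normal = guarded_execute(conn, safe_sql, ("alice",), {"name": "alice"})
    # Same payload through the parameterised query: logged as a probe, nothing to fix.
    _, probe = guarded_execute(conn, safe_sql, (payload,), {"name": payload})
    # Same payload concatenated into the SQL text: the statement gains an OR clause, so block it.
    unsafe_sql = f"SELECT name FROM users WHERE name = '{payload}'"
    try:
        guarded_execute(conn, unsafe_sql, (), {"name": payload})
        blocked = False
    except PermissionError:
        blocked = True
    return normal, probe, blocked


if __name__ == "__main__":
    print(demo())  # ('normal', 'probe', True)
```

The point of checking at the sink is that the same payload gets two different verdicts: bound as a parameter it is noise, concatenated into the statement it is an exploit that would have worked. A legitimate value containing an apostrophe (O'Brien) also changes the shape of a concatenated query; that is still the right thing to report, because it proves the sink builds SQL from input, but it shows why the block-or-log decision belongs with the team that owns the remediation.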

Bring it all together: Software Security Center

[The same architecture diagram as in "Manage everything together": static analysis via build integration, dynamic testing in QA or production, real-time protection of the running application, and IDE plug-ins all report into Software Security Center, which normalizes and correlates static, dynamic and runtime findings and feeds remediation and lifecycle reporting.]

Educational, self-service

Security fits agile or waterfall.
Customizable quick-start.

Track security results

Development teams submit results into Software Security Center from:
HP Fortify SCA
HP WebInspect
3rd party analyzers
