Application Security Center Overview - SAST


Application Security Center overview
Magnus Hillgren, Presales – HP Software Sweden
Fredrik Möller, Nordic Manager – Fortify Software

HP BTO (Business Technology Optimization) portfolio (slide dated 17 September 2009)
Business: Project & Portfolio Management Center, Quality Center, Performance Center, SOA Center, Application Security Center (SAP, Oracle, SOA, J2EE, .Net); CIO Office, CTO Office
Operations: Business Service Management, Business Service Automation, IT Service Management, Data Center Automation Center, Universal CMDB, Service Management Center

Three pillars of quality (AQM): does it work? does it perform? is it secure?
 FUNCTIONALITY: Does it work? Does the application function the way the business needs it to?
 PERFORMANCE: Does it perform? Will the application perform for the entire customer set? Will it scale? Will it meet SLAs in production?
 SECURITY: Is it secure? Has the application been assessed against all known threats? Are there open doors or windows that sophisticated hackers can penetrate?

The Risks are Real

Applications are the target
 Network: secured by firewall
 Servers: protected by intrusion prevention
 Applications: unprotected and ignored
"75% of hacks happen at the application." – Gartner, "Security at the Application Level"

Vulnerabilities are "baked into" the apps themselves, so security can't be "bolted on". Application teams must bridge the gap between security professionals and application developers and QA professionals.

The Costs to the Enterprise are Enormous
 Costs incurred for discovery, response, and notification
 Lost employee productivity
 Regulatory fines
 Customer losses
 The total cost* of a data breach ranges from 90 to 305 per compromised record
 Cost of a single breach may run into millions or even billions of dollars
 From scans of over 31,000 sites, over 85% showed a vulnerability that could give hackers the ability to read, modify and transmit sensitive data. -- Web Application Security Consortium
*Forrester Research, "Calculating The Cost Of A Security Breach"

What are organizations doing about these threats?
 Leading organizations secure the lifecycle
 92% of security defects exist in applications
 Save money by fixing security defects before they get to nt

HP Software & Fortify Software: Best Enterprise Application Security Solution
 Fortify leads SAST and "Security for Development" market
 HP dominates Quality Assurance, leader in DAST market
 Leverage strengths to bring "best of breed" solutions to customers
Planned integrations:
 Fortify 360 SCA + HP Application Management Platform: single dashboard view for more comprehensive risk picture
 Fortify 360 SCA + HP Quality Center Defect Mgmt Module: security into established defect tracking process
"Gartner believes that vendors have greater vision if they integrate static and dynamic testing to increase the breadth of application life cycle coverage and the accuracy of vulnerability detection." – Gartner, Inc., "HP and Fortify Aim to Advance Application Security Testing", Joseph Feiman and Neil MacDonald, June 17, 2009

HP Application Security Center: before partnership with Fortify
Enterprise application security assurance across the lifecycle (Plan, Design, Code, Test, Production):
 Source code validation: DevInspect
 QA: QAInspect
 Assessment Management Platform: enterprise security assurance and reporting
 HP Web Security Research Group: continuous updates
  – Internal app security research
  – External hacking research

HP Application Security Center: security for the application lifecycle (current)
Enterprise application security assurance across the lifecycle (Plan, Design, Code, Test, Production):
 Source code validation
 QA & integration
 Assessment Management Platform: enterprise security assurance and reporting
 HP Web Security Research Group: continuous updates
  – Internal app security research
  – External hacking research

Fortify 360 Source Code Analyzer: The Gold Standard for Static Analysis Security Testing
Business value
 Increase Productivity
  – Discover, prioritize and fix issues faster
  – Pinpoint security flaws at the root cause in the code
  – Empower developers to remediate errors early
 Increase Visibility
  – Analyze and remediate software created in-house, outsourced, purchased, or open source
  – Track and control security throughout the development lifecycle
 Leverage existing infrastructure
  – Works seamlessly in developer IDEs or via web interface
  – Automatically submit defects to HP Quality Center Defect Management System
  – Analyzes 17 languages and over 600,000 APIs
13 April 2009

Fortify SCA – HP Quality Center
 Out-of-the-box, seamless integration: submit issues from Fortify SCA into HP Quality Center Defect Management Module, via user interface or command line
 Round-trip integration enabled: Fortify SCA updates issues when status changes in HP QC
 Custom field integration: via professional services

HP QAInspect: automated security testing for quality assurance teams and engineers
Key benefits
 Automated Security Defect discovery: integrated with Quality Center; ensures compliance with government regulations; less exposure to application downtime
 Targeted Security Testing: manage security testing within existing QM methodology; correct security defects early in application lifecycle
 Lower Application Risk: automatically finds and prioritizes security defects in a Web application; holistic or targeted application security tests depending upon requirements
 Built-in Knowledgebase: built-in security expertise combines daily updates of vulnerability checks with unique intelligent engines; comprehensive defect information and remediation advice about each vulnerability

HP WebInspect: for security professionals and advanced security testers
Key benefits
 Find security defects during production or before you go live: determine the current security status of your web or web service applications; remediation advice for Development, QA and Operations
 Accelerate Regulatory Compliance: includes reports for more than 20 laws, regulations, and best practices, like SOX, HIPAA, PCI
 Support for the latest web technologies: supports the latest AJAX and JavaScript rich internet applications
 Advanced Security Toolkit: highly automated while allowing hands-on control; advanced toolkit for penetration testers
 Create customized reports and policies: custom checks, report templates, policies, compliance reports

HP Assessment Management Platform: assess and manage application security risk across the enterprise
Key benefits
 Controlled Visibility: centralize all application security data; view and report on assessments conducted anytime by anyone; strict access control of sensitive data
 Scalability: multi-scanner arrays amplify existing personnel to scan more systems faster
 Managed Self-Service: allow low-usage customers to scan themselves via web portal
 Control Sensitive Security Activities: set user permissions, enforce policies and restrict activities
 DevInspect, QAInspect, AMP Sensors and WebInspect
SC Awards 2008 winner for "Best Enterprise Security Solution"

Enforce the quality process: a repeatable quality management process mitigates risk
Align with management and stakeholders
 Strategic demand / business requirements: new applications, new services, application integrations
 Operational demand: defects, enhancements, change requests
 Enterprise Architecture and Policies: SOA, Security
Integrate with demand
 REQUIREMENTS MANAGEMENT: functional requirements; security requirements; other non-functional requirements
 RISK-BASED TEST PLANNING: create manual test cases; assess and analyze ies; create test plans
 TEST MANAGEMENT AND EXECUTION: automate regression test cases; identify and customize security policies; create performance scripts and scenarios; execute functional tests; execute security scans; execute tests, diagnose and resolve problems
 DEFECT MANAGEMENT: collaborate with design and development teams; Go/No Go
 OPERATIONS: connect to ment; production monitoring; service desk

Thank you!
magnus.hillgren@hp.com
fmoller@fortify.com
