Fortify® 360
Securing Your Entire Software Portfolio
“Fortify’s holistic approach to application security truly safeguards our enterprise against today’s ever-changing security threats.”
— Craig Schumard, CISO, CIGNA
Software Security Assurance (SSA) – Removing the Risk Within Software
“The single biggest step for businesses to reduce risk today is to force major improvements in poorly designed and insecure software and applications.”
— John Pescatore, Senior Analyst, Gartner
Our mission is to help our customers ensure that their entire software portfolio—whether it’s built in house, outsourced, purchased from vendors or acquired from the open source community—is secure.
Attacks on software by hackers, criminals and insiders can result in business interruption, brand damage, tremendous financial loss and harm to innocent people. The targets of these attacks are hidden vulnerabilities within software applications. The results of years of security-blind programming practices, these vulnerabilities have accumulated within software, waiting to be exploited. To make matters worse, new vulnerabilities are continuing to be introduced into organizations from their own internal software development groups as well as through procurements from vendors, outsourcing firms and open-source projects.
Alarmed by the potential for widespread social and commercial damage, government and industry regulatory bodies have been strengthening mandates in the area of application security. Many organizations are now required to address the risk posed by their applications and to demonstrate compliance.
Software Security Assurance, or SSA, is a systematic approach for eliminating the security risk in software and complying with relevant government and industry mandates. Where Software Quality Assurance ensures that software will function and perform as required, SSA ensures that software cannot be used in a way that might cause harm to the organization. SSA addresses the immediate challenge of removing vulnerabilities from deployed applications as well as the ongoing, systemic challenge of producing and procuring secure software.
With its market-leading combination of products and services, Fortify has helped more than 500 organizations throughout the world achieve measurable reductions of risk with an effective SSA program. Fortify provides Fortify 360, the leading suite of products for SSA. Fortify’s Global Services organization provides SSA implementation guidance and expertise, and Fortify’s Security Research Group ensures that customers’ SSA capabilities are sufficient to meet the ever-evolving threat landscape.
3 WWW.FORTIFY.COM
Fortify 360 provides the critical analytic, remediation and management capabilities necessary for a successful, enterprise-class SSA program.
• Identification: Comprehensive root-cause identification of more than 400 categories of security vulnerabilities in 17 development languages
• Remediation: Brings Security, Development and Management together to remediate existing software vulnerabilities
• Governance: Monitors organization-wide SSA program performance and prevents the introduction of new vulnerabilities from internal development, outsourcers and vendors by automating Secure Development Lifecycle processes
• Application Defense: Quickly contains existing vulnerabilities so they can’t be exploited
• Compliance: Easily demonstrates compliance with government and industry mandates as well as internal policies
[Figure: Fortify® 360, the market-leading suite of solutions to contain, remove and prevent vulnerabilities in software. Roles shown: Auditor, CISO, Risk Officer, Developer. Caption: Fortify 360 presents integrated results from static and dynamic analyzers.]
Vulnerability Detection and Remediation
Maximum Reduction of Risk at the Source
Fortify 360 identifies the root cause of software security vulnerabilities in both source code and running applications, detecting more than 400 types of vulnerabilities across 17 development languages and 600,000 component-level APIs. Vulnerabilities can be collected during the development or quality assurance phase of a project, or even after an application has been put into production, minimizing the risk that a serious problem goes undetected. To ensure that the most serious issues are addressed first, Fortify 360 correlates and prioritizes results from its analyzers to deliver an accurate, risk-ranked list of issues.
Harmonize Expertise and Remediate More Code
Fortify 360 offers a complete set of collaborative capabilities for quickly triaging and fixing vulnerabilities identified by its three analyzers. Application security professionals, developers and their managers can work together in the way that best suits them using role-specific interfaces.

Designed specifically for the application security professional, Fortify 360 Audit Workbench provides the means to analyze individual vulnerabilities, assign them out for remediation and track activities to completion. Fortify 360’s web-based Collaboration Module provides a shared workspace and repository for application security professionals, developers and managers to work together on code reviews and remediation activities. Developers can address issues in their preferred development environment while collaborating with the security team using plug-ins for Eclipse and Microsoft Visual Studio.

With Fortify 360, developers learn about secure coding practices while they are fixing vulnerabilities. For every vulnerability, Fortify 360 delivers reference information to the developer describing the problem and ways to fix it in the developer’s specific programming language.
For identifying vulnerabilities in both source code and running applications, Fortify 360 offers the following static and dynamic analyzers:

Analyzer: Source Code Analyzer (SCA)
Type: Static Analysis
Description: The SCA component of Fortify 360 examines an application’s source code for potentially exploitable vulnerabilities.
Usage: Used during the Development phase to identify vulnerabilities early in the development cycle, when they are less costly to address.

Analyzer: Program Trace Analyzer (PTA)
Type: Dynamic Analysis
Description: PTA identifies vulnerabilities that can be found only when an application is running, and verifies and further prioritizes results found using SCA.
Usage: Used during the Quality Assurance phase to discover vulnerabilities as part of the normal test process.

Analyzer: Real-Time Analyzer (RTA)
Type: Dynamic Analysis
Description: RTA monitors deployed applications, identifying how the application is being attacked, by whom and when. It delivers detailed “inside-the-application” information that identifies which vulnerabilities are being exploited.
Usage: Used while the application is in production to reveal new exploitable vulnerabilities or ones that may have been missed during development.
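The table describes the static analyzer only by its outcome. What “root-cause identification” means in practice is that a finding names not just the dangerous call (the sink) but the line where attacker-controlled data entered the program (the source), because that is where the remediation usually belongs. The following is an added example written for this page, not Fortify’s code and not a description of how Fortify SCA works internally: a toy source-to-sink taint analysis over Python source using the standard `ast` module. The source list (`request.args.get`, `input`), the sink list (`cursor.execute`, `os.system`) and the two sample programs are constructed for the demonstration.

```python
"""Toy source-to-sink taint analysis: reports the sink (dangerous call) and the
root cause (the line where attacker-controlled data entered the program).
Added example for this page; not Fortify SCA and no claim about how Fortify's
analyzer works. Source/sink lists and sample programs are constructed."""
import ast

SOURCES = {"request.args.get", "input"}      # assumed taint sources (hypothetical)
SINKS = {"cursor.execute", "os.system"}      # first positional arg is the query/command


def _call_name(node):
    # Render a Call's callee as dotted text, e.g. 'request.args.get'.
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # callee is a call/subscript result, not a named API


class TaintAnalyzer(ast.NodeVisitor):
    # Forward, flow-insensitive taint propagation over one function body.
    def __init__(self):
        self.tainted = {}   # variable name -> line where its taint entered
        self.findings = []  # (sink name, sink line, root-cause line)

    def _taint_of(self, node):
        """Root-cause line if the expression carries taint, else None."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            if _call_name(node) in SOURCES:
                return node.lineno
            for arg in node.args:                  # str(x), "{}".format(x), ...
                t = self._taint_of(arg)
                if t is not None:
                    return t
            if isinstance(node.func, ast.Attribute):
                return self._taint_of(node.func.value)  # x.strip(), x.lower()
        if isinstance(node, ast.BinOp):            # "SELECT ..." + x, "%s" % x
            return self._taint_of(node.left) or self._taint_of(node.right)
        if isinstance(node, ast.JoinedStr):        # f"... {x}"
            for value in node.values:
                if isinstance(value, ast.FormattedValue):
                    t = self._taint_of(value.value)
                    if t is not None:
                        return t
        return None  # constants and bound-parameter tuples carry no taint

    def visit_Assign(self, node):
        t = self._taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t is None:
                    self.tainted.pop(target.id, None)  # overwritten with clean data
                else:
                    self.tainted[target.id] = t
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in SINKS and node.args:
            t = self._taint_of(node.args[0])
            if t is not None:
                self.findings.append((name, node.lineno, t))
        self.generic_visit(node)


def analyze(source):
    """Analyze each function in `source`; one finding per tainted sink call."""
    results = []
    for fn in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        analyzer = TaintAnalyzer()
        for stmt in fn.body:
            analyzer.visit(stmt)
        results.extend({"function": fn.name, "sink": s, "sink_line": sl, "source_line": src}
                       for s, sl, src in analyzer.findings)
    return results


# Constructed sample programs (not real application code).
VULNERABLE = '''\
import os

def lookup(request, cursor):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    cursor.execute(query)

def ping():
    host = input("host: ").strip()
    os.system(f"ping -c 1 {host}")
'''

FIXED = '''\
def lookup(request, cursor):
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
'''
```

Running `analyze(VULNERABLE)` reports that data entering on line 4 reaches `cursor.execute` on line 6, and that data entering on line 9 reaches `os.system` on line 10; `analyze(FIXED)` reports nothing, because the user value is passed as a bound parameter rather than concatenated into the statement text. The analysis is deliberately simple: it is intra-procedural, flow-insensitive and has no model of sanitizers, so it will miss taint that crosses function boundaries and will flag a value that was validated in an `if` branch. A production analyzer adds interprocedural dataflow, sanitizer and API models, and the correlation across analyzers that the table above describes.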
SSA Governance
Managing the Business of Software Security Assurance
Organization-wide SSA programs present many challenges for the security team. As the number of SSA projects increases, the security team may experience difficulty in meeting the demands put on it by development teams, auditors and management. Creation and implementation of repeatable processes such as a Secure Development Lifecycle (SDL) are an essential first step in getting control of the situation. Yet, without effective automation, delivery and tracking of the security activities defined in an SDL, organizations may still find the situation to be unmanageable.

For staying on track with multi-project SSA programs, there is the Fortify 360 SSA Governance Module. It provides a single system of record with views into the assets, activities and results related to the organization’s entire SSA effort. For individual projects, the SSA Governance Module provides a convenient web portal where risk-mitigation activities and artifacts can be logged and communicated. For every project in the organization, the Fortify 360 SSA Governance Module automatically assigns the correct activities based on the project’s specific risk profile. The application security team can then track project effort and receive alerts based upon completed or missed milestones. With these capabilities in place, the security team can begin to move towards a management-by-exception approach to SSA, freeing up valuable time to support other activities.

Advanced reporting and viewing capabilities provide the means to quickly consolidate results across all projects, deliver executive-quality reports and identify areas of improvement.

For those organizations that are seeking a fast-start Secure Development Lifecycle, SDL templates and artifacts based on Fortify best practices are provided. These templates provide an effective SDL that can be implemented out of the box. This can eliminate the research and expertise required to develop an SDL.
[Figure: Fortify 360 SSA Governance Module provides visibility and control of organization-wide SSA programs.]
Insecure Applications Harm Businesses
80% of companies report a loss of customers due to data breaches.
Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime.
Threat Intelligence
Stay Ahead of the Ever-Changing Threat
Cyber-criminals continue to seek out new ways to exploit software. Fortify ensures that a customer’s investment is capable of meeting these new threats by providing a variety of regular updates to Fortify 360. These updates are delivered through Fortify’s Security Research Group. This internal team of security experts is dedicated to leveraging cutting-edge research into the latest hacking techniques and vulnerability trends to build security knowledge into Fortify 360. They represent the security front line at Fortify Software, and their research into how real-world systems fail allows them to identify the most effective solutions to address the threats that Fortify customers face.

The Security Research Group releases quarterly updates to the Fortify Secure Coding Rulepacks, which drive the Fortify 360 analyzers. These updates embody the latest trends in software security and programming techniques and keep Fortify customers ahead of hackers, organized crime, rogue governments and other adversaries. In total, the Security Research Group has identified over 400 vulnerability categories across 17 programming languages and has scanned more than 600,000 Application Programming Interfaces (APIs). Recent research by the Fortify Security Research Group has resulted in the discovery of two entirely new categories of vulnerabilities (JavaScript Hijacking and Cross-Build Injection) as well as groundbreaking work in the area of Service Oriented Architecture and system backdoor detection.
Application Defense
Active Defense for Java and .NET Applications
The Fortify 360 Application Defense Module protects high-risk Java and .NET applications from attacks. The Application Defense Module’s inside-the-application approach accurately shields an application from attacks with no tuning required. Users can see which specific vulnerabilities hackers are attempting to exploit and create customized responses to attacks. Critical insight into the type and frequency of all attacks against an application is also provided. Data generated from this component can be delivered to Fortify 360 for developing a more complete view of application security.
A 100K-record data breach could cost between $10 and $30 million. — Forrester
Attacks Are on the Rise
Cybercrime was up 53% in 2008.
The number of malicious programs circulating on the Internet tripled in 2008.
Compliance
Exceed Application Security Compliance Mandates
Fortify 360 enables companies to pass key compliance mandates, such as PCI, FISMA, HIPAA, SOX, NERC and many others.

Pass PCI Compliance
Fortify 360 comes fully configured for meeting the demands associated with the application security portions of PCI DSS compliance projects (Requirements 3, 6 and 11). All vulnerabilities can be ranked according to their PCI relevance. The Fortify 360 Application Defense Module provides a precision defensive option for satisfying the web-application firewall (WAF) provision. The Fortify 360 SSA Governance Module provides an out-of-the-box PCI compliance process complete with auditor-quality PCI reports.

Pass FISMA Compliance
Government entities must pass tight restrictions for application security. Fortify 360 identifies application security issues and guides the user through the process of fixing issues and reporting on progress.

SOX, NERC, HIPAA and Others
Fortify 360 has helped numerous organizations pass compliance mandates across a range of industries, including retail, healthcare, energy, finance, government and more.
“The security infrastructure we have implemented at Financial Engines is extremely important to our business since protecting our customers’ sensitive financial data is mission critical. Fortify 360 allows us to integrate source code analysis, dynamic testing and real-time monitoring in a single comprehensive package that plays a key part in our overall approach to application security.”
— Gary Hallee, EVP Technology, Financial Engines
Fortify Software Inc. More information is available at www.fortify.com
2215 Bridgepointe Pkwy., Suite 400, San Mateo, California 94404. Tel: (650) 358-5600. Fax: (650) 358-4600. Email: [email protected]
About Fortify
Fortify’s Software Security Assurance solutions protect companies and organizations
from today’s greatest security risk: the software that runs their businesses. Fortify
reduces the threat of catastrophic financial loss and damage to reputation as well
as ensuring timely compliance with government and industry mandates. Fortify’s
customers include government agencies and Global 2000 leaders in financial services,
healthcare, e-commerce, telecommunications, publishing, insurance, systems
integration and information technology. For more information, please visit us at
www.fortify.com.
In February 2009, Gartner positioned Fortify in the Leaders Quadrant in the “Magic Quadrant for Static Application Security Testing (SAST).” The report is available at http://www.fortify.com/magicquadrant.