Fortify Application Security - Data Protection

Posted 09-Feb-2020

Page 1: Fortify Application Security - Data Protection (microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...; slide footer source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.)

Fortify Application Security

Janusz Sawicki, Security Sales Account Executive, Micro Focus, (M) +48 609 82 12 14, [email protected]

Value Proposition

Sales Cycle

Page 2

Security, Risk, & Governance: Micro Focus Portfolio

DATA GOVERNANCE & PROTECTION

APPLICATION SECURITY

IDENTITY & ACCESS MANAGEMENT

ENDPOINT SECURITY

SECURITY OPERATIONS

INFORMATION ARCHIVING

ANALYTICS & MACHINE LEARNING

Identity Manager

Access Manager

Advanced Authentication

Privileged Account Manager

Self Service Password Reset

Static code analysis (SAST)

WebInspect dynamic analysis (DAST)

Application Defender

Arcsight Data Platform

Arcsight ESM

Arcsight Investigate

Arcsight UBE/ Interset

Arcsight Marketplace

ZENworks Endpoint Security Management

ZENworks Full Disk Encryption

ZENworks Desktop Containers

ZENworks Service Desk

ZENworks Configuration Management

ZENworks Asset Management

ZENworks Patch Management

Voltage SecureData Enterprise

Secure content management

Compliance information archiving

Digital safe-cloud archiving

https://community.microfocus.com

Presenter
Presentation Notes
Micro Focus has one of the largest portfolios addressing Security, Risk, and Governance in the industry. [click]

Page 3

Fortify

There is a breach in the headlines almost every day - 2018

Page 4

“Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms.”

“So now, when we face a choice between adding features and resolving security issues, we need to choose security.”

– Bill Gates, Trustworthy computing, 15th Jan 2002

Page 5

Fortify

Businesses today need faster innovation…and faster innovation increases risk

[Chart: Release Frequency, Number of Applications, and Releases with Critical Vulnerabilities, 2010 to 2020+. Source: 2017 Micro Focus Application Security Research Update]

Presenter
Presentation Notes
Complexity is driven by business needs to compete with digital services, leading to: an increasing number of applications and frequency of releases; data generation growth from apps, people and devices; expanding identities to manage. All in all, every business is releasing vulnerabilities 10x faster.

Every business is a digital business. Businesses today rely on data to run and applications to interface with customers and partners. As a result, there has been tremendous growth in the number of web and mobile applications and increasing frequency of application releases. Additionally, the complexity of code has increased as developers try to meet the demand by utilizing open source and commercial code in addition to custom code.

In our 2017 Application Security Research Update: 30X more deployments of apps over last year; apps are getting more complex, with 83% of them utilizing open source components in addition to custom code and COTS.

Page 6

Fortify

More code…

More vulns…

More risk…

Presenter
Presentation Notes
And more vulnerabilities create more and more risk for the business.

Page 7

Fortify

[Diagram: Business Demand → Planning → App Development → App Testing → App Release → Release decision → Deployed App]

Companies are adopting DevOps for rapid development

Increase Automation, Reduce Latency, Increase Visibility

Security?

Source: Micro Focus 2017 Application Security Research Update

…but security is often outside of the process

Presenter
Presentation Notes
Businesses today rely on data and applications to interface with customers and partners. There’s been tremendous growth in the number of web and mobile applications that businesses have to support, along with an increasing frequency of releases and complexity of code as developers try to meet the demand by utilizing open source and commercial code in addition to custom code. In our 2017 Application Security Research Update, we saw 30X more deployments of apps over last year, and the apps are getting more complex, with 83% of them utilizing open source components in addition to custom code and COTS.

To keep up with the increasing demand, many businesses are adopting DevOps as the preferred approach for rapid development and continuous delivery of applications. DevOps offers IT organizations improved speed of development by embracing a collaborative approach between development and operations. However, in most cases, security has been an afterthought to DevOps. While 99% of development organizations believe that DevOps is an opportunity to improve application security, only 20% actually perform application security during development, according to a recent survey. As a result, 80% of applications today contain at least one critical or high vulnerability. It’s no surprise that the Dept of Homeland Security found that 90% of security incidents are from exploits against defects in the design or code of software.

Development teams are growing at an 80:1 ratio to security teams. Security teams aren’t able to keep up.
Page 8: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Development teams are growing at an 80:1 ratio to security teams

Reference: Micro Focus 2017 Application Security Research Update

VS

Presenter
Presentation Notes
In our 2017 Application Security Research Update, we saw development teams growing at an 80:1 ratio to the security teams
Page 9: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc., 2017

Static Code Analysis: Static Code Analyzer (SCA), Fortify on Demand Static

Dynamic Application Security Testing: WebInspect, Fortify on Demand Dynamic

Real-time Application Self Protection: Application Defender, On Premise & on Demand

The only way to keep up is to “build it in”

Presenter
Presentation Notes
The right approach is to integrate security into the DevOps process. More and more companies are starting to understand this need. In an October 2017 survey conducted by Gartner, the collaboration of the DevOps team with the Security team was ranked the highest strategy for using DevOps in regulated situations. Gartner predicts that by 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability testing for open source components and commercial packages, up from less than 10% in 2016. By 2021, Secured DevOps or “DevSecOps” practices will be embedded in 80% of rapid development teams, up from 15% in 2017. Additionally, in the past 12 months at Gartner, how to securely integrate security into DevOps has been one of the fastest growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame.

The reason that software development organizations are prioritizing the integration of security with the rest of development and increasing their application security budget is that the financial impact of not integrating security is measurable and significant. The research is there. And while estimates vary slightly, all research confirms that the cost and time to fix a vulnerability grows exponentially during the SDLC. Having to fix a vulnerability found in production is 30x as costly as if it had been found earlier in the lifecycle.

The Fortify application security solution is designed to support the continuous development approach in DevOps: from SCA, which scans code and can help developers identify vulnerabilities as they’re creating code, to WebInspect, which helps QA teams find vulnerabilities in a pre-production environment, and Application Defender, which helps find vulnerabilities in apps during run-time. And Fortify on Demand provides the coverage in a flexible, on-demand SaaS offering.
Page 10: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify is the most flexible, end-to-end AppSec solution

Web Dynamic Testing (DAST)

Runtime Protection (RASP)

Static Code Analysis (SAST)

Production

Fortify on Demand (FOD)

On Premise App Defender

Application Development

Test, Integration & Staging

Code / Design

IT Operations

Cloud Managed Service

WebInspect

Software Security Center

Static Code Analyzer (SCA)

Presenter
Presentation Notes
Fortify offers application security solutions that can integrate with the DevOps process. It is the most flexible and comprehensive application security product in the market, providing static application security testing (SAST), dynamic application security testing (DAST), and runtime application self-protection (RASP) either as a licensed, on-premise solution or as a subscription-based, SaaS solution. SCA scans code and can help developers identify vulnerabilities as they’re creating code. WebInspect helps QA teams find vulnerabilities in a pre-production environment. Application Defender helps find vulnerabilities in apps during run-time. And Fortify on Demand provides the coverage in a flexible, on-demand SaaS offering.
Page 11: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

SAST – Static Application Security Testing: Fortify SCA

Page 12: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Fortify Security Assistant

Real-time lightweight analysis of the source code

The vulnerable line of code is highlighted as the developer codes, with tips for additional information

Level of criticality

Type of vulnerability, explanation and detailed remediation guidance

All issues detected in the project

Fortify menu for additional options

Page 13: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

DAST – Dynamic Application Security Testing: Fortify WebInspect

Page 14: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

RASP – Runtime Application Self-Protection: Fortify Application Defender

Page 15: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Fortify SCA is the comprehensive SAST solution that integrates with your development environment

Comprehensive

25 programming languages

788 unique categories of vulnerabilities over 1,007,000

Accurate

2X as many vulnerabilities found with up to 95% reduced false positives*

Reference: Mainstay Continuous Delivery of Business Value with Micro Focus Fortify 2017

Easy to Use for Developers

Integrates with developer IDEs and tools

Integrates w/ Existing Tools & Processes

Integrates with CI/CD tools and processes; APIs provide easy integration; GitHub provides samples

Scales to any Application

Scales horizontally with Cloudscan on premises and as a service with Fortify on Demand

Presenter
Presentation Notes
Fortify Taxonomy: Software Security Errors: https://vulncat.hpefod.com/en; Fortify @ GitHub: github.com/fortify
Page 16: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Fortify Integration

Fortify Ecosystem

Presenter
Presentation Notes
We have added to the Fortify Ecosystem with SCW, Bamboo, Snyk and Slack. The ecosystem is focused on enabling DevOps and the automated CI/CD pipelines
Page 17: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

AppSec-related Terms to Know (functional / operational)

Term – What – Fortify Product

SAST Static Application Security Testing Fortify SCA

DAST Dynamic Application Security Testing Fortify WebInspect (incl. WIE)

MAST Mobile Application Security Testing Fortify on Demand Mobile+

IAST Interactive Application Security Testing Fortify WebInspect + WebInspect Agent

RASP Runtime Application Self-Protection Fortify Application Defender

SaaS Security as a Service Fortify on Demand

SSC Centralized program management Fortify Software Security Center

SCA Software Composition Analysis (not to be confused with SCA = Fortify SCA) Fortify on Demand Static/Static+ via Sonatype; Fortify SSC integrations

Page 18: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Knowledge Check: SAST vs DAST

SAST & DAST are complementary

What?
  SAST: Analyses the application code
  DAST: Tests the running application

When?
  SAST: Early life-cycle; used in development and QA
  DAST: Late life-cycle; used in QA and production

Characteristics
  SAST: Comprehensive; finds most vulnerabilities; prone to false positives
  DAST: Behaves like a hacker; finds vulnerabilities most likely to be exploited; prone to false negatives

Working with Results
  SAST: References source code level details; easy for developer to understand
  DAST: References URLs and HTTP traffic; more difficult for developer to identify cause

Also known as
  SAST: White-box testing; source code analysis
  DAST: Black-box testing; penetration testing

Product
  SAST: Fortify SCA
  DAST: WebInspect

Presenter
Presentation Notes
Need both
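The knowledge check above contrasts SAST (analyses the code; comprehensive; prone to false positives) with DAST (tests the running application; prone to false negatives), and the Security Assistant slide on page 12 describes the same static analysis running as the developer types. The following Python script is an added example, not Fortify code and not part of the original deck; it makes the contrast concrete on one constructed four-function sample. A toy static scanner walks the AST and follows function parameters (treated as untrusted input) into db.execute() calls, while a toy dynamic scanner runs the same functions against a live in-memory SQLite database and watches for a leaked SQL syntax error. The sample application, the taint rule and the single-quote probe are all assumptions of this example, not a description of how the Fortify products work.

```python
"""Toy SAST vs DAST on one small application (added example, not Fortify code)."""
import ast
import sqlite3
import types

# Constructed sample application under test. Four variants of the same lookup:
#   find_user         - string-concatenated query, injectable
#   find_user_safe    - parameterised query, safe
#   find_user_escaped - concatenation with manual quote escaping, safe in practice
#   find_user_quiet   - injectable, but swallows database errors
APP_SOURCE = '''
def find_user(db, username):
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    return db.execute(query).fetchall()

def find_user_safe(db, username):
    return db.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()

def find_user_escaped(db, username):
    clean = username.replace("'", "''")
    query = "SELECT id FROM users WHERE name = '" + clean + "'"
    return db.execute(query).fetchall()

def find_user_quiet(db, username):
    query = "SELECT id FROM users WHERE name = '" + username + "'"
    try:
        return db.execute(query).fetchall()
    except Exception:
        return []  # generic error handling hides the defect from a black-box probe
'''


def _mentions(node, names):
    """True if any Name node in the subtree refers to one of the given names."""
    return any(isinstance(n, ast.Name) and n.id in names for n in ast.walk(node))


def static_scan(source):
    """Toy SAST: report functions whose db.execute() query text derives from a parameter.

    Returns {function_name: [line numbers within source]}.
    """
    findings = {}
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = {a.arg for a in fn.args.args}  # every parameter is untrusted input
        assigns = [n for n in ast.walk(fn) if isinstance(n, ast.Assign)]
        changed = True
        while changed:  # propagate taint through assignments until nothing new is tainted
            changed = False
            for a in assigns:
                if _mentions(a.value, tainted):
                    for t in a.targets:
                        if isinstance(t, ast.Name) and t.id not in tainted:
                            tainted.add(t.id)
                            changed = True
        for node in ast.walk(fn):  # sink: first argument of any .execute(...) call
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args
                    and _mentions(node.args[0], tainted)):
                findings.setdefault(fn.name, []).append(node.lineno)
    return findings


def dynamic_scan(source):
    """Toy DAST: exercise each function on a live database and watch for leaked SQL errors.

    Returns the sorted names of functions where an unbalanced quote in the input
    surfaced as a database syntax error (error-based detection, black-box view).
    """
    ns = {}
    exec(source, ns)  # load the application under test the way a scanner meets a deployed app
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    findings = []
    for name, fn in ns.items():
        if not isinstance(fn, types.FunctionType):
            continue
        fn(db, "alice")  # baseline: benign input must work before probing
        try:
            fn(db, "alice'")  # probe: a single stray quote
        except sqlite3.OperationalError:
            findings.append(name)
    return sorted(findings)


def compare(source):
    """Side-by-side view of what each approach reports on the same code."""
    sast = set(static_scan(source))
    dast = set(dynamic_scan(source))
    return {
        "sast": sorted(sast),
        "dast": sorted(dast),
        "sast_only": sorted(sast - dast),  # SAST false positives or DAST false negatives
        "dast_only": sorted(dast - sast),
    }


if __name__ == "__main__":
    for key, value in compare(APP_SOURCE).items():
        print(f"{key:10s} {value}")
```

Run it and the static side reports three functions, including find_user_escaped (a false positive: the toy analyzer does not understand the manual escaping), while the dynamic side reports only find_user and misses find_user_quiet, whose catch-all exception handler hides the error from a black-box probe (a false negative). That is the slide's "complementary" point in miniature: the two approaches disagree on exactly the cases where each needs the other, and a reviewer triaging the sast_only list needs source-level detail, which is what the "Working with Results" row says.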
Page 19: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

AppSec-related Terms to Know* (Governance)

Term Is What Notes

PCI Payment Card Industry en.wikipedia.org/wiki/Payment_card_industry

PCI DSS PCI Data Security Standard www.pcisecuritystandards.org

HIPAA Health Insurance Portability and Accountability Act www.hhs.gov/ocr/privacy/hipaa/understanding

DISA STIG Defense Information Systems Agency Security Technical Implementation Guide iase.disa.mil/stigs

GLBA Gramm-Leach-Bliley Act security and data integrity

FISMA Federal Information Security Management Act www.dhs.gov/federal-information-security-management-act-fisma

MAS Monetary Authority of Singapore

GDPR General Data Protection Regulation EU Data Privacy - https://eugdpr.org/

*not exhaustive

Page 20: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

AppSec-related Terms to Know* (references / frameworks)

Term What Notes

OWASP Open Web Application Security Project owasp.org

VulnCat Vulnerability Categories – A Fortify Taxonomy of Software Security Errors vulncat.fortify.com; maintained by SSR

OpenSAMM Software Assurance Maturity Model opensamm.org;Commissioned by Fortify

BSIMM Building Security In Maturity Model bsimm.com

SSA Software Security Assurance What we do!

SDLC Systems development life cycle Dev process

*not exhaustive

Page 21: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

AppSec-related Terms to Know* (technical)

Term What Notes

XSS Cross-Site Scripting OWASP 2013 A3

SQL Structured Query Language Since 1974!

SQLi SQL Injection OWASP 2013 A1

XSRF Cross Site Request Forgery

IDE Integrated Development Environment e.g. Eclipse, Visual Studio (VS), IntelliJ

CI/CD Continuous Integration / Continuous Deployment

Build Tools They compile the application e.g. Maven, Ant, Make, Gradle

Build Environments They orchestrate the build e.g. Jenkins, Team Foundation Server (TFS), Bamboo

*not exhaustive

Page 22: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Sales Engagement

Page 23: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

In-house development

Outsource Commercial Open source

Procuring secure software

Demonstrating compliance

Certifying new releases

Securing legacy applications

Triggers for using Fortify

• Customer has suffered a breach or is concerned about the risk in their software such that they will be the next headline

• Compliance drivers require the client to consider application assurance (e.g. PCI sect 6, GDPR, HIPAA, MAS, SOX…)

• Repeatedly failing security audit/test around appsec issues

• Customer recognises that early detection is a great way to reduce the overall cost of development

• Testing ‘choke point’ highlights some security issues but often too little, too late & at a point where no-one wants to hear about them

• Customer needs to reduce cost of and reliance on application pen-testing activities

• Customer has outsourced/offshore development and wants to assure code as part of acceptance

• Agile & DevOps initiatives (of course!)

Page 24: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

What challenges are we addressing with Fortify?

The Challenge

• The speed of development, testing, release cycles and updates is increasing

• Siloed development, testing and production roles are becoming integrated

• Reactive pre-deployment testing and fixing of vulnerabilities no longer work

• AppSec has to become a natural part of the continuous development environment

The Solution

FIND and FIX security issues, FORTIFY applications at every stage of the software lifecycle

Fortify is the best solution - it supports the entire software lifecycle, finding vulnerabilities and empowering secure development.

Fortify provides fast, accurate and scalable application security for rapid detection, remediation and protection

Fortify is available on cloud and on premise

Page 25: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Understanding the target customer

Pain Point Key Words

• We need to speed our application time-to-market

• Business today demands more complex applications and shorter release cycles – application security can’t keep up

• Slow scans, false positives and lack of subject matter expertise create friction within the organization

How do I identify an opportunity?

• Average of at least 5 business-critical custom-developed applications, average of at least 20 internally developed applications

• Large dev team – internal and outsourced (e.g. offshore)

• B2B or B2C company with a high volume of online customer transactions or interactions

Who is this for?

• Key attributes: customers doing custom software development, increasingly frequent release cycles

• Personas: CISO, AppSec Director, Dev Lead/App owner

• High-risk verticals: finance, telco, health care, utility, retail

Page 26: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

What is the Use Case Driven Compelling Conversation?

Compelling Conversation

Business today demands more complex applications and shorter release cycles – application security can’t keep up. Security is perceived as a separate process from the software development lifecycle and is often ‘bolted on’ to the process, forgotten or skipped.

Security Scanning Integration & Automation

• Integrate with the development pipeline and processes.

• Run automated scans, provide results fast and create defects in defect management systems.

Scale to Cover All Apps

• Run faster scans simultaneously using centralized scanning.

• Provide scan results and audit results in minutes.

• Harness the power of hybrid.

Shift AppSec “Left”

• Provide real-time feedback to developers as they develop code.

• Make static scans available and consumable for developers.

Presenter
Presentation Notes
Message w bp driving to the compelling conversation
Page 27: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Target Personas (Who do we typically sell to?)

Page 28: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Who Do We Sell To?

1. CISO - Most often the budget owner and/or driver

2. Dir. or Sr. Manager - (under CISO) – Manages the team that runs the POV and will own the product

3. Technical Security Lead - Most often runs the POV and makes the technical recommendation

4. Development - rarely (although increasingly) leads an opportunity but will have input on selection and may fund the project

Page 29: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Securing ApplicationsConcerns, Key Questions & Discussion

Page 30: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Discovery | Understanding Current State Drives Selling Strategy

“How are you addressing Application Security today?”

Discovery Questions

• Are you concerned about apps that are not in the scope of your current appsec efforts?

• How do you get developers involved with security?

• How are you delivering frequent releases in a secure way?

• At which stage does security get involved with new software projects?

• How do you keep up with the speed requirements of development?

• How many applications are you eventually looking to scan?

Page 31: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Executive Approach: Secure DevOps (CIO or CISO)

Key Concerns

• Business requires an increasing number of applications and faster release cycles – hard for security to keep up

• Development and security teams are not integrated

• Tools across different teams are not standardized

• Not a software development company, dev teams off-site or outsourced, lack of qualified security personnel

Open Questions

• Are you experiencing or do you anticipate growth in the role of web and mobile apps in your business?

• How do you measure and track overall cybersecurity risk in the business?

• How do you secure and ensure compliance of every release of every application?

Control Questions

• How many customer-facing web/mobile apps are you currently supporting?

• What’s the increase rate of applications and releases this year compared to last year?

• How many software developers and application security specialists do you have?

• What percentage of your apps are covered with your current AppSec program?

Percentage of applications containing at least one critical or high vulnerability. (2)

90%: Percentage of security incidents from exploits against defects in the design or code of software. (1)

Sources: (1) U.S. Department of Homeland Security’s U.S. Computer Emergency Response Team (US-CERT); (2) “2017 Application Security Research Update” by the HPE Software Security Research team, 2017

Page 32: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Manager Approach

Manager Approach: Secure DevOps (Managers)

Key Concerns

• Business requires an increasing number of applications and faster release cycles – hard for security to keep up

• Don’t create friction with my developers and their development process

• Application security takes too long and is difficult

Open Questions

• How confident are you that your AppSec team can adapt and scale to keep up with DevOps?

• How effective is your team at triaging application security testing results and getting developers to remediate vulnerabilities?

• What is your software engineering process and your supporting tool chain?

• Would you be interested in seeing how we can integrate security testing in your build processes and continuously assess your apps for vulnerabilities?

Page 33: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Discovery Questions (personas: CISO, Application Security Manager, Development)

Security Posture

• What is your security strategy for this year and what are the top initiatives?

• What’s the timing and priority?

• How does your organization define software security?

• Where does AppSec rank in your overall risk environment?

• How do you manage overall application security risk?

• What percent of applications are covered with your current AppSec program?

• How are you demonstrating compliance to auditors?

• Who on your team may I work with to explore how to reduce time and effort and ensure sustainability with Application Security?

Application Security

• What is your process for identifying security vulnerabilities in your applications?

• What types of AppSec testing are you conducting? (static analysis, pentesting, dynamic analysis, ethical hacking)

• What is your approach or policy for testing applications produced by 3rd parties?

• Have you integrated security testing into your SDLC? (how?)

• How much time is spent triaging scan results for one application?

• Is scaling your AppSec program to meet increasing demand for speed and volume a concern?

• How do security & development work together to fix vulnerabilities?

• Tell me about Security training/education for developers and security?

• Do you have a preference for on-Premise or SaaS?

Building Security into the SDLC

• What types of applications are you building/managing?

• How often do you deploy applications? On average, how many updates or new releases are there per year to those applications?

• Is security testing applied across the SDLC?

• What build environments are being used by developers?

• How much time is spent remediating security vulnerabilities?

• How is security changing to address new application development trends? (i.e. DevOps)

• How many developers do you have?

• How many apps do you have?

Presenter
Presentation Notes
Open Discussion around questions for personas
Page 34: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Customer Concerns…

Page 35: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Addressing Customer Objections and Concerns

Objection: We’re getting push back from development that security slows them down.
Underlying Concern: Previous experience with slow scans and release delays as a result of a security-as-a-gate approach.
Response:
• All organizations need to deliver secure applications to stay in business, and Fortify offers a seamless solution that empowers developers.
• Because Fortify integrates with the existing processes and tools, developers won’t have to go through a major change.

Objection: Our developers are interested in a more developer-friendly solution.
Underlying Concern: Developers would rather go with a solution that provides fewer results (creating less work for them).
Response:
• Fortify offers developers the tools and integrations to get an understanding of the security of their code as they type, then throughout the development cycle.
• Developers can still choose to suppress issues with Fortify. False negatives with other solutions pose a bigger threat to developers and the organization.

Objection: We want to automate our entire DevOps cycle and we can’t wait days for scan results.
Underlying Concern: Previous experience with slow scans that take days and even slower audit processes.
Response:
• You can get machine-audited scan results in minutes, providing your developers with validated true positives.

Objection: We’ve already got penetration testing before we go live and a WAF in production environments.
Underlying Concern: Assumption that penetration testing is going to catch everything, and over-confidence in the WAF.
Response:
• Finding vulns at later stages of the SDLC results in costly fixing efforts and often results in either missing deadlines or going live with issues.
• Penetration testing is painfully slow and can miss issues. WAFs’ protection capabilities are very limited.

Objection: You don’t have support for Go and Kotlin.
Underlying Concern: Having a major programming language not supported means customers can't scan their code.
Response:
• Fortify offers the broadest programming language support in the industry and is more agile than ever in supporting new versions of existing languages and newer languages.

Page 36: Fortify Application Security - Data Protection …microfocus.fundorfina.pl/wp-content/uploads/2019/06/9...Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc.,

Fortify

Addressing Customer Objections and Concerns

Objection: Most of our business logic runs in microservices and not traditional applications. Your approach is not a good fit.
Underlying Concern:
• High licensing/service costs because of the high number of microservices.
Response:
• Fortify on Demand and on-premises licensing models handle microservices differently and have special pricing for microservices.
• For on-premises solutions, going with developer-based licensing would be the best option.

Objection: IAST is the future of application security and it is a non-intrusive way. We don’t need any other methods because we have IAST with <insert IAST vendor here>.
Underlying Concern:
• Previous experience with slow scans and release delays as a result of a security-as-a-gate approach.
Response:
• IAST is a good, practical solution to get insight into the security of applications during testing. But since the applications are not tested for security (as an attacker would), the results are limited and nowhere near as comprehensive as SAST or DAST.
• All organizations need to deliver secure applications to stay in business, and Fortify offers a seamless solution that empowers developers.
• Because Fortify integrates with the existing processes and tools, developers won’t have to go through a major change.
• Most static and dynamic Fortify scans complete in minutes and can provide more value to the organization than IAST.

Presenter
Presentation Notes
Contrast, Checkmarx, Veracode, Synopsys, CodeDX

Fortify

Overcoming objections and concerns

Objection: We already have network security/WAF.

Underlying concern: You’re not talking to the right person! (I’m not in charge of AppSec.)

Response: 80-84% of breaches are happening at the app layer – regardless of network protection. Could you tell me who in your organization is responsible for securing the software itself?

Objection: We’re getting push back from development that security slows them down.

Underlying concern: I need help socializing and getting support for a centralized Application Security program.

Response: Our customers report the opposite. Average delays in time to market due to software vulnerabilities reduced from 4+ to -1. Vulnerability remediation times reduced from 1 to 2 weeks to 1 to 2 days.

Objection: Development team says Fortify is slow/hard to use.

Underlying concern: The development team doesn’t want to add more work to their existing processes.

Response: Fortify can be integrated directly into the developers’ work environment and tools for frictionless security that won’t change their existing processes. Scans complete in minutes and results can be pre-audited, then pushed to developers quickly. There is nothing simpler than outsourcing your application security program to Fortify on Demand.

Presenter
Presentation Notes
Open discussion around objections. Example script:

Have network security: earlier, when we talked about Discovery, one of the questions was “how do you define software security?”. If this is their answer, it’s not a good one and chances are you are not talking to the right person. Find the guy that owns AppSec.

The second objection refers to culture. The AppSec guy and possibly the CISO know the risk, but the dev team is in the driver’s seat. Almost all of the Fortify deals started like this. Developers don’t actively look for more testing products to slow them down. And yet, once we got into those accounts and were able to demonstrate the short- and long-term value of Fortify – including reduced time-to-market delays and drastic improvement in vulnerability remediation time, we were able to turn those accounts into big Fortify wins. Fortify conducted a Mainstay Study where they interviewed 25 of our top customers, who share the exact opposite. The Fortify solutions not only educated the dev teams, they also improved performance and decreased risk:

• Vulns per app dropped from 100s to 10s (WHY? Devs were learning about secure coding).

• Avg time to fix a vuln dropped from 1-2 weeks to 1-2 hrs (WHY? We prioritize vulns by criticality, provide line-of-code detail and offer recommendations on how to fix the vuln).

• % of repeat vulns dropped from 80% to 0% (devs were learning and not repeating the same errors).

• Time-to-market delays due to vulns dropped from 4+ incidents (30 days each) per year to none.

The last objection that you may hear is something that Fortify competitors are good at talking up: Fortify is hard to use. Naturally, developers grab on to that and use it to push back on security. This is one of the reasons that the Fortify on Demand business is growing. There is nothing easier, and unlike Veracode (which is only a managed service), customers can also use our on-prem technologies to integrate into a developer’s work environment and eliminate vulns from being introduced in the first place.

Before you can address this question, you need to understand the life of a dev. They are creating significantly complex apps that have more features and more functionality, and must deliver under budget and by a deadline. You throw in DevOps and a step to scan your apps, and they are going to throw their hands up. Over the years our technology has been simplified with regards to the install and config process; it IDs vulns and prioritizes them so you can fix the critical and high vulns first. We provide you recommendations on how to fix the vuln.

If you run into a situation where your customer tells you they do not have time, have no expertise and no resources: we’re flexible, we have FoD, our SaaS-based offering where we do all the heavy lifting and nothing is required on their end to test their app. Just a few months ago we announced our Fortify Ecosystem, which allows our technologies to seamlessly and easily integrate into the customer’s environment. Our ecosystem spans over 10 integration categories with the tools, plugins and REST APIs that orgs are already leveraging across their DevOps and 3rd-party toolchain. We’ve made it easier for our technology to integrate into the customer’s environment. We provide the integrated solutions that accelerate automation and results.

Market Leadership

8th consecutive year as MQ Leader

2018 growth: +30% Fortify on Demand, +17% Fortify on Premise

Customers include:

• 10 of the 10 largest information tech companies

• 9 of the 10 largest banks

• 4 of the 5 largest pharmaceutical companies

• 3 of the 3 largest independent software vendors

• 5 of the 5 largest telecommunication companies

Fortify is widely recognised as the leading AppSec vendor

Presenter
Presentation Notes
Move down – make into just leadership slide (9/10 stats)

Fortify

Fortify-Static-Code-Analyzer-Product-Kit…

Fortify-on-Demand-Product-Kit


Fortify

Thank You
