Micro Focus Security Fortify. Application Security

Transcription

1 Micro Focus Security Fortify Application Security

2 Secure the new Application security in DevOps Agenda: - Fortify in brief (Offerings) - Fortify Source Code Analyzer - Fortify WebInspect - Using Fortify with DevOps 2

3 Managing risk in today s digital enterprise Increasingly sophisticated cyber attacks More sophisticated More frequent More damaging Cost and complexity of regulatory pressures Compliance Privacy Data protection Rapid transformation of enterprise IT Shift to hybrid Mobile connectivity Big data explosion

4 Today s digital Enterprise needs a new style of protection IaaS PaaS SaaS Off Premise On Premise USERS Protect your most business-critical digital assetsand their interactions, regardless of location device APPS DATA BIG DATA Off Premise BYOD 4

5 Protect your digital enterprise Prevent Detect & Respond Recover Build it in Identify the threats you face, assess your organization s capabilities to protect your enterprise Harden your applications, protect your users, and encrypt your most important data Proactively detect and manage breaches Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration. Establish situational awareness to find and shut down threats at scale Safeguard continuity and compliance Drive resilience and business continuity across your IT environments, systems, and applications. Reduce risk with enterprise-wide governance, risk & compliance strategies 5

6 6 Application Security

7 Existing network and perimeter based security is insufficient VNP % of breaches exploit vulnerabilities in the application layer Yet the ratio of spending between perimeter security and application security is 23-to-1 - Gartner Maverick Research: Stop Protecting Your Apps; It s Time for Apps to Protect Themselves (2014)

8 The number of apps is growing Increasing platforms and complexity many delivery models Monitoring / Protecting Production Software Legacy Software Securing legacy applications Demonstrating Compliance Certifying new releases In-house Development Procuring secure software Outsourced Commercial Open Source

9 A reactive approach to AppSec is inefficient and expensive Somebody builds insecure software Somebody builds insecure software Cost to Remediate IT deploys the insecure software QA finds vulnerabilities in software Requirements Design/ Architecture We are breached or pay to have someone tell us our code is bad We convince & pay the developer to fix it thereby delaying the release Coding 7X We convince and pay the developer to fix it Testing Deployments/ Maintenance 15X 30X

10 The right approach for the new SDLC Build it in 1 Secure Development Continuous feedback on the developer s desktop at DevOps speed 2 Security Testing Embed scalable security into the development tool chain 3 Continuous Monitoring and Protection Monitor and protect software running in Production Improve SDLC Policies This is application security for the new SDLC

11 Micro Focus Security Fortify key advantages Comprehensive Proven Flexible Only app sec provider to cover SAST, DAST, IAST and RASP Over a decade of successful deployments backed by the largest security research team Available on premise and on demand

12 Micro Focus Security Fortify Leadership Over a decade of successful deployments backed by the largest security research team 10 out of 10 of the largest information technology companies 2017 Gartner MQ for AST 9 out of 10 of the largest banks 4 out of 5 of the largest pharmaceutical companies 3 out of 3 of the largest independent software vendors 5 out of 5 of the largest telecommunication companies

13 Micro Focus Security Fortify Application Security Solutions On premise and on demand Static Analysis SCA Dynamic Analysis WebInspect Application Protection App Defender Source Code Mgt. System Static Analysis Via Build Integration Dynamic Testing in QA or Production Real-time Protection of Running Application Hackers & Actual Attacks Vulnerability Management Remediation IDE Plug-ins (Eclipse, Visual Studio, etc.) Developers (onshore or offshore) Correlate Target Vulnerabilities with Common Guidance and Scoring Fortify on Demand Software Security Center Normalization (Scoring, Guidance) Vulnerability Database Correlation (Static, Dynamic, Runtime) Defects, Metrics and KPIs Used to Measure Risk Application Lifecycle Development, Project and Management Stakeholders Threat Intelligence Rules Management

14 Fortify Ecosystem DevOps & third party Code repositories & apps - Micro Focus LiveNet - GitHub LiveNet - SVN GitHub - SVN Requirements & issues - ALM Octane - JIRA - Bugzilla Build servers - Jenkins - Bamboo - VSTS/TFS Build tools - Gradle - ANT - Maven Security - Vuln Mgmt - SIEM - WAFs REST APIs with Swagger Fortify solutions Secure Development Security Testing REST APIs with Swagger Continuous Monitoring and Protection Communication/ChatOps DevOps & third party IDEs - Eclipse - Visual Studio - IntelliJ - Xcode/AS Open Source - Sonatype - Black Duck - Fortify Open Rev. Configuration automation - Chef - Puppet - Octopus Containers - Docker - Dockerized Security Cloud - Azure - AWS

15 15 Micro Focus Security Fortify DevInspect

16 Fortify Security Fortify DevInspect Key Benefits Designed for the Developer Easy to use Instant Results Continuous Feedback 16

17 Micro Focus Security Fortify DevInspect Bringing application security closer to the Developer Appsec solution created for developers to identify and remediate security vulnerabilities in source code within the native developers environment Real-time, instant security results as the developer is writing code. Brings market-leading appsec technologies directly to the developer, ensuring secure code as your shift left in your dev process. Enable developers to assess for security weaknesses. 17

18 Micro Focus Security Fortify DevInspect Real-time lightweight analysis of the source code Fortify menu for additional options Vulnerable line of code is highlighted as developer code & provides tips for additional information Level of criticality All issues detected in the project Type of vulnerability, explanation and detailed remediation guidance

19 Static Application Security Testing Micro Focus Security Fortify Static Code Analyzer 19

20 Micro Focus Security Fortify Static Code Analyzer (SCA) Static Analysis Fortify SCA Source Code Mgt. System Static Analysis Via Build Integration Most Comprehensive Most Accurate Easy to Use for Developers Build Integration Scales to any Application

21 Static Application Security Testing Accurately identify root cause and remediate underlying security flaw Results User Input XML VBScript HTML VB.NET.NET Java CFML COBOL ASP PL/SQL PHP ABAP Python T-SQL JavaScript/AJAX C# Visual Basic Classic ASP C/C++ SCA Frontend JSP T-SQL XML Java SCA Analysis JSP XML Java T-SQL 22+ Languages SQL Injection

22 Static Analysis Tools & Integrations Manage remediation and audit workflows Audit Workbench Security auditor s toolkit including scanning, remediation guidance, and reporting Security Assistant Instantly find vulnerabilities in real-time as developers code Developer IDE plug-ins Scan, view results, and manage remediation. Scan Wizard Easy scan configuration and build integration. Rules Editor Build custom scan rules. Customize Software Security Center to fit your SDLC. Process Designer Customize Software Security Center to fit your SDLC.

23 Dynamic Application Security Testing Micro Focus Security Fortify WebInspect 23

24 Micro Focus Security Fortify WebInspect Dynamic Analysis WebInspect Dynamic Testing in QA or Production Dynamic and Runtime Analysis Technology Made Simple Compliance Management Build Integration Centralized Program Management

25 Dynamic Analysis Dashboard Micro Focus Security Fortify WebInspect Live dynamic scan visualization Live scan dashboard Coverage Analysis Live scan statistics Detailed attack table Vulnerabilities found in application

26 Interactive Application Security Testing Micro Focus Security Fortify WebInspect agent 26

27 IAST with Micro Focus Security Fortify WebInspect agent Find More Runtime level insight into application behavior Discover new vulnerability categories Identify and assess hidden areas of the site IAST Find Faster Decrease scan time with active mode Avoid retesting reused code Micro Focus WebInspect Fix Faster Stack trace gives line of code accuracy to tell developers where to start Reduce false positives Index About Account Details Deposit Supports Java and.net applications Withdraw WebInspect Agent Admin Backup Message Center Send Message Read Message 27

28 Application Security on Premise Micro Focus Fortify Software Security Center 28

29 Micro Focus Security Fortify Software Security Center Application Security on Premise Remediation Vulnerability Management Application Lifecycle Developers (onshore or offshore) Software Security Center Development, Project and Management Stakeholders Find to Fix Workflow Automation Integration Reporting Simplified Program Management

30 Micro Focus Security Fortify Software Security Center Vulnerability detail Line of code vulnerability detail Remediation explanation and advice Vulnerabilities identified in the scan

31 Micro Focus Security Fortify Software Security Center Reporting and Program Management Global dashboard highlights risk across software portfolio Vulnerability status by application

32 Runtime Application Self Protection Micro Focus Security Fortify Application Defender 32

33 Micro Focus Security Application Defender Application Security Simplified Micro Focus Security Research Visibility Actionable and accurate insight from within the application to pinpoint vulnerabilities for protection or remediation Micro Focus Application Defender 1,2,3 Protection Stop attacks categorically or for specific vulnerabilities. Simplicity Install quickly and easily with a three-step deployment, get protection up and running in minutes Micro Focus Security Fortify Runtime

34 Fortify Application Defender Monitor and Protect your Applications Application Server Target Application Application Server Target Application Agent Orchestration & Policy Management Application Defender Server Configurable Event Output & Visualization ArcSight ESM App Defender Agent App Defender Agent Rulepack Updates Application Security Events (CEF) SIEM Application Server Target Application Logging & Protection Events Syslog App Defender Agent On-Premise SaaS

35 Fortify Application Defender Context-Sensitive rules for increased coverage and accuracy Input Target Application Output Detect injections Sanitize input Detect persistent Reduce false positives RASP Application Server Database File System Detect 2 nd order attacks Fully decoded, assembled Detect privacy violations Privileged resource access 35

36 Application Security on Demand Micro Focus Security Fortify on Demand 36

37 Micro Focus Security Fortify on Demand Application security-as-a-service Understanding your application portfolio is the first step to securing it Discover Assess Comprehensive static, dynamic web and mobile testing delivered at the speed of development Continuously monitor and protect software running in production Monitor & Protect Web Remediate Workflows to fix vulnerabilities and manage a successful AppSec program Mobile Thick-client Develop secure coding best practices to prevent vulnerabilities before check-in Educate Integrate Securing DevOps through the Fortify Ecosystem integrations and automation

38 Micro Focus Security Fortify on Demand Features and Benefits Get started in one day Easy to use management platform Accurate, comprehensive scan results 24/7 Personalized support Flexible delivery

39 Cloud-based Portal Single interface to manage your entire application security program Easily identify and prioritize where to take action. Easily track which of your applications are passing or failing your security policy Customize your data view with application attributes you define (business unit, region, etc.). Each application is rated on a scale from 1 to 5. A rating of 1 means the application has critical vulnerabilities, while 5 means it s secure You decide the appropriate criticality levels for your business.

40 Seamless Integrations Connect the development, operations and security ecosystem Open Source - Sonatype - Fortify Open Review Application Defender Network Scanners - Nessus - Qualys - Rapid7 - Tripwire Build Servers - Jenkins - TFS - Bamboo - Team City - etc Security & License Risk Automated Static Scans Upload & Remediate Network Risk API & Data Export Virtual Patch Remediate Custom - GRC tools - BI tools - etc WAFs - Imperva - F5 - Citrix - Barracuda - Radware - Fortinet - TippingPoint Developer IDEs - Eclipse - Visual Studio Fortify SSC Defect Management - Micro Focus ALM / QC - JIRA - etc

41 41 Fortify Professional Services

42 Micro Focus Security Fortify Professional Services Adding professional services can help you need to close the loop on application security Detecting Vulnerabilities Fixing Applications Analyzing Results HP Professional Services Assistance making application security tools and processes work the way you need them to. Tuned Rules Customized Rules Security Policy Applied Prioritized Findings Automation / DevOps False Positive Removal Tuning Technology

43 Micro Focus Security Fortify Professional Services Offerings Quick Start Programs Fortify and WebInspect Applications security consultants build Fortify or WebInspect into the SDLC of your selected pilot application, audit the results, and train your team for success. Fortify on Demand We ll help you build an effective process on-site around the security testing services that will allow you to make the most of your static and dynamic scan results, including a tailored vulnerability training class to help you get started on the road to remediation Framework Software Security Assurance (SSA) Assessment A two week engagement designed to assess your organization s SSA maturity and develop a roadmap that you can use to build a successful software assurance program. Application Security Residents Do you need an long term application security subject matter experts? We can provide experienced SME s for both static and dynamic analysis. On-site Managed Service We can build and/or manage your software assurance program providing the people, processes, and technology to make you successful.

44 Protect your digital enterprise at scale Toronto Virginia Texas Costa Rica UK Germany Bulgaria India Malaysia Technology Consulting Managed Services Australia Leader Visionary Leader Leader application security and network access control (Gartner) data security (Gartner) SIEM (Gartner) managed security services (Forrester) security professionals 10 managed global SOCs 42 business continuity and recovery centers 44

45 45 Fortify Ecosystem

46 Fortify Ecosystem DevOps & third party Code repositories & apps - Micro Focus LiveNet - GitHub - SVN Requirements & issues - ALM Octane - JIRA - Bugzilla Build servers - Jenkins - Bamboo - VSTS/TFS REST APIs with Swagger Build tools - Gradle - ANT - Maven Security - Vuln Mgmt - SIEM - WAFs Fortify solutions Secure Development Security Testing REST APIs with Swagger Continuous Monitoring and Protection Communication/ChatOps DevOps & third party IDEs - Eclipse - Visual Studio - IntelliJ - Xcode/AS Open Source - Sonatype - Black Duck - Fortify Open Rev. Configuration automation - Chef - Puppet - Octopus Containers - Docker - Dockerized Security Cloud - Azure - AWS Micro Focus.com/software/fortifyecosystem

47 Build Server integration SCA with Microsoft VSTS Native in MSFT VSTS, no installation required Integrates with CI/CD DevOps processes

48 For more information: 48